Security experts identify top 10 software design flaws
Security experts at the IEEE Center for Secure Design (CSD) have published a report on the top 10 software security design flaws.
The report is based on real-world data collected at the world’s top technology companies and includes information on techniques to avoid the most significant software security design flaws.
According to the IEEE, practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.
The CSD is part of a cyber-security initiative launched in 2014 by the IEEE Computer Society, an association for computing professionals.
The broader initiative is aimed at escalating the IEEE’s involvement in the field of cyber security.
The CSD was set up to shift some of the focus in security from finding bugs to identifying common design flaws in the hope that software architects can learn from others’ mistakes.
Its main aims are to provide guidance on recognising software system designs that are likely to be vulnerable to compromise, and on designing and building software systems with strong, identifiable security properties.
CSD founding members include Cigital, EMC, Harvard University, HP, Intel/McAfee, RSA and Twitter.
Its members believe proper security design has been the Achilles’ heel of security engineering for decades.
“The CSD will play a critical role in refocusing software security and security engineering on the most challenging open problem in security,” said Bob Lord, chief security officer at Twitter.
“By getting past the myopic focus on implementation bugs in code and talking about security design, the CSD does even the most advanced companies in the space a huge service.”
Gary McGraw, chief technology officer at Cigital and author of the book Software Security, said bugs and flaws are two very different types of security defect.
“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying because design flaws account for 50% of software security issues,” he said.
McGraw said the CSD had provided the opportunity for its members to refocus, gather real data, and share the results with the world.
The report contains a list of recommendations drawn from a workshop to help developers avoid the top security design flaws. Each technique is described in detail in the report.
Summary of recommendations:
Earn or give, but never assume, trustUse an authentication mechanism that cannot be bypassed or tampered withAuthorise after you authenticateStrictly separate data and control instructions, and never process control instructions received from untrusted sourcesDefine an approach that ensures all data is explicitly validatedUse cryptography correctlyIdentify sensitive data and how it should be handledAlways consider the usersUnderstand how integrating external components changes your attack surfaceBe flexible when considering future changes to objects and actorRegister now to receive ComputerWeekly.com IT-related news, guides and more, delivered to your inbox.By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy$("a#eproductLogin").attr('href', function(i) { return $(this).attr('href') + '?fromURL=' + regFromUrl; });
0 commenti :
Posta un commento