top ten software security design flaws

Upload: crazy8scribd

Post on 02-Jun-2018


    8/10/2019 Top Ten Software Security Design Flaws

    04/09/2014 IEEE: Top Ten Software Security Design Flaws | Dr Dobb's

    http://www.drdobbs.com/security/ieee-top-ten-software-security-design-fl/240168950


    IEEE: Top Ten Software Security Design Flaws

    By Adrian Bridgwater, September 02, 2014

    The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws"

    The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws". The report is based on real-world data: it brought together experts from a diverse group of organizations to discuss the software security design flaws they had identified in their own internal design reviews.

    What resulted was a list of the top 10 most significant software security design flaws and the design techniques to avoid them. The practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.

    "Bugs and flaws are two very different types of security defects," said participant Gary McGraw, chief technology officer at Cigital. "We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50% of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large."

    The following list of recommendations was born from the workshop to help developers avoid the top security design flaws (each technique is described in detail in the report):

    1. Earn or give, but never assume, trust
    2. Use an authentication mechanism that cannot be bypassed or tampered with
    3. Authorize after you authenticate
    4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources
    5. Define an approach that ensures all data are explicitly validated
    6. Use cryptography correctly
    7. Identify sensitive data and how they should be handled
    8. Always consider the users
    9. Understand how integrating external components changes your attack surface
    10. Be flexible when considering future changes to objects and actors
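    As an added illustration of principles 1 to 3 (example code written for this page, not taken from the article or the IEEE report), the handler below first shows the design flaw of trusting a client-supplied role header with no authentication, then the corrected design, where identity comes only from server-side session state and authorization is decided from that identity. The user table, session tokens, permission sets and header names are constructed sample data.

```python
# Added example for principles 1-3 above: never assume trust, make
# authentication unbypassable, authorize only after authenticating.
# USERS, SESSIONS, PERMISSIONS and the header names are constructed data.
from dataclasses import dataclass, field

USERS = {"alice": "admin", "bob": "viewer"}          # user -> role
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # token -> user
PERMISSIONS = {"admin": {"read", "delete"}, "viewer": {"read"}}

class AuthError(Exception):
    pass

@dataclass
class Request:
    action: str
    headers: dict = field(default_factory=dict)

def flawed_handle(req: Request) -> str:
    # Flaw: trust is assumed. The role comes from a header the client
    # controls, and nothing ever establishes who the caller actually is.
    if req.action == "read" or req.headers.get("X-Role") == "admin":
        return "ok"
    raise AuthError("forbidden")

def authenticate(req: Request) -> str:
    # Principle 2: a mandatory step that maps a credential to an identity
    # using server-side state only; anything the client asserts is ignored.
    token = req.headers.get("Authorization", "")
    user = SESSIONS.get(token[7:]) if token.startswith("Bearer ") else None
    if user is None:
        raise AuthError("unauthenticated")
    return user

def authorize(user: str, action: str) -> None:
    # Principle 3: decide from the authenticated identity and a server-side
    # role lookup, never from claims carried in the request.
    if action not in PERMISSIONS[USERS[user]]:
        raise AuthError("forbidden")

def secure_handle(req: Request) -> str:
    user = authenticate(req)     # runs on every request; cannot be skipped
    authorize(user, req.action)  # only after authentication succeeded
    return "ok"

def dispatch(handler, req: Request) -> str:
    try:
        return handler(req)
    except AuthError as exc:
        return str(exc)
```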

    Copyright 2014 UBM Tech, All rights reserved