8/10/2019 Top Ten Software Security Design Flaws
04/09/2014 IEEE: Top Ten Software Security Design Flaws | Dr Dobb's
http://www.drdobbs.com/security/ieee-top-ten-software-security-design-fl/240168950 1/3
IEEE: Top Ten Software Security Design Flaws
By Adrian Bridgwater, September 02, 2014
The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws"
The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws". The report is grounded in real-world data: experts from a diverse group of organizations were brought together to discuss the software security design flaws they had identified in their own internal design reviews.

What resulted was a list of the ten most significant software security design flaws and the design techniques that avoid them. The practical advice ranges from encouraging the correct use of applied cryptography to ensuring that every item of data an application accepts is explicitly validated.
"Bugs and flaws are two very different types of security defects," said participant Gary McGraw, chief technology officer at Cigital. "We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50% of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large."
The following list of recommendations was born from the workshop to help developers avoid the top security design flaws (each technique is described in detail in the report):

1. Earn or give, but never assume, trust
2. Use an authentication mechanism that cannot be bypassed or tampered with
3. Authorize after you authenticate
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources
5. Define an approach that ensures all data are explicitly validated
6. Use cryptography correctly
7. Identify sensitive data and how they should be handled
8. Always consider the users
9. Understand how integrating external components changes your attack surface
10. Be flexible when considering future changes to objects and actors
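Items 1 to 3 are easiest to see side by side in code. The following Python example is added here to illustrate them; it is not from the IEEE report or from Dr. Dobb's, and the users, session tokens, roles and route names in it are all hypothetical. A single gateway is the only way to register a handler, so every request is authenticated (from a server-side session) before it is authorized (against a server-side role), and a self-declared `X-Role` header from the client is never believed. A `flawed_dispatch` function shows the anti-pattern the list warns about.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed server-side state for this example (hypothetical users, not real
# credentials). Session tokens and roles live on the server, never in the request.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}
ROLES: Dict[str, str] = {"alice": "admin", "bob": "user"}


@dataclass
class Request:
    path: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass(frozen=True)
class Principal:
    user: str
    role: str  # established by the server, never copied from the client


Handler = Callable[[Principal], str]


class Gateway:
    """Single choke point: a handler can only be registered with a required role,
    and every request passes through dispatch(), so the authentication and
    authorization checks cannot be skipped by adding a route (item 2)."""

    def __init__(self) -> None:
        self._routes: Dict[str, Tuple[str, Handler]] = {}

    def route(self, path: str, required_role: str) -> Callable[[Handler], Handler]:
        def register(handler: Handler) -> Handler:
            self._routes[path] = (required_role, handler)
            return handler
        return register

    def authenticate(self, req: Request) -> Optional[Principal]:
        # Trust is earned by presenting a valid session, and the role is looked
        # up server-side. A client-supplied X-Role header is only a claim, and
        # this code never assumes it to be true (item 1).
        user = SESSIONS.get(req.headers.get("Cookie", ""))
        if user is None:
            return None
        return Principal(user=user, role=ROLES[user])

    def dispatch(self, req: Request) -> Tuple[int, str]:
        if req.path not in self._routes:
            return 404, "not found"
        required_role, handler = self._routes[req.path]
        principal = self.authenticate(req)
        if principal is None:
            return 401, "authentication required"
        # Authorization runs only after authentication succeeded (item 3) and is
        # decided on the verified principal, not on anything in the request.
        if principal.role != required_role and principal.role != "admin":
            return 403, "forbidden"
        return 200, handler(principal)


app = Gateway()


@app.route("/admin/users", required_role="admin")
def list_users(p: Principal) -> str:
    return f"{p.user} listed users"


@app.route("/me", required_role="user")
def profile(p: Principal) -> str:
    return f"profile of {p.user}"


def flawed_dispatch(req: Request) -> Tuple[int, str]:
    """The anti-pattern: the server trusts the role the client declares about
    itself, so anyone who sends 'X-Role: admin' is treated as an admin."""
    role = req.headers.get("X-Role", "anonymous")
    if req.path.startswith("/admin/") and role != "admin":
        return 403, "forbidden"
    return 200, f"served {req.path} to a self-declared {role}"


if __name__ == "__main__":
    forged = Request("/admin/users", {"Cookie": "sess-bob", "X-Role": "admin"})
    print("flawed :", flawed_dispatch(forged))   # (200, ...): header forgery works
    print("gateway:", app.dispatch(forged))       # (403, 'forbidden')
```

The point of the design is that there is no second code path: a developer cannot add a route that skips the checks, because the only registration API demands a required role and the only entry point is `dispatch()`. Changing the framework to let handlers opt out of authentication would reintroduce item 2.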
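Items 4 and 5 are the design principles behind injection flaws. The Python example below is added to illustrate them and is not code from the report; the table, its rows and the search API are constructed for the example. The flawed function splices an untrusted value into the SQL text, so a value that contains a closing quote and an `OR` clause becomes a control instruction. The hardened function keeps data and control apart: values travel as bound parameters, and the one thing that cannot be bound (a column identifier) is checked against an explicit allow-list rather than escaped.

```python
import sqlite3
from typing import List


def make_db() -> sqlite3.Connection:
    """Constructed sample table for this example (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.invalid"),
         ("bob", "bob@example.invalid"),
         ("carol", "carol@example.invalid")],
    )
    return conn


def find_user_flawed(conn: sqlite3.Connection, name: str) -> List[str]:
    """Item 4 violated: the untrusted value becomes part of the SQL text, so it
    can carry control instructions (a closing quote and an OR clause)."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


# Identifiers cannot be passed as bound parameters, so they are validated
# against an explicit allow-list instead (item 5); anything else is rejected.
SEARCHABLE_COLUMNS = frozenset({"name", "email"})
MAX_VALUE_LEN = 254  # assumed bound for this example


def search_users(conn: sqlite3.Connection, column: str, value: str) -> List[str]:
    """Data and control strictly separated: the SQL text is fixed apart from a
    validated identifier, and the user-supplied value is a bound parameter
    that the database never interprets as SQL."""
    if column not in SEARCHABLE_COLUMNS:
        raise ValueError(f"unsupported search column: {column!r}")
    if not isinstance(value, str) or not 0 < len(value) <= MAX_VALUE_LEN:
        raise ValueError("search value must be a non-empty string of bounded length")
    sql = f"SELECT name FROM users WHERE {column} = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (value,))]


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"
    print("flawed  :", find_user_flawed(db, payload))        # all three users
    print("hardened:", search_users(db, "name", payload))    # []
    try:
        search_users(db, "name; DROP TABLE users", "alice")
    except ValueError as exc:
        print("rejected:", exc)
```

The same split applies beyond SQL: shell commands take an argument list rather than a concatenated string, templates take values rather than markup, and any identifier, path segment or format string taken from outside the trust boundary is matched against an allow-list before it can influence what the program does.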
Copyright 2014 UBM Tech, All rights reserved