IEEE: Top Ten Software Security Design Flaws | Dr Dobb's
IEEE: Top Ten Software Security Design Flaws
By Adrian Bridgwater, September 02, 2014
The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws"
The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws". Based on real-world data, the report brought together experts from a diverse group of organizations to discuss the software security design flaws they had identified in their own internal design reviews.

What resulted was a list of the top 10 most significant software security design flaws and the design techniques to avoid them. The practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.
"Bugs and flaws are two very different types of security defects," said participant Gary McGraw, chief technology officer at Cigital. "We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50% of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large."
The following list of recommendations was born from the workshop to help developers avoid the top security design flaws (each technique is described in detail in the report):
1. Earn or give, but never assume, trust
2. Use an authentication mechanism that cannot be bypassed or tampered with
3. Authorize after you authenticate
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources
5. Define an approach that ensures all data are explicitly validated
6. Use cryptography correctly
7. Identify sensitive data and how they should be handled
8. Always consider the users
9. Understand how integrating external components changes your attack surface
10. Be flexible when considering future changes to objects and actors
http://www.drdobbs.com/security/ieeetoptensoftwaresecuritydesignfl/240168950
04/09/2014