
04/09/2014

IEEE: Top Ten Software Security Design Flaws | Dr Dobb's


IEEE: Top Ten Software Security Design Flaws
By Adrian Bridgwater, September 02, 2014

The IEEE Center for Secure Design cybersecurity initiative has released a report titled "Avoiding the Top 10 Software Security Design Flaws". Based on real-world data, the report welcomed experts from a diverse group of organizations to discuss software security design flaws that they had identified in their own internal design reviews.

What resulted was a list of the top 10 most significant software security design flaws and the design techniques to avoid them. Practical advice ranges from encouraging the correct use of applied cryptography to validating each individual bit of data.


"Bugs and flaws are two very different types of security defects," said participant Gary McGraw, chief technology officer at Cigital. "We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50% of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large."

The following list of recommendations was born from the workshop to help developers avoid the top security design flaws (each technique is described in detail in the report):

1. Earn or give, but never assume, trust
2. Use an authentication mechanism that cannot be bypassed or tampered with
3. Authorize after you authenticate
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources
5. Define an approach that ensures all data are explicitly validated
6. Use cryptography correctly
7. Identify sensitive data and how they should be handled
8. Always consider the users
9. Understand how integrating external components changes your attack surface
10. Be flexible when considering future changes to objects and actors

http://www.drdobbs.com/security/ieeetoptensoftwaresecuritydesignfl/240168950