The IEEE Center for Secure Design has published a report on the Top 10 software security design flaws (and how to avoid them).
When it comes to making sure software is secure, too much of the attention is focused on bugs, and not enough of the conversation is about design flaws, according to Gary McGraw, CTO of security software provider Cigital, one of the founding members of the Center for Secure Design, an organization made up of technology and security companies and researchers.
“Bugs and flaws are two very different types of security defects,” he said. “We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50% of software security issues.”
(Related: How developers are prioritizing security)
When it comes to cyber attacks, even the biggest companies are susceptible to an attack, and it can be as easy as not validating data or putting sensitive data on a client’s system, thinking attackers won’t find it. In fact, JPMorgan Chase and at least four other U.S. banks were recently involved in a cyber attack reportedly stemming from an employee’s personal computer that was infected with malware.
To help protect software systems, the Center for Secure Design has come up with a list of the Top 10 software security design flaws, and some practices for avoiding them.
1. Incorrect trust assumptions: Don’t assume trust. Authorization, access control, security policy enforcement and embedded sensitive data should never be placed in client software because users and attackers will find them, according to the report. Also, never trust any data sent from clients. Make sure all data received is properly validated.
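To make the first flaw concrete, here is an added Python example (not code from the report or from the Center for Secure Design) contrasting a checkout handler that trusts a client-supplied price with one that validates every field and takes prices and privileges only from server-side data. The catalogue, SKU format, quantity limit and role store are constructed for the illustration.

```python
import re

# Constructed server-side data: prices and roles live here, never in the client.
CATALOGUE = {"sku-1001": 1999, "sku-1002": 500}   # prices in cents
SERVER_ROLES = {"alice": {"customer"}, "carol": {"customer", "staff"}}
STAFF_DISCOUNT_PERCENT = 10
MAX_QTY = 20
SKU_RE = re.compile(r"^sku-\d{4}$")


class ValidationError(ValueError):
    """Raised when client-supplied data fails server-side validation."""


def total_trusting_client(order: dict) -> int:
    """The design flaw: price and privilege come straight from the client."""
    total = int(order["price"]) * int(order["qty"])
    if order.get("is_staff"):          # a client-controlled flag decides the discount
        total -= total * STAFF_DISCOUNT_PERCENT // 100
    return total


def total_validated(order: dict, authenticated_user: str) -> int:
    """Hardened: validate each client field, then look up price and role server-side.

    `authenticated_user` is assumed to come from the server's own session,
    not from the request body.
    """
    sku = order.get("sku")
    if not isinstance(sku, str) or not SKU_RE.match(sku):
        raise ValidationError("malformed sku")
    if sku not in CATALOGUE:
        raise ValidationError("unknown sku")

    qty = order.get("qty")
    # bool is a subclass of int in Python, so reject it explicitly.
    if not isinstance(qty, int) or isinstance(qty, bool) or not 1 <= qty <= MAX_QTY:
        raise ValidationError("quantity out of range")

    # Client-supplied "price" and "is_staff" are ignored, not merged.
    total = CATALOGUE[sku] * qty
    if "staff" in SERVER_ROLES.get(authenticated_user, set()):
        total -= total * STAFF_DISCOUNT_PERCENT // 100
    return total


if __name__ == "__main__":
    tampered = {"sku": "sku-1001", "price": 1, "qty": 5, "is_staff": True}
    print("trusting client:", total_trusting_client(tampered))
    print("validated:      ", total_validated(tampered, "alice"))
```

The same tampered request yields a few cents in the flawed version and the real catalogue total in the validated one; anything the server cannot verify is dropped rather than merged.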
2. Broken authentication mechanisms: One of the main goals of secure software design is to prevent attackers, and even legitimate users, from gaining access to a system without having their identity validated, according to the report. The Center for Secure Design recommended having a single authentication mechanism that leverages one or more factors, depending on an application’s requirements, and making sure authentication credentials have a limited lifetime, are unforgeable, and are stored on the system.
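The "limited lifetime" and "unforgeable" properties of the second item can be demonstrated with a minimal HMAC-signed session token. This is an added Python example written for this article, not code from the report; the secret, user names and timestamps are constructed, and a real deployment would use a proven library and also handle revocation.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side secret; in practice loaded from a key store, never shipped to clients.
SECRET = b"constructed-example-secret-do-not-use"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()


def issue_token(user: str, secret: bytes, ttl_seconds: int, now: Optional[float] = None) -> str:
    """Mint a token carrying the subject and an absolute expiry, bound by an HMAC tag."""
    now = time.time() if now is None else now
    claims = {"sub": user, "exp": int(now) + ttl_seconds}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    tag = hmac.new(secret, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)


def verify_token(token: str, secret: bytes, now: Optional[float] = None) -> Optional[str]:
    """Return the subject if the tag is valid and the token is unexpired, else None."""
    now = time.time() if now is None else now
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = base64.urlsafe_b64decode(payload_b64)
        tag = base64.urlsafe_b64decode(tag_b64)
    except ValueError:           # wrong number of parts or bad base64
        return None
    expected = hmac.new(secret, payload, hashlib.sha256).digest()
    # Constant-time comparison: any change to the claims invalidates the tag.
    if not hmac.compare_digest(tag, expected):
        return None
    claims = json.loads(payload)
    if claims.get("exp", 0) <= now:   # limited lifetime: expired tokens are refused
        return None
    return claims.get("sub")


if __name__ == "__main__":
    t = issue_token("alice", SECRET, ttl_seconds=300)
    print("valid:", verify_token(t, SECRET))
```

Because the tag is computed over the claims with a server-held secret, a client can read its own token but cannot alter the subject or extend the expiry without producing an invalid tag.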