10 Common Software Security Design Flaws

  /     /     /  
Publicated : 22/11/2024   Category : security

10 Common Software Security Design Flaws


Google, Twitter, and others identify the most common software design mistakes -- compiled from their own organizations -- that lead to security woes and how to avoid them.


Its not all about the security bugs: Mistakes in how a software applications security is designed can lead to major breaches like that suffered by the mega-retailer Target.
Security experts from Cigital, Google, Twitter, HP, McAfee, EMC, RSA, Harvard University, George Washington University, Athens University of Economics and Business, the Sandosky Foundation, and the University of Washington as part of the IEEE Center for Secure Design published a report today that pinpoints 10 of the most common software security design flaws they collectively found in their own development programs.
When you can solve a problem at the [software] design phase, it automatically solves a bunch of problems later on in the stages, says Neil Daswani, who is with Twitters security engineering team. Its very cost-effective to solve security at the design stage.
The organizations came up with a top 10 list during a workshop session this spring, where each brought along examples of design flaws it had experienced. What we did as a group of companies is dump out a list based on the overlap in all the design issues brought to the table, Daswani says.
To date, the security industry has mostly been laser-focused on finding and eradicating security vulnerabilities or bugs. There are plenty of lists available, such as the
OWASP Top 10
, that provide the most common software bugs in development. But design flaws -- such as using encryption incorrectly or not validating data properly -- can also be exploited by attackers or lead to security bugs. These flaws can be less noticeable on the surface but just as deadly if abused by an attacker.
Getting software designers and architects what they need to think about when building software is just as important as getting developers to think about bugs, says Gary McGraw, CTO at Cigital and a member of the team behind the new Avoiding the Top 10 Software Security Design Flaws report. Unfortunately, not much attention is paid to that.
With cross-site scripting (XSS) vulnerabilities, for example, a simple design change can wipe out the possibility of those bugs in an application, he says. You can make a change to the design of the API of an application that could eliminate an entire category of bugs.
According to McGraw, Targets data breach was a real-world example of a design flaw leading to a hack. The environment was crunchy on the outside and chewy in the middle. As a result, it was easy to get to the middle where all the data was stored once the attackers had compromised the point-of-sale system. The design of the communications and storage… were [poorly] done, he says. Often a bug provides a toehold into a system to be exploited because of bad security design.
Twitter already is implementing its own software security design flaw prevention program based on the report. Daswani says an internal Twitter document specifically recommends how to design its software securely. For example, we recommend the use of a certain number of templating frameworks -- the developers choose one -- so its more likely that their code wont be vulnerable to cross-site scripting and other bugs.
One reason XSS is so prevalent in software today is that, when you build a web application, its easy to design it with inherent flaws at the user interface. If youre not careful about what data you output to the user interface, sometimes the browser at the other end can get confused and think the data might be code that has to be executed, he says. By recommending a templating language, it makes a clear delineation on what is considered code and what is to be considered data. That sure makes it harder to have a bug like cross-site scripting.
The report recommends how to prevent each of the 10 most common software security design flaws:
1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
5. Define an approach that ensures all data are explicitly validated.
6. Use cryptography correctly.
7. Identify sensitive data and how it should be handled.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.
Its [an] important point that the vendor community in software security and even OWASP has a very myopic focus on bugs, McGraw says. That leads some customers to believe that software security is a bug problem only, but design flaws account for about half of software security issues.
Tom Brennan, global vice president of the OWASP Foundation, says the approach of attacking the source of the problem makes sense, and his organization is on the same page as the others.
I am glad to see colleagues promoting a proactive risk approach to the core source of the problem and not the symptoms, Brennan says. IEEE, MITRE, OWASP, ISC2 ASAC, and other associations have been shifting the focus in security from bug hunts and finding bugs to identifying common design flaws to communicate more effectively with the technology risk officers.
In practice, as a penetration tester, we continue to identify, prioritize, and make recommendations for individual findings, he says. Providing guidance from individual vulnerabilities to eradication of entire classes of problems elevates the discussion to the board of directors level.
Daswani says the best time to ensure secure coding is from the get-go, with development and design teams working together. Its important to include development teams as part of the design. Entire classes of bugs can be knocked out.
Dan Kaminsky, chief scientist at WhiteOps, calls the design flaw approach interesting. The hard problem in computer security is operationalization -- how do we take the hard-won lessons learned from years of getting hacked and apply them to real-world systems that really need to be protected? he says. The IEEE here is doing something interesting. This guidance is for architects -- not necessarily of the end software, but of the frameworks that everything is built out of. These are security principles for our Legos and, if made properly concrete, will be helpful.
Addressing potential design flaws even as early as during the requirements phase could help.
Its important to ask questions that identify what all the different ways the software will get used, Daswani says. The more you can put in design-level criteria and decisions in place, the more you can help mitigate entire classes of bugs before the code is even developed.
A copy of the full report is available
here
for download.

Last News

▸ ArcSight prepares for future at user conference post HP acquisition. ◂
Discovered: 07/01/2025
Category: security
▸ Samsung Epic 4G: First To Use Media Hub ◂
Discovered: 07/01/2025
Category: security
▸ Many third-party software fails security tests ◂
Discovered: 07/01/2025
Category: security


Cyber Security Categories
Google Dorks Database
 		Exploits Vulnerability
 		Exploit Shellcodes

CVE List
 		Tools/Apps
 		News/Aarticles

Phishing Database
 		Deepfake Detection
 		Trends/Statistics & Live Infos



Tags:
10 Common Software Security Design Flaws