Software Security Design Flaws

An IEEE report notes that "the security of many systems is breached due to design flaws" rather than a particular coding mistake or unique bug.

Read the report here (pdf).

The recent bug bounty trend reflects the common approach of picking things apart to find mistakes and bugs, whereas the IEEE wants to identify and improve poor design practices. By uncovering the top security flaws found in software, developers can learn to write better code and spend less time fixing security problems after the fact.

Changing accepted practices around software design sounds like a goal that's a bit big, even if it is warranted. Things typically roll out as soon as they work, not as soon as they're safe. Security is someone else's problem, unless you make security products. Will this attitude ever change?

Here are the top software security flaws they identified:

- Assuming trust
- Weak authentication
- Authorizing before authenticating
- Processing control instructions from untrusted sources (and keeping data and control instructions together)
- Failing to explicitly validate data
- Failing to identify and protect sensitive data
- Using cryptography incorrectly
- Failing to consider user experience; prioritizing security over the needs of the user
- Increasing the attack surface by using external components
- Using static security implementations instead of flexible ones