Google, Twitter, and HP are teaming up with 10 other technology companies and universities to help developers design secure software and write better code.

An initiative under the Institute of Electrical and Electronics Engineers (IEEE) Computer Society, the new group focuses on practical recommendations for secure software design.

The other founding members of IEEE Center for Secure Design (IEEE CSD) are Athens University of Economics and Business, Cigital, EMC, George Washington University, Harvard University, Intel/McAfee, RSA, Sadosky Foundation, Ministry of Science, Technology and Productive Innovation of Argentina, and the University of Washington.

The group also released the “Avoiding the Top 10 Software Security Design Flaws” report on Aug. 27, outlining 10 design-level practices for avoiding the most common classes of software security flaws. The report is the result of a workshop at which representatives of each founding member met to compare the design flaws they had found in their own internal design reviews.

“The Center for Secure Design will play a key role in refocusing software security on some of the most challenging open design problems in security,” said Neil Daswani of the security engineering team at Twitter. “By putting focus on security design and not just focusing on implementation bugs in code, the CSD does even the most advanced companies in the space a huge service.”

IEEE CSD was careful to differentiate between flaws and bugs in its report: a bug is a mistake in the implementation (a buffer overflow, an off-by-one), whereas a flaw is a poor design decision that remains even if every line of code is written correctly. The report covers topics such as the incorrect use of cryptography and the need to define an approach under which every piece of input data is explicitly validated.

“We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50 per cent of software security issues,” said Gary McGraw, chief technology officer at Cigital.

The list of recommendations is below, with more details provided in the report, available on the IEEE CSD website.

• Earn or give, but never assume, trust
• Use an authentication mechanism that cannot be bypassed or tampered with
• Authorize after you authenticate
• Strictly separate data and control instructions, and never process control instructions received from untrusted sources
• Define an approach that ensures all data are explicitly validated
• Use cryptography correctly
• Identify sensitive data and how they should be handled
• Always consider the users
• Understand how integrating external components changes your attack surface
• Be flexible when considering future changes to objects and actors
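The fourth item, keeping data and control instructions strictly separate, is the design principle behind the most common injection flaws. The following is an added illustration, not code from the report or from any of the founding members: a hypothetical user lookup against a constructed in-memory SQLite table, written once with untrusted input spliced into the SQL text (the control channel) and once with the input passed as a bound parameter (data only). The table contents, the function names and the attacker-controlled value are all assumptions made for this example.

```python
import sqlite3


def build_db():
    """Build a constructed, hypothetical users table in memory (sample data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    conn.commit()
    return conn


def find_user_unsafe(conn, username):
    """Design flaw: the untrusted value becomes part of the control channel.

    Because the input is pasted into the statement text, the input can change
    what the statement *means*, not just which row it matches.
    """
    query = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, username):
    """Separation kept: the statement is fixed, the value travels as data.

    The SQL text never changes; the driver binds the parameter so that
    whatever the caller supplies can only ever be compared as a string.
    """
    query = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(query, (username,)).fetchall()


def demo():
    """Run both lookups with a constructed attacker-controlled value."""
    conn = build_db()
    payload = "' OR '1'='1"  # constructed example of a control instruction hidden in data
    return {
        # The unsafe query becomes: ... WHERE username = '' OR '1'='1' -> every row
        "unsafe_rows": find_user_unsafe(conn, payload),
        # The safe query looks for a user literally named "' OR '1'='1" -> no rows
        "safe_rows": find_user_safe(conn, payload),
        # Legitimate use of the safe lookup still works
        "safe_legit": find_user_safe(conn, "alice"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point of the comparison is that no amount of output filtering fixes the first function: its design lets data become control. The second function needs no special handling of quotes or keywords because the boundary between the statement and its inputs is enforced by the interface itself, which is what the report's "never process control instructions received from untrusted sources" asks for.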
