HP* and, before its acquisition, Fortify have spent many years innovating around the people, process, and technology required to build secure software, which is why I’m honored to represent HP* as a founding member of the IEEE’s Center for Secure Design (CSD) initiative. The CSD aims to help architects and developers tackle the hard work of designing and coding software with strong, identifiable security concepts built in. We also hope to help builders avoid flaws that, while easy to catch early in the development process, can prove incredibly difficult to eradicate once they’re baked into code.
The challenges and rewards of designing software that’s both rich in features and secure are well known. The CSD initiative draws upon experts from industry, academia, and government – a group familiar with security and development in various real-world environments. With experts indicating that 50 percent of all software security issues can be traced back to design flaws, we felt a genuine responsibility to build clear, actionable guidance that can serve developers without requiring them to throw out their usual work methodology.
Today we’re releasing the first results of that work in the form of a whitepaper, “Avoiding the Top 10 Software Security Design Flaws,” which presents concrete, clear recommendations for designing secure software.
The paper is divided into ten sections, one per design flaw, chosen from the findings our team collected during a multi-day workshop:
- Earn or give, but never assume, trust.
- Use an authentication mechanism that cannot be bypassed or tampered with.
- Authorize after you authenticate.
- Strictly separate data and control instructions, and never process control instructions received from untrusted sources.
- Define an approach that ensures all data are explicitly validated.
- Use cryptography correctly.
- Identify sensitive data and how they should be handled.
- Always consider the users.
- Understand how integrating external components changes your attack surface.
- Be flexible when considering future changes to objects and actors.
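To make one of these principles concrete, the following is an added example (not code from the paper or from HP/Fortify) illustrating the fourth item, "Strictly separate data and control instructions." It uses Python's standard-library sqlite3 module with a constructed in-memory users table; the function names, table, and the injected username are assumptions made for this illustration. The vulnerable lookup splices attacker-controlled text into the SQL statement, so the database cannot distinguish data from instructions; the hardened lookup keeps the statement fixed and passes the username as a bound parameter.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table (sample data, not real accounts)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_role_vulnerable(conn, username):
    """Data and control mixed: the username becomes part of the SQL text.

    Any quote in the input changes the statement the engine parses, so
    untrusted data is processed as a control instruction.
    """
    sql = "SELECT role FROM users WHERE username = '" + username + "'"
    return [row[0] for row in conn.execute(sql).fetchall()]


def lookup_role_hardened(conn, username):
    """Data and control separated: the SQL text is constant, the value is bound.

    The engine compiles the fixed statement first and only then receives the
    username as a parameter, so quotes or keywords in it are just characters.
    """
    sql = "SELECT role FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,)).fetchall()]


if __name__ == "__main__":
    conn = make_db()
    # Hypothetical hostile input: a quote closes the literal and appends an
    # always-true condition, turning a single-row lookup into a full dump.
    payload = "x' OR '1'='1"
    print("vulnerable:", sorted(lookup_role_vulnerable(conn, payload)))
    print("hardened:  ", lookup_role_hardened(conn, payload))
```

Note that input validation (the fifth item) is a complement to this separation, not a substitute for it: a validation rule that happens to reject a single quote does nothing for the next channel where the same data is concatenated into a shell command, an LDAP filter, or an HTML page. Keeping control instructions fixed and passing untrusted data only through a channel the interpreter treats as data is what removes the flaw.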
We hope this paper gives architects and developers confidence that building secure software is useful, achievable work. We also hope that it will encourage productive conversations among architects, developers, and security folk, who in the end all want the same thing – what’s best for customers and the ecosystem. If you’re interested in learning more, please download the paper from the IEEE CSD site at cybersecurity.ieee.org, and be sure to follow us on Twitter @sfjacob and @ieeecsd.
* Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.