Secure software design tips


Avoiding the top 10 software security design flaws is a document published as part of the IEEE Computer Society cybersecurity initiative.  IEEE Computer Society Center for Secure Design. The Center intends to shift some of the focus in security from finding bugs to identifying common design flaws in the hope that software architects can learn from others’ mistakes.

In early 2014 workshop participating experts arrived at a list they felt were the top security design flaws. Many of the flaws that made the list have been well known for decades, but continue to persist. Avoiding the top 10 software security design flaw document is the result of that discussion—and how to avoid the top 10  security flaws. In this document, a group of software security professionals have contributed both real-world data and expertise to identify some of the most significant design flaws that have led to security breaches over the past several years. The list of issues presented here is focused entirely on the most widely and frequently occurring design flaws

Because the authors, contributors, and publisher are eager to engage the broader community in open discussion, analysis, and debate regarding a vital issue of common interest, this document is distributed under a Creative Commons BY-SA license.

1 Comment

  1. Tomi Engdahl says:

    Veracode gets $40M to help companies find security holes in their applications

    Veracode’s service hooks into the development tools used by coders so that its cloud-based system can scan their application for vulnerabilities or bugs in the code.

    What makes Veracode different than the recent torrent of security startups that have been raising cash is how its technology aims to strengthen the development process of applications rather than providing network-monitoring services like RiskIQ or identity management features like Okta. Brennan said he believes that many of the security breaches today occur by taking advantage of holes in the design and source code of the application itself, especially as these apps are dealing with lots of data flowing in and out.

    “The world views of security and development are different; one is focussed on building things and one is focussed on monitoring,” Brennan said.

    After scanning the application, Veracode can tell whether or not a development team has been introducing SQL injection errors and other common security bugs. It then reports that information back to the developers so that they can properly patch up their system.

    “We run the program to tell them what has been remediated and what hasn’t,”


Leave a Comment

Your email address will not be published. Required fields are marked *