Software Integrity Blog


The IEEE Computer Society Center for Secure Design

The IEEE Computer Society Center for Secure Design (CSD) has officially launched! The initial document created by the center is called Avoiding the Top 10 Software Security Design Flaws. This document represents the most common flaws identified at the initial CSD workshop held earlier this year. Everyone remember the difference between bugs and flaws? If not, get a refresher here.

After reading the CSD document, you will likely fall into one of three camps. Camp 1 knows about some of the identified flaws, but there is at least one flaw that they haven’t thoroughly thought about. Camp 2 knows about every flaw listed. Camp 3 hadn’t considered any of these flaws in the design of their software. But here’s the important point: no matter what camp you are in, it is possible, dare I say even likely, that you will design software with one or more of these flaws.

There are several reasons for this:

  • Some of these flaws are just genuinely hard to get right all the time (e.g., Use cryptography correctly).
  • We are human beings, and human beings make mistakes.
  • Design flaws can be hard to find, or “see”.
  • Although many or all of these design flaws were thought about in the original design 4 years ago, no one has looked at how the design has changed to incorporate the 20+ point releases since.
  • Etc.

Regardless of why these flaws occur, the CSD will be working on creating more artifacts to help you identify techniques to avoid the flaws.
Sound challenging? I agree. But if you’re interested in seeing if this problem can be solved, let the CSD know you want to get involved, and we’ll see if we can have you help out with the future workload.

