
The IEEE Computer Society Center for Secure Design

The IEEE Computer Society Center for Secure Design (CSD) has launched and released its first title: Avoiding the Top 10 Software Security Design Flaws.

The IEEE Computer Society Center for Secure Design (CSD) has officially launched! The first document created by the center is called Avoiding the Top 10 Software Security Design Flaws. This document explains the most common flaws identified at the initial CSD workshop held earlier this year. Everyone remember the difference between bugs and flaws?

After reading the IEEE CSD document, you will likely fall into one of three camps. Camp 1 knows about some of the identified flaws, but there is at least one flaw that they haven’t thoroughly thought about. Camp 2 knows about every flaw listed. Camp 3 hasn’t considered any of these flaws in the design of their software. But here’s the important point: No matter what camp you are in, it is possible, dare I say even likely, that you will design software with one or more of these flaws.

There are several reasons for this. Here are just a few:

  • Some of these flaws are just genuinely hard to get right all the time (e.g., using cryptography correctly).
  • We are human beings, and human beings make mistakes.
  • Design flaws can be hard to find or “see.”
  • Although many or all of these design flaws were thought about in the original design four years ago, after 20+ point releases, no one has looked at how the design has changed to incorporate those 20+ point releases.

Regardless of why these flaws occur, the IEEE CSD will be creating more artifacts to help you identify techniques to avoid the flaws.

Sound challenging? I agree. But if you’re interested in seeing if this problem can be solved, let the CSD know you want to get involved, and we’ll see how you can help out with the future workload.

 

Posted by

Jim DelGrosso


Jim DelGrosso is a senior principal consultant at Synopsys. In addition to his overarching knowledge of software security, he specializes in architecture analysis, threat modeling, and secure design. Jim is the Executive Director for IEEE Computer Society Center for Secure Design (CSD). He also predicts that “OpenSSL will have at least one new vulnerability found in the next 12 months. You can pick the start date—it’s the ‘12 months’ that matters.” Jim relaxes and decompresses from work by playing with the dogs, listening to music, or just chilling out with a beer and a movie.

