Another Top 10 list — really?
Yes. This really is another Top 10 list, but it differs from other lists of software security defects. Many of the existing Top N lists (OWASP Top Ten, CWE/SANS Top 25) mix implementation or coding bugs with design flaws. This list focuses exclusively on security-related design flaws. Additionally, the observations highlighted here include the results of internal design reviews of systems at many of the Center for Secure Design member organizations; a number of the Top 10 design flaws were caught during those internal reviews. Bottom line: many instances of these design flaws never went public, so they could never be counted in a Top N list based on disclosed vulnerabilities.
Is this list a bunch of things that I should not do?
No. The participants of the Center for Secure Design discussed this exact topic and decided to present design choices and advice to be considered and/or followed — not avoided.
If I do everything in this list, will my software be free of design flaws?
Unlikely. The entry for each design flaw in this list does not document EVERYTHING that needs to be considered to avoid that particular flaw. Also, more than 10 design flaws exist in the world. However, if your software is designed to address these top 10 design flaws, you are on the right path.
Why is the IEEE taking an interest in secure software development?
The IEEE Computer Society’s cybersecurity initiative, which launched in 2014, aims to do more than just take an interest in security, secure software, software security, or other buzzwords that start with S. The Center for Secure Design is one aspect of the initiative. We also plan to examine a building code for security-critical software, tackle the computer security curriculum, and take on other fun, hard problems.
How can this Top 10 list help me write more secure software?
One way to improve your knowledge is to understand mistakes made by others. This list of common design flaws provides some of that knowledge base — common mistakes that top firms have detected, coupled with descriptions of how to identify the flaws, so these mistakes (or design flaws) can be avoided.
Can more people get involved or is the CSD restricted to the original contributors?
The IEEE is a global organization and open to the public. Join us! If you want to get involved, follow us on Twitter: @ieeecsd.