Identify Sensitive Data and How They Should be Handled
Data are critical to organizations and to users. One of the first tasks that systems designers must do is identify sensitive data and determine how to protect it appropriately. Many…
2015
Use Cryptography Correctly
Cryptography is one of the most important tools for building secure systems. Through the proper use of cryptography, one can ensure the confidentiality of data, protect data from unauthorized modification,…
Define an Approach that Ensures All Data are Explicitly Validated
Software systems and components commonly make assumptions about data they operate on. It is important to explicitly ensure that such assumptions hold: Vulnerabilities frequently arise from implicit assumptions about data,…
Strictly SeparateData and Control Instructions, and Never Process Control Instructions Received from Untrusted Sources
Co-mingling data and control instructions in a single entity, especially a string, can lead to injection vulnerabilities. Lack of strict separation between data and code often leads to untrusted data…
Authorize After You Authenticate
While it is extremely important to assess a user’s identity prior to allowing them to use some systems or conduct certain actions, knowing the user’s identity may not be sufficient…
Use an Authentication Mechanism that Cannot be Bypassed or Tampered With
Authentication is the act of validating an entity’s identity. One goal of a secure design is to prevent an entity (user, attacker, or in general a “principal”) from gaining access…
Earn or Give, but Never Assume, Trust
Software systems comprising more than just a single monolithic component rely on the composition and cooperation of two or more software tiers or components to successfully accomplish their purpose. These…
Avoiding the Top 10 Software Security Design Flaws
Most software that has been built and released typically comes with a set of defects — implementation bugs and design flaws. To date, there has been a larger focus on finding implementation bugs rather than on identifying flaws.
The Institute Special Report on Cybersecurity
Special Report: Cybersecurity The March issue of The Institute features in-depth articles on the IEEE Cybersecurity Initiative, such as resources, career advice and conferences to watch. Read more
IEEE S&P Call for Papers on Real World Cryptography
Special Issue on Real-World Cryptography Articles due to ScholarOne: 2 May 2016 Publication date: November/December 2016 Author guidelines: www.computer.org/web/peer-review/magazines Cryptography is simultaneously one of the most theoretical areas of computer…