草榴社区

Half of the software-related security defects that provide entry to threat agents aren’t bugs found in code; rather, they’re flaws embedded in software design. The  brought together some of the foremost experts in software security in a working group to tackle the issue of secure software design.

Based on their findings, here are 10 powerful do’s and don’ts examining the most common software security flaws.

1. Earn or give trust, but never assume it.

• Do make sure all data from an untrusted client are validated.
• Do assume data are compromised.
• 顿辞苍’迟 use authorization, access control, policy enforcement, and use of sensitive data in client code.

2. Use an authentication mechanism that can’t be bypassed.

• Do prevent users from changing identity without re-authentication after they’re authenticated.
• Do consider the strengths of the user’s provided authentication before taking action.
• Do make use of timeouts.
• 顿辞苍’迟 stray past the big three: something you know, something you have, and something you are
• 顿辞苍’迟 share resources like IP numbers and MAC addresses.
• 顿辞苍’迟 use predictable tokens.

3. Authorize after you authenticate.

• Do perform authorization as an explicit check.
• Do reuse common infrastructure for conducting authorization checks.
• 顿辞苍’迟 forget that authorization depends on the context of the request, not just a given set of privileges.

4. Strictly separate data and control instructions, and never process control instructions received from untrusted sources.

• Do utilize hardware capabilities to enforce separation of code and data.
• Do know and use appropriate compiler/linker security flags.
• Do expose methods or endpoints that consume structured types.
• 顿辞苍’迟 co-mingle data and control instructions in a single entity.
• 顿辞苍’迟 use APIs prone to injection such as XSS, SQL injection, and shell injection.
• 顿辞苍’迟 use (eval).

5. Define an approach that ensures all data are explicitly validated.

• Do ensure that comprehensive data validation actually takes place.
• Do use whitelisting.
• Do use a centralized validation mechanism and canonical data forms.
• Do make security review of the validation scheme possible.
• 顿辞苍’迟 make assumptions about data.
• 顿辞苍’迟 use blacklisting.
• 顿辞苍’迟 use strings.

6. Use cryptography correctly.

• Do use standard algorithms and libraries.
• Do centralize and reuse.
• Do design for crypto agility.
• Do get help from real experts.
• 顿辞苍’迟 roll your own crypto. It’s too hard to get it right.
• 顿辞苍’迟 ignore key management issues.
• 顿辞苍’迟 implement nonrandom “randomness.”

7. Identify sensitive data and how they should be handled.

• Do know where your sensitive data are.
• Do classify your data into categories.
• Do consider data controls such as file, memory, and database protection.
• Do plan for change over time.
• 顿辞苍’迟 forget that data sensitivity is often context-sensitive.
• 顿辞苍’迟 mistake confidentiality for data protection.
• 顿辞苍’迟 ignore trust boundaries.

8. Always consider the users.

• Do think about deployment, configuration, use, and updates.
• Do know that security is an emergent property of the system.
• Do consider user culture, experience, biases, etc.
• Do make things secure by default.
• 顿辞苍’迟 treat security as a feature.
• 顿辞苍’迟 impose too much security.
• 顿辞苍’迟 assume users care about security.
• 顿辞苍’迟 let users make security decisions.

9. Understand how integrating external components changes your attack surface.

• Do test your components for security.
• Do include external components and dependencies in review.
• Do isolate components.
• Do keep an eye out for public security information about components.
• 顿辞苍’迟 forget that composition is dangerous.
• 顿辞苍’迟 underestimate the amount of security risk that can be inherited.
• 顿辞苍’迟 assume open source is secure.
• 顿辞苍’迟 trust until you have applied and reviewed controls.