Google, Twitter and HP take the fight to the world’s top security flaws

Google, Twitter and HP are among 12 organisations that have formed a new group that aims to get to the bottom of the most critical security design flaws in modern software.

Related: Security flaws could give hackers control of power plants and oil rigs

The IEEE Centre for Secure Design [CSD] celebrated its launch by releasing a report entitled “Avoiding the Top 10 Software Security Design Flaws” that is based on data collected and analysed by the group of experts that have been assembled.

“The Center for Secure Design will play a key role in refocusing software security on some of the most challenging open design problems in security,” said Neil Daswani of the security engineering team at Twitter. “By putting focus on security design and not just focusing on implementation bugs in code, the CSD does even the most advanced companies in the space a huge service.”

IEEE CSD’s report is at pains to point out the fundamental difference between flaws and bugs, and that it is going further than simply eliminating bugs by solving problems in security design to target flaws.

“Bugs and flaws are two very different types of security defects,” said Gary McGraw, chief technology officer at Cigital. “We believe there has been quite a bit more focus on common bugs than there has been on secure design and the avoidance of flaws, which is worrying since design flaws account for 50 per cent of software security issues. The IEEE Center for Secure Design allows us a chance to refocus, to gather real data, and to share our results with the world at large.”

Personnel from the 12 different members have already taken part in a foundation workshop and it produced a list of 10 recommendations to help developers avoid the top security design flaws. These are:

  • Earn or give, but never assume, trust
  • Use an authentication mechanism that cannot be bypassed or tampered with
  • Authorize after you authenticate
  • Strictly separate data and control instructions, and never process control instructions received from untrusted sources
  • Define an approach that ensures all data are explicitly validated
  • Use cryptography correctly
  • Identify sensitive data and how they should be handled
  • Always consider the users
  • Understand how integrating external components changes your attack surface
  • Be flexible when considering future changes to objects and actors

The 12 founding members of the IEEE CSD are Athens University of Economics and Business, Cigital, EMC, George Washington University, Google, Harvard University, HP, Intel/McAfee, RSA, Sadosky Foundation, Ministry of Science, Technology and Productive Innovation of Argentina, Twitter, and the University of Washington.