Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
10 Common Software Security Design Flaws
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/28/2014 | 3:51:35 PM
Re: Secure Software Design
Great perspective, @GonzSTL. The go-to-market/release pressures are the biggest issue with much of app development, for sure. But you raise another good point about a lack of oversight and enforcement of good secure coding practices.
GonzSTL
50%
50%
GonzSTL,
User Rank: Ninja
8/28/2014 | 2:22:29 PM
Secure Software Design
I received my CompSci degree quite a while back, and even then, the practice of input validation and communication comparmentalization was stressed in all my programming classes. My involvement in IT throughout the years encompasses software development, network architecture, server infrastructure, storage architecture, desktop standardization, virtualization, etc., so I can pretty much see things from a broad picture as well as from individual areas. In all those IT domains, the vast majority of exploits come from software design security flaws, and secondly, improper configurations.

What I believe is that there is tremendous pressure to deliver applications and technology, and sometimes that leads to shortcuts or bypassing certain aspects of development. If security considerations are part of the whole development process, and rigidly enforced from inception to delivery, then perhaps we would see a dramatic drop in exploitable software flaws. The question is, why are the shortcuts and bypasses allowed, and who allows them? Improper oversight seems to be the culprit, either due to lacck of knowledge or understanding, or faulty risk management in the development process. Simply stated, security considerations should be enforced from beginning to end.
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
8/28/2014 | 11:35:27 AM
Re: Nah
Good point about the Mitre, OWASP and other models. What I thought was particularly interseting with the IEEE report was that the recommendations come from real-world design flaws the participants themselves experienced -- Twitter, Google, etc. 
Robert McDougal
50%
50%
Robert McDougal,
User Rank: Ninja
8/28/2014 | 11:18:44 AM
Re: Nah
I must disagree with your assessment wholeheartedly. I can tell you from direct experience that secure coding practices are not taught in our colleges currently. What that leads to is developers who don't understand the importance of using stored procedures and prepared statements. This in turn leads to applications which have easily preventable vulnerabilities.


Secure coding will not fix all vulnerabilities but if done correctly it will prevent known vulnerabilities such as SQL injection or XSS from making its way into future applications.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/28/2014 | 9:34:21 AM
Re: Nah> "little value can come from this conversation"
Well said,  @Stratustician. Narrowing down the field of code vulnerabiliies is definitely a valuable endeavor. 
Stratustician
50%
50%
Stratustician,
User Rank: Moderator
8/28/2014 | 9:25:10 AM
Re: Nah> "little value can come from this conversation"
I think there is definitely some value with really reminding folks that security is closely tied to application development.  While yes, many flaws will come up as part of a security attack, if you have strong code at the onset, especially if groups like these industry folks are able to start to identify "here are where we are seeing code vulnerabilities", it will hopefully lead to better code overall for these applications and reduce the risks.  You can't eliminate every potential threat, but at least you've narrowed the attack field by closing known vulnerabilities.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
8/28/2014 | 8:16:02 AM
Re: Nah> "little value can come from this conversation"
@anon9106759839 -- Are you saying that there is no significant relationship between security and appdev? Or that the conversation will not lead to a viable solution. 
anon9106759839
50%
50%
anon9106759839,
User Rank: Apprentice
8/27/2014 | 6:51:54 PM
Nah
Big names, but little value can come from this conversation.

Application security problems stem from attacks. MITRE CAPEC describes the underlying model for attacks, while PTES, OSSTMMv4, and OWASP guides such as the Testing Guide and ASVS 2.0 standards cover the open methods.

There are also models (CWE) and methods (OWASP Dev Guide, SAFEcode, Microsoft SDL, etc) for building secure software, but this is where security and appdev activities are split.

On Twitter, someone important today said, "a design flaw is a property of the design that allows an attacker to violate one of your security objectives".
<<   <   Page 2 / 2


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/9/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Mobile App Fraud Jumped in Q1 as Attackers Pivot from Browsers
Jai Vijayan, Contributing Writer,  7/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15105
PUBLISHED: 2020-07-10
Django Two-Factor Authentication before 1.12, stores the user's password in clear text in the user session (base64-encoded). The password is stored in the session when the user submits their username and password, and is removed once they complete authentication by entering a two-factor authenticati...
CVE-2020-11061
PUBLISHED: 2020-07-10
In Bareos Director less than or equal to 16.2.10, 17.2.9, 18.2.8, and 19.2.7, a heap overflow allows a malicious client to corrupt the director's memory via oversized digest strings sent during initialization of a verify job. Disabling verify jobs mitigates the problem. This issue is also patched in...
CVE-2020-4042
PUBLISHED: 2020-07-10
Bareos before version 19.2.8 and earlier allows a malicious client to communicate with the director without knowledge of the shared secret if the director allows client initiated connection and connects to the client itself. The malicious client can replay the Bareos director's cram-md5 challenge to...
CVE-2020-11081
PUBLISHED: 2020-07-10
osquery before version 4.4.0 enables a priviledge escalation vulnerability. If a Window system is configured with a PATH that contains a user-writable directory then a local user may write a zlib1.dll DLL, which osquery will attempt to load. Since osquery runs with elevated privileges this enables l...
CVE-2020-6114
PUBLISHED: 2020-07-10
An exploitable SQL injection vulnerability exists in the Admin Reports functionality of Glacies IceHRM v26.6.0.OS (Commit bb274de1751ffb9d09482fd2538f9950a94c510a) . A specially crafted HTTP request can cause SQL injection. An attacker can make an authenticated HTTP request to trigger this vulnerabi...