Thursday, February 9, 2017

Top 10 Design Flaws in the Software/Applications

Application/Software carries many vulnerabilities, weaknesses and issues at their source code and deployment layer. OWASP Top 10 defines top 10 vulnerabilities/issues for web applications but those are subset of some underlying design issues.  Also, some of the vulnerabilities arising from these design issues are not covered by top 10 or other standards. Recently “IEEE Center for Security Design” came up with interesting paper where they have lined up top 10 design issues.

You can read it over here - https://www.computer.org/cms/CYBSI/docs/Top-10-Flaws.pdf

Here is the higher level view of 10 design issues -

1. Earn or give, but never assume, trust.
2. Use an authentication mechanism that cannot be bypassed or tampered with.
3. Authorize after you authenticate.
4. Strictly separate data and control instructions, and never process control instructions received from un-trusted sources.
5. Define an approach that ensures all data are explicitly validated.
6. Use cryptography correctly.
7. Identify sensitive data and how it should be handled.
8. Always consider the users.
9. Understand how integrating external components changes your attack surface.
10. Be flexible when considering future changes to objects and actors.

It is imperative to thoroughly analyze application from proper pen-testing or manual review which helps in identifying many of the above issues. Advanced issues and technologies are complex in nature and it is not possible for automated scanning be it DAST, SAST or IAST to discover some of these critical issues. Blind trust on Artificial Intelligence (automated engines) may lead to sense of security but these design controls and vulnerabilities arising from it needs human intelligence for meaningful discovery.