How Secure Is Your Software Design?


Software security is a serious issue today and must be taken seriously by programmers. The question is how seriously we take it, especially in our part of the world, where we are gradually making a name for ourselves in software design. Google is just getting to recognize and identify with our IT industry, which is growing rapidly. If we don’t want to die out before we ever get on our feet, then we must start well and start strong, and software security is one of those issues that must be taken seriously, especially in web design and web-based programming, where your software can be accessed by anyone from anywhere.

 

To help in this area, the Common Weakness Enumeration (CWE), a community-developed collection of software weaknesses, is an awesome place to start. Its documentation is open source and prepared by experts in the industry. CWE is sponsored by the cyber security division of the U.S. Department of Homeland Security.

 

They cover software weaknesses by category, platform (JAVA, C, WEB) and others, which are updated regularly. The documentation lists errors, how they can be capitalized upon by hackers to jeopardize the integrity of the software, and most importantly steps to take to avoid them.

 

The latest version of the document, released on 1st June 2011, can be found here. Some of the errors listed in the document are highlighted below.

CWE-5: J2EE Misconfiguration: Data Transmission Without Encryption

Summary

Information sent over a network can be compromised while in transit. An attacker may be able to read/modify the contents if the data are sent in plaintext or are weakly encrypted.

Potential Mitigations

The application configuration should ensure that SSL or an encryption mechanism of equivalent strength and vetted reputation is used for all access-controlled pages.

 

 

CWE-6: J2EE Misconfiguration: Insufficient Session-ID Length:

Summary

The J2EE application is configured to use an insufficient session ID length.

Extended Description

If an attacker can guess or steal a session ID, then he/she may be able to take over the user’s session (called session hijacking). The number of possible session IDs increases with increased session ID length, making it more difficult to guess or steal a session ID.

Potential Mitigations

Session identifiers should be at least 128 bits long to prevent brute-force session guessing. A shorter session identifier leaves the application open to brute-force session guessing attacks.

 

CWE-7: J2EE Misconfiguration: Missing Custom Error Page

Summary

The default error page of a web application should not display sensitive information about the software system.

Extended Description

A Web application must define a default error page for 4xx errors (e.g. 404), 5xx (e.g. 500) errors and catch java.lang.Throwable exceptions to prevent attackers from mining information from the application container’s built-in error response.

Potential Mitigations

Handle exceptions appropriately in source code.

Always define appropriate error pages.

Do not attempt to process an error or attempt to mask it.

Verify return values are correct and do not supply sensitive information about the system.
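
The CWE-5 and CWE-7 mitigations above both live in the application's deployment descriptor. The following web.xml is an added example, not taken from the CWE document: the URL pattern, role name, realm name and error page paths are assumed names, and a Servlet 3.0 container is assumed.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
         version="3.0">

  <!-- CWE-5: require an encrypted transport for the access-controlled area.
       /account/* and the role "user" are assumed names. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account pages</web-resource-name>
      <url-pattern>/account/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Weak setting: NONE, or no user-data-constraint at all, lets the
           container serve these pages over plain HTTP. CONFIDENTIAL makes
           the container refuse or redirect non-TLS requests. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>example-realm</realm-name>
  </login-config>
  <security-role>
    <role-name>user</role-name>
  </security-role>

  <!-- CWE-7: replace the container's built-in error responses, which can
       include stack traces and version details, with static pages. -->
  <error-page>
    <error-code>404</error-code>
    <location>/errors/not-found.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/errors/server-error.html</location>
  </error-page>
  <!-- Catch-all for any uncaught exception, as the CWE entry requires. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/errors/server-error.html</location>
  </error-page>
</web-app>
```

The error pages themselves should be static and must not echo exception messages or request data back to the client.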

 

Other issues include:

CWE-18: Source Code

CWE-20: Improper Input Validation

CWE-21: Pathname Traversal and Equivalence Errors

Total of 863 issues

 

The document also contains a Dictionary of issues based on platform (CWE-2000).

 

Another helpful document on the website is a list of the top 25 software errors, which I think is a good place to start.

 

To all programmers in the house, let’s strive for excellent and secure software design.

 
