
McGraw: IEEE helps find software development design flaws

There are two basic kinds of problems in the realm of software security, Gary McGraw, CTO of Cigital Inc., recently said. "As a discipline, software security or application security has tended to focus on fixing bugs." And bugs -- things like cross-site scripting and buffer overwrites -- are half of the problem. The other half, however, is about design flaws, said McGraw, who is a top expert in the field of secure coding. Software development design flaws "aren't issues that are in the code -- in the sense that they're not on line 47 -- but they're about the way the code itself is designed, or the way the framework is designed."

In this interview, recorded at the 2015 RSA Conference, SearchSecurity editorial director Robert Richardson sat down with McGraw to discuss design flaws, how to avoid them, and the role the IEEE Center for Secure Design might play in reducing architectural flaws in future software.

Examples of software development design flaws include things like forgetting to authenticate the user -- an error of omission you won't find by looking at the code -- or a client-server transaction that doesn't protect itself from man-in-the-middle attacks. "These are design-level concerns," McGraw said, "that have to do with data flow, that have to do with components and the way that they talk to each other, that have to do with trust boundaries and authorization versus authentication.

"What we found out [at a meeting of the IEEE group] was that everybody has the same sorts of flaws." What this means, McGraw argued, was that companies could see where those categories of flaws applied to their organizations, and could then tailor their practices to make it harder to make those mistakes.
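The "forgot to authenticate the user" flaw above is an error of omission: nothing on any single line of the handler is wrong, so code review finds nothing. The following is an added illustration, not code from the interview or from the IEEE Center for Secure Design; `Request`, `PermissiveRouter` and `DenyByDefaultRouter` are hypothetical names. It contrasts a design where every handler must remember to check authentication with one where the trust boundary (the router) enforces it by default and public routes must opt out explicitly.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set

@dataclass
class Request:
    path: str
    user: Optional[str] = None  # None models an unauthenticated caller

class PermissiveRouter:
    """Design A: each handler is responsible for its own auth check.
    Forgetting the check is silent: the code still looks correct."""
    def __init__(self) -> None:
        self.routes: Dict[str, Callable[[Request], str]] = {}

    def route(self, path: str, public: bool = False):
        def register(fn):
            self.routes[path] = fn
            return fn
        return register

    def dispatch(self, req: Request) -> str:
        return self.routes[req.path](req)

class DenyByDefaultRouter(PermissiveRouter):
    """Design B: authentication enforced at the trust boundary.
    Only routes explicitly marked public are reachable anonymously."""
    def __init__(self) -> None:
        super().__init__()
        self.public: Set[str] = set()

    def route(self, path: str, public: bool = False):
        if public:
            self.public.add(path)
        return super().route(path)

    def dispatch(self, req: Request) -> str:
        if req.path not in self.public and req.user is None:
            return "401 Unauthorized"  # the omission now fails closed
        return super().dispatch(req)

def build_app(router_cls):
    """Same handler code under both designs; only the framework differs."""
    app = router_cls()

    @app.route("/export")          # developer forgot the auth check here
    def export(req: Request) -> str:
        return f"report for {req.user}"

    @app.route("/health", public=True)
    def health(req: Request) -> str:
        return "ok"
    return app
```

Under design A an anonymous request to `/export` is served; under design B the identical handler yields `401 Unauthorized`, which is the sort of "make it harder to make those mistakes" change McGraw describes.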

"The problem won't be solved if we just get rid of bugs," McGraw said. "There are some vendors who claim that if you look for 10 bugs and you don't find them, your system is safe … but that's silly. We want to elevate the conversation and make sure we don't have a myopic focus on hunting for bugs."

How should organizations that develop their own software combat software development design flaws?
He's so right about design flaws, and it isn't even just about the design of the code's architecture; it should include considering network concerns and reducing vectors for attack.