There are two basic kinds of problems in the realm of software security, Gary McGraw, CTO of Cigital Inc., recently said. "As a discipline, software security or application security has tended to focus on fixing bugs." And bugs -- things like cross-site scripting and buffer overwrites -- are half of the problem. The other half, however, is about design flaws, said McGraw, who is a top expert in the field of secure coding. Software development design flaws "aren't issues that are in the code -- in the sense that they're not on line 47 -- but they're about the way the code itself is designed, or the way the framework is designed."
In this interview, recorded at the 2015 RSA Conference, SearchSecurity editorial director Robert Richardson sat down with McGraw to discuss design flaws, how to avoid them, and the role the IEEE Center for Secure Design might play in reducing architectural flaws in future software.
Examples of software development design flaws include things like forgetting to authenticate the user -- an error of omission you won't find by looking at the code -- or a client-server transaction that doesn't protect itself from man-in-the-middle attacks. "These are design-level concerns," McGraw said, "that have to do with data flow, that have to do with components and the way that they talk to each other, that have to do with trust boundaries and authorization versus authentication.
"What we found out [at a meeting of the IEEE group] was that everybody has the same sorts of flaws." What this means, McGraw argued, was that companies could see where those categories of flaws applied to their organizations, and could then tailor their practices to make it harder to make those mistakes.
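To make the "error of omission" concrete, here is an added example (not code from the interview, from McGraw or from Cigital) of a small account-lookup handler written two ways. The session table, the account records and the handler names are constructed for illustration. The flawed version contains no incorrect line; what is wrong is what is missing. The corrected version shows the structural fix the quote alludes to: a separate authentication step (who is calling?) and authorization step (is this caller allowed to do this?), which is why the two failures get different responses.

```python
"""Added example: a design-level omission beside its corrected design.
All data and handlers here are constructed for illustration."""
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: bearer token -> user id, and per-user account records.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {"alice": {"balance": 120}, "bob": {"balance": 45}}


@dataclass
class Request:
    path_user: str                 # user id taken from the URL, e.g. /accounts/<path_user>
    session_token: Optional[str]   # bearer token from the request, if any


@dataclass
class Response:
    status: int
    body: dict


# --- Flawed design ---------------------------------------------------------
# Every line below is fine on its own; the flaw is that no line establishes
# who the caller is, so any caller can read any account. A line-by-line
# review finds nothing to point at.
def flawed_get_account(req: Request) -> Response:
    account = ACCOUNTS.get(req.path_user)
    if account is None:
        return Response(404, {"error": "no such account"})
    return Response(200, account)


# --- Corrected design ------------------------------------------------------
# The fix is structural: the handler passes through an authentication step
# and then an authorization step before it touches any data.
def authenticate(req: Request) -> Optional[str]:
    """Map a bearer token to a user id; None means unauthenticated."""
    if req.session_token is None:
        return None
    return SESSIONS.get(req.session_token)


def authorize(caller: str, path_user: str) -> bool:
    """Policy (constructed): a user may read only their own account."""
    return caller == path_user


def get_account(req: Request) -> Response:
    caller = authenticate(req)
    if caller is None:
        # Unauthenticated: we do not know who is asking.
        return Response(401, {"error": "authentication required"})
    if not authorize(caller, req.path_user):
        # Authenticated but not permitted: a distinct failure from 401.
        # Checking policy before the lookup also avoids revealing whether
        # someone else's account exists.
        return Response(403, {"error": "forbidden"})
    account = ACCOUNTS.get(req.path_user)
    if account is None:
        return Response(404, {"error": "no such account"})
    return Response(200, account)


if __name__ == "__main__":
    anonymous = Request("alice", None)
    print("flawed:", flawed_get_account(anonymous))              # leaks alice's balance
    print("fixed: ", get_account(anonymous))                     # 401
    print("fixed: ", get_account(Request("alice", "tok-bob")))   # 403
    print("fixed: ", get_account(Request("alice", "tok-alice"))) # 200
```

The point of keeping `authenticate` and `authorize` as separate functions that every handler must call is that the property "no data is served to an unidentified or unpermitted caller" becomes a property of the framework rather than of each handler's line 47.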
"The problem won't be solved if we just get rid of bugs," McGraw said. "There are some vendors who claim that if you look for 10 bugs and you don't find them, your system is safe … but that's silly. We want to elevate the conversation and make sure we don't have a myopic focus on hunting for bugs."