Program's Design Is No. 1 Cause for Flaws

Written By
Dennis Fisher
Feb 19, 2002

SAN JOSE, Calif.–The vast majority of software vulnerabilities are caused by flaws in the program's design and could be prevented easily with better coding and quality-control procedures, according to new research released Tuesday by a security consulting firm.

The research, conducted by @stake Inc., of Cambridge, Mass., also shows that 47 percent of those vulnerabilities are easily exploitable by attacks that could cause significant damage to a vulnerable corporate network.

The company analyzed 45 e-business applications and found that the most secure of them had several things in common: a design focus on user authentication and authorization; mistrust of user input; end-to-end session encryption; and security quality assurance, among other things.

But the main differentiator between the more secure applications and the weaker ones is a pervasive security effort throughout the development process, said Dan Geer, chief technology officer of @stake.

“Most of the problems are in the software design,” Geer said. “Design flaws are so pervasive. These applications are vulnerable to hostile input from things like buffer overflow attacks. If you as a developer don't anticipate that, what's wrong with you?”

The new research report, titled “The Security of Applications: Not All Created Equal,” is based on data drawn from @stake's consulting engagements with hundreds of customers.

Geer added that he believes the application layer is the next frontier for attackers, and by extension, security administrators.

“The network [security] guys have done about all they can do with firewalls, IDS, anti-virus and that stuff,” Geer said. “Application security is the next arena because if I can do something to you by making your applications do it for me, that's a lot cheaper and easier than attacking your crypto or something like that.”

What's needed now is an industrywide focus on preventing security vulnerabilities by improving coding and software design practices, he said.

“Wouldn't you rather have a process that stamps out problems in the design phase rather than a patch system?” Geer said.
