Data collection on security flaws caused by design errors
Abstract
Producing secure software is extremely hard to do right. The number of security flaws
and vulnerabilities discovered in software each day is increasing rapidly. According
to the National Vulnerability Database the number of vulnerabilities discovered in 2005
was 4859, more than twice the number of vulnerabilities discovered the year before.
One way to classify vulnerabilities is by the development phase in which they are
introduced. Other phases, such as analysis (requirements), testing, or maintenance, are also
sometimes used for this classification.
This thesis is a study of security related flaws that originate in the design phase. Such
flaws are rooted in the design of the software and exist even if the programmer implements
the design perfectly, making no mistakes in the programming. Security related
design flaws largely concern how security mechanisms like authentication, authorization
and encryption are used and combined, and how error handling is performed. Typical
examples of design flaws include weak encryption and missing or insufficient access control.
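The following added example (not from the thesis) illustrates the distinction the abstract draws between a design flaw and an implementation mistake, using the "missing access control" case. Both record handlers are implemented exactly as their specification demands; the first specification simply never called for an ownership check, so the flaw survives a perfect implementation. The users, passwords, record ids and function names are constructed for the example.

```python
"""Design-level flaw versus implementation: missing access control.

Constructed example. The v1 handler faithfully implements a design that
authenticates the caller but never authorizes the request; the v2 handler
implements a revised design that adds an explicit authorization step.
"""
from typing import Callable, Optional

# Constructed sample data: two users, each owning one record.
RECORDS = {
    101: {"owner": "alice", "body": "alice's note"},
    102: {"owner": "bob", "body": "bob's note"},
}
USERS = {"alice": "pw-alice", "bob": "pw-bob"}  # constructed credentials


class AccessDenied(Exception):
    """Raised for both failed authentication and failed authorization."""


def authenticate(username: str, password: str) -> Optional[str]:
    """Return the username if the credentials match, else None (constructed check)."""
    return username if USERS.get(username) == password else None


def get_record_v1(user: str, password: str, record_id: int) -> str:
    """Flawed design: authenticate the caller, then return any record by id.

    The code is a correct implementation of its specification; the specification
    itself is what is missing the ownership (authorization) requirement.
    """
    caller = authenticate(user, password)
    if caller is None:
        raise AccessDenied("bad credentials")
    return RECORDS[record_id]["body"]


def get_record_v2(user: str, password: str, record_id: int) -> str:
    """Revised design: authentication followed by an explicit authorization check."""
    caller = authenticate(user, password)
    if caller is None:
        raise AccessDenied("bad credentials")
    record = RECORDS.get(record_id)
    # Deny uniformly: a missing record and a foreign record produce the same error,
    # so the handler does not leak which ids exist (consistent error handling).
    if record is None or record["owner"] != caller:
        raise AccessDenied("not authorized")
    return record["body"]


def can_read_others_record(handler: Callable[[str, str, int], str]) -> bool:
    """Design-review check: can bob, with valid credentials, read alice's record?"""
    try:
        handler("bob", "pw-bob", 101)
        return True
    except AccessDenied:
        return False


if __name__ == "__main__":
    print("v1 leaks foreign records:", can_read_others_record(get_record_v1))  # True
    print("v2 leaks foreign records:", can_read_others_record(get_record_v2))  # False
```

The `can_read_others_record` check is the kind of test a design review can write before any code exists: it encodes the authorization requirement the original design omitted, and it passes only once that requirement is part of the design.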