Data collection on security flaws caused by design errors

Abstract

Producing secure software is extremely hard to do right. The number of security flaws and vulnerabilities discovered in software each day is increasing at high speed. According to the National Vulnerability Database the number of vulnerabilities discovered in 2005 was 4859, more than twice the number of vulnerabilities discovered the year before. One way to classify vulnerabilities is to classify them after when in the development phase they are introduced. Other phases like analysis (requirements), testing, or maintenance phase are also sometimes used. This thesis is a study of security related flaws with origin in the design phase. Such flaws are rooted in the design of the software, and exist even if the programmer implements the design perfectly making no mistakes in the programming. Security related design flaws are a lot about how security mechanisms like authentication, authorization and encryption are used and implemented, or how error handling is performed. Typical examples of design flaws include weak encryption, missing or insufficient access control.