Note: This page is part of the us-cert.gov archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

Note: This page is part of the us-cert.gov archive.

This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

Guidelines Overview

Original release date: June 20, 2013 Author(s): William L. Fithen Maturity Levels and Audience Indicators: L4  / D/P  SDLC Life Cycles: Implementation  Copyright: Copyright © Carnegie Mellon University 2005-2012.

Abstract

All systems have vulnerabilities, either in the technology from which they are constructed or in the behaviors of the people who use them.

Introduction

The Build Security In Guidelines is a taxonomy of mid-level engineering concerns that were derived from the vulnerability database accumulated by the CERT® Coordination Center over its 15-year history. In general, these concerns are less abstract than the Build Security In Principles—which are intended to be enduring top-level concerns—and more abstract than the Build Security In Coding Rules—which are intended to be precise, specific implementation advice.

The Taxonomy

  1. Assume that Human Behavior Will Introduce Vulnerabilities into Your System

  2. Assume that Technology Will Contain Vulnerabilities

    1. Follow the Rules Regarding Concurrency Management

    2. Design Configuration Subsystems Correctly and Distribute Safe Default Configurations

    3. Carefully Study Other Systems Before Incorporating Them into Your System Through Delegation

    4. If Emulation of Another System Is Necessary, Ensure that It Is as Correct and Complete as Possible

    5. Handle All Errors Safely

    6. Validate All Input as Precisely as Possible

      1. Ensure that Input Is Properly Canonicalized

      2. Be Suspicious about Trusting Unauthenticated External Representation of Internal Data Structures

      3. Do Not Use the "%n" Format String Specifier

      4. Treat the Entire Inherited Process Context as Unvalidated Input

      5. Never Use Unvalidated Input as Part of a Directive to any Internal Component

    7. Use All Security Mechanisms Correctly

      1. Use Authentication Mechanisms, Where Appropriate, Correctly

      2. Use Authorization Mechanisms Correctly

      3. Use Well-Known Cryptography Appropriately and Correctly

    8. Do Not Allow Your System to Ever Use or Depend on Language Behaviors that Are "Undefined"

      1. Ensure that the Bounds of No Memory Region Are Violated

      2. Clear Discarded Storage that Contained Secrets and Do Not Read Uninitialized Storage

      3. Do Not Perform Arithmetic with Unvalidated Input

Description

In every phase of a system's development, under particular conditions, features added—or omitted—can introduce security vulnerabilities. To produce a safe and secure system, the competent, security-conscious engineer must

  • learn the meaning of software assurance and be knowledgeable in the practice of supporting techniques,

  • recognize the security implications of all functional requirements,

  • recognize the security implications of missing requirements,

  • recognize emergent behaviors in the system that have security implications,

  • recognize the implications of an evolving deployment environment on the system,

  • translate those implications into additional system requirements,

  • design features to meet those requirements,

  • recognize the security implications of the included and omitted features,

  • add, modify, or remove features accordingly,

  • recognize the security implications of the system's implementation,

  • correct any defects in the implementation,

  • understand how to test the system for compliance with security requirements, and

  • be able to use software assurance techniques to demonstrate the assurance attributes of the system.

A failure in any of these, and more, can leave the system with security vulnerabilities.

Copyright © Carnegie Mellon University 2005-2012.

This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission.  Permission is required for any other use.  Requests for permission should be directed to the Software Engineering Institute at permission@sei.cmu.edu.

The Build Security In (BSI) portal is sponsored by the U.S. Department of Homeland Security (DHS), National Cyber Security Division. The Software Engineering Institute (SEI) develops and operates BSI. DHS funding supports the publishing of all site content.

NO WARRANTY

THIS MATERIAL OF CARNEGIE MELLON UNIVERSITY AND ITS SOFTWARE ENGINEERING INSTITUTE IS FURNISHED ON AN “AS-IS" BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.