This paper presents a list of suggestions on how to avoid the most common pitfalls that make software less secure or less safe than it should be. It is addressed to software developers and covers the phases of software design, implementation, and testing. It focuses on network application programs, but many of the suggestions are equally valid for other kinds of software.
Download the document (MS Word)
Table of Contents
Introduction
Design
- Design with security and safety in mind
- Design for quality
- Use formal methods and languages
- Limit software complexity
- Ensure that all the operations (both normal and exceptional) in your application are safe and secure
- Use only well-known cryptographic algorithms
- Don't assume that you can increase security by keeping the source code of your algorithms hidden
- Don't rely on the users of your application to select the appropriate (more secure) security settings
- Verify exchanged digital certificates and involve the user as much as possible in this process
- Limit the internal data redundancy and manage the existing redundancy
Implementation
- Ensure that the program doesn't try to read or write data outside an allocated memory block (buffer overflow)
- Ensure that all resource allocation errors are detected and handled
- Ensure that the program's stack never overflows
- Check boundary conditions
- Use tools for checking the correctness of the program's code
- Limit use of privileged modes during program execution
- When processing an input message, check that the message can be safely decoded and that its contents are valid
- When processing an input message, limit the resources (memory, disk space, CPU time) used for the message
- Make generous use of assertions in your code
- Use restrictive language features extensively
- Compile with the highest warning level
Testing
- Use system-stress simulation techniques during program testing
- Use a multiprocessor computer during program testing
- Ensure that the entire program code is executed during program testing
Resources
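Several of the implementation items above (no reads or writes outside an allocated block, boundary conditions, safe decoding of input messages with valid contents, bounded resource use per message, generous assertions) come together in one place: the code that turns bytes from the network into a structure. The following C example is added here and is not part of the ITU-T paper. It defines a constructed length-prefixed record format and decodes it twice, once trusting the length fields the way an unchecked decoder would, and once checking every field before it is used. The wire format, the limits MAX_RECORDS and MAX_PAYLOAD, the status codes and the sample messages are all assumptions made for this example.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption for this example):
 *   uint8_t count;                                   number of records
 *   count times: uint8_t type; uint8_t len; uint8_t payload[len];
 * A decoder must hold at most MAX_RECORDS records of MAX_PAYLOAD bytes. */
#define MAX_RECORDS 4
#define MAX_PAYLOAD 16

typedef struct { uint8_t type; uint8_t len; uint8_t payload[MAX_PAYLOAD]; } record_t;
typedef struct { size_t count; record_t rec[MAX_RECORDS]; } message_t;

enum { DECODE_OK = 0, DECODE_TRUNCATED, DECODE_TOO_MANY, DECODE_TOO_LONG, DECODE_BAD_TYPE };

/* Unchecked decoder: every pitfall the guideline warns about, shown for contrast.
 * It trusts count and len from the message, so a hostile message makes it write
 * past rec[] and payload[] and read past buf. Never call it on untrusted input. */
int decode_unchecked(const uint8_t *buf, size_t n, message_t *out) {
    (void)n;                                   /* input length is never consulted */
    size_t pos = 0;
    out->count = buf[pos++];                   /* count > MAX_RECORDS overruns rec[] */
    for (size_t i = 0; i < out->count; i++) {
        out->rec[i].type = buf[pos++];
        out->rec[i].len = buf[pos++];
        memcpy(out->rec[i].payload, buf + pos, out->rec[i].len); /* len > MAX_PAYLOAD overruns */
        pos += out->rec[i].len;
    }
    return DECODE_OK;
}

/* Checked decoder: each field is validated against the remaining input and the
 * fixed-size destination before it is read or written. */
int decode_checked(const uint8_t *buf, size_t n, message_t *out) {
    size_t pos = 0;
    memset(out, 0, sizeof *out);
    if (n < 1) return DECODE_TRUNCATED;
    size_t count = buf[pos++];
    if (count > MAX_RECORDS) return DECODE_TOO_MANY;     /* memory use is bounded by us, not the sender */
    for (size_t i = 0; i < count; i++) {
        if (n - pos < 2) return DECODE_TRUNCATED;        /* boundary: is the record header present? */
        uint8_t type = buf[pos++];
        uint8_t len = buf[pos++];
        if (type == 0) return DECODE_BAD_TYPE;           /* content validity (constructed rule: type 0 is reserved) */
        if (len > MAX_PAYLOAD) return DECODE_TOO_LONG;   /* never write beyond payload[] */
        if (n - pos < len) return DECODE_TRUNCATED;      /* never read beyond buf */
        out->rec[i].type = type;
        out->rec[i].len = len;
        memcpy(out->rec[i].payload, buf + pos, len);
        pos += len;
        out->count = i + 1;
    }
    assert(pos <= n);                                    /* invariant: the cursor never passes the end of input */
    return DECODE_OK;
}

/* Constructed sample messages (not from the paper). */
static const uint8_t GOOD_MSG[]      = { 2, 1, 3, 'a', 'b', 'c', 2, 1, 'z' };
static const uint8_t OVERLONG_MSG[]  = { 1, 1, 200 };      /* claims a 200-byte payload in a 3-byte message */
static const uint8_t TRUNCATED_MSG[] = { 1, 1, 5, 'a' };   /* claims 5 payload bytes, carries 1 */
static const uint8_t TOO_MANY_MSG[]  = { 255 };            /* claims 255 records */

/* Small wrappers so results can be checked without touching message_t directly. */
int checked_status(const uint8_t *buf, size_t n) { message_t m; return decode_checked(buf, n, &m); }
size_t checked_count(const uint8_t *buf, size_t n) { message_t m; decode_checked(buf, n, &m); return m.count; }
int checked_payload_byte(const uint8_t *buf, size_t n, size_t rec, size_t i) {
    message_t m;
    if (decode_checked(buf, n, &m) != DECODE_OK || rec >= m.count || i >= m.rec[rec].len) return -1;
    return m.rec[rec].payload[i];
}

int main(void) {
    static const char *names[] = { "ok", "truncated", "too many records", "payload too long", "bad type" };
    printf("good:      %s (%zu records)\n", names[checked_status(GOOD_MSG, sizeof GOOD_MSG)], checked_count(GOOD_MSG, sizeof GOOD_MSG));
    printf("overlong:  %s\n", names[checked_status(OVERLONG_MSG, sizeof OVERLONG_MSG)]);
    printf("truncated: %s\n", names[checked_status(TRUNCATED_MSG, sizeof TRUNCATED_MSG)]);
    printf("too many:  %s\n", names[checked_status(TOO_MANY_MSG, sizeof TOO_MANY_MSG)]);
    return 0;
}
```

The checked decoder rejects the three hostile messages with a status code instead of overrunning a buffer, and the assertion at the end documents the invariant that every branch was written to preserve; compiling with the highest warning level and running the hostile inputs under a bounds checker are the cheap tests that would catch a missing check here.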