The 25 Most Dangerous Software Errors of 2011

Posted on 07/06/2011 in Testing Trends, uTest Stuff by Mike Brown

Every year, the fine folks over at Common Weakness Enumeration (CWE) team up with the SANS Institute, MITRE and other experts to publish a list of the 25 most dangerous software errors. The best thing about the list (aside from the fact that it’s free) is that it offers something for everyone, including developers, project managers, customers, and yes, even software testers.

You would be wise to read the report in its entirety, but I wanted to highlight a few key points and give you a preview of the errors that made this year’s list. To start, here’s an important excerpt written for the software customer (i.e. end user):

Recognize that market pressures often drive vendors to provide software that is rich in features, and security may not be a serious consideration. As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you. For the software products that you use, pay close attention to publicly reported vulnerabilities in those products. See if they reflect any of the associated weaknesses on the Top 25 (or your own custom list), and if so, contact your vendor to determine what processes the vendor is undertaking to minimize the risk that these weaknesses will continue to be introduced into the code.

Of course, software testers play a key role in minimizing this risk – a point that is certainly not lost on publishers of this report, who have included dozens of technical links and tips for testers who want to find such errors.

So what are the worst software errors of 2011? Glad you asked. Here are the top ten (after the jump)

  1. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  2. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  3. Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  4. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  5. Missing Authentication for Critical Function
  6. Missing Authorization
  7. Use of Hard-coded Credentials
  8. Missing Encryption of Sensitive Data
  9. Unrestricted Upload of File with Dangerous Type
  10. Reliance on Untrusted Inputs in a Security Decision

After reading the entire list, do think you think any of the errors have been overstated, understated or missed completely? As always, your thoughts and feedback and welcomed in the comments section.

4 Responses to “The 25 Most Dangerous Software Errors of 2011”

  1. Chris K said:

    There’s a lot of really good information for software testers. For example you can look at Technical Details and Examples of the exploits and then figure out how to incorporate these into your test cases.

    Posted on 07/06/2011 at 2:34 pm
  2. MIke said:

    Agreed Chris…it’s like a cheat sheet for software testers. If nothing else, it should spark some new ideas on where to focus.

    Posted on 07/06/2011 at 3:57 pm
  3. Howard Rubin said:

    #9, Unrestricted Upload of File with Dangerous Type, I have been seeing this allot in the software I’ve been testing… it’s now first on my list to test.

    Posted on 07/06/2011 at 8:13 pm
  4. Tahmeed said:

    # 9 is really something which never came to my mind…..feel like a fool…dis is really an interesting article.

    Posted on 07/11/2011 at 4:07 am

Leave a Reply

Agile Testing with uTest
uTest vs Outcourcing
uTest - Trulia Report
uTest - Web App Testing