Every year, the fine folks behind the Common Weakness Enumeration (CWE) at MITRE team up with the SANS Institute and other experts to publish a list of the 25 most dangerous software errors. The best thing about the list (aside from the fact that it’s free) is that it offers something for everyone, including developers, project managers, customers, and yes, even software testers.
You would be wise to read the report in its entirety, but I wanted to highlight a few key points and give you a preview of the errors that made this year’s list. To start, here’s an important excerpt written for the software customer (i.e. end user):
Recognize that market pressures often drive vendors to provide software that is rich in features, and security may not be a serious consideration. As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you. For the software products that you use, pay close attention to publicly reported vulnerabilities in those products. See if they reflect any of the associated weaknesses on the Top 25 (or your own custom list), and if so, contact your vendor to determine what processes the vendor is undertaking to minimize the risk that these weaknesses will continue to be introduced into the code.
Of course, software testers play a key role in minimizing this risk – a point that is certainly not lost on publishers of this report, who have included dozens of technical links and tips for testers who want to find such errors.
So what are the worst software errors of 2011? Glad you asked. Here are the top ten, in the order the report ranks them:
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
- CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
- CWE-120: Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
- CWE-79: Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
- CWE-306: Missing Authentication for Critical Function
- CWE-862: Missing Authorization
- CWE-798: Use of Hard-coded Credentials
- CWE-311: Missing Encryption of Sensitive Data
- CWE-434: Unrestricted Upload of File with Dangerous Type
- CWE-807: Reliance on Untrusted Inputs in a Security Decision
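To make the number one entry concrete, here is a small added example written for this post (it is not code from the CWE/SANS report): a login check that splices user input into its SQL text, the same check fixed with a parameterized query, and the single-quote probe a tester would throw at both. The in-memory SQLite table, the user `alice` and her password are all constructed for the demo, and plain SHA-256 stands in for real password hashing only to keep the code short.

```python
"""Added example for this post (not code from the CWE/SANS report): the
top entry, CWE-89 SQL injection, shown as a vulnerable login check next to
its parameterized fix, plus the kind of probe a tester would use.

Everything here is constructed for the demo: the in-memory SQLite table,
the single user record and the password. Plain SHA-256 is used only to keep
the example short; real password storage needs a slow, salted hash.
"""
import hashlib
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute(
        "INSERT INTO users VALUES (?, ?)",
        ("alice", hashlib.sha256(b"correct horse").hexdigest()),
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """CWE-89 as it usually appears: user input spliced into the SQL text.

    The attacker controls part of the statement itself, so a quote in the
    username ends the string literal and the rest is parsed as SQL.
    """
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    query = "SELECT 1 FROM users WHERE username = '%s' AND pw_hash = '%s'" % (
        username,
        pw_hash,
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: a parameterized query. The values travel separately from the
    SQL text, so a quote in the username is just a character in the data."""
    pw_hash = hashlib.sha256(password.encode()).hexdigest()
    row = conn.execute(
        "SELECT 1 FROM users WHERE username = ? AND pw_hash = ?",
        (username, pw_hash),
    ).fetchone()
    return row is not None


def quote_probe_breaks(login, conn: sqlite3.Connection) -> bool:
    """Tester's check: a lone quote in the input should never break the query.

    Returns True if the login function raises a database error on the probe,
    which is the classic first sign that input is being concatenated into SQL.
    """
    try:
        login(conn, "alice'", "x")
    except sqlite3.Error:
        return True
    return False


def demo() -> dict:
    """Run both versions against honest logins and an injection payload."""
    conn = make_db()
    # Constructed attack string: closes the username literal and comments out
    # the password check, so the vulnerable version logs in as alice.
    payload = "alice' --"
    return {
        "vuln_good_creds": login_vulnerable(conn, "alice", "correct horse"),
        "vuln_bad_creds": login_vulnerable(conn, "alice", "wrong"),
        "vuln_injected": login_vulnerable(conn, payload, "anything"),
        "vuln_quote_breaks": quote_probe_breaks(login_vulnerable, conn),
        "safe_good_creds": login_safe(conn, "alice", "correct horse"),
        "safe_bad_creds": login_safe(conn, "alice", "wrong"),
        "safe_injected": login_safe(conn, payload, "anything"),
        "safe_quote_breaks": quote_probe_breaks(login_safe, conn),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:18} {result}")
```

Two things worth noticing when you run it: the vulnerable version accepts `alice' --` with any password because the `--` turns the password comparison into a comment, and it throws a database error on a bare `alice'`, which is exactly the signal a tester looks for before trying a real payload. The parameterized version treats both inputs as usernames that simply do not exist.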
After reading the entire list, do you think any of the errors have been overstated, understated or missed completely? As always, your thoughts and feedback are welcome in the comments section.