Top 25 Most Dangerous Bugs

SANS recently published a list of the 25 most dangerous programming errors.  The list is pretty comprehensive and covers things ranging from not validating input to using insecure cryptographic algorithms.  This list is interesting not because the bugs are common or difficult to test, but rather because each of these bugs can produce catastrophic consequences if left unfixed.

Any software tester should find this list interesting, but one might ask whether it is always important.  Bugs that affect security are clearly relevant to Internet applications, but are they relevant to other things, like games?  The answer is, as always, “it depends.”  However, poor security can be a problem in all kinds of places.  For instance, a bug could allow access to protected media in a game or make it easier to compromise other related applications.

Good testers should always look out for bad security.  Even if the danger is low in one particular product, testers can be very influential in helping developers improve their coding and protect against more serious bugs in other products.
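To make the first item the post mentions concrete (not validating input, which is also what the list's No. 1 entry, failure to preserve Web page structure, comes down to), here is an added example that is not from the original post or from SANS. It contrasts a renderer that pastes user input straight into HTML with an escape-only version and a validate-then-escape version, and it includes the kind of oracle a tester could put on a checklist. The sample inputs, the `render_*` and `audit` names and the name format are all assumptions made for this illustration.

```python
import html
import re

# Constructed sample inputs of the kind a tester might type into a "name" field.
# They are made up for this example and are not from the original post.
SAMPLE_INPUTS = [
    "alice",
    "bob<b>bold</b>",
    'carol" title="x',
    "../../etc/passwd",
]

# The fixed part of the page the renderers produce; the oracle below strips it
# off so only the user-controlled portion is inspected.
TEMPLATE_PREFIX = "<p>Hello, "
TEMPLATE_SUFFIX = "!</p>"


def render_unvalidated(name: str) -> str:
    """'Before' form: the input is pasted straight into the markup."""
    return f"{TEMPLATE_PREFIX}{name}{TEMPLATE_SUFFIX}"


def render_escaped(name: str) -> str:
    """Output encoding only: markup characters become entities, so the page
    structure is preserved whatever the input contains."""
    return f"{TEMPLATE_PREFIX}{html.escape(name, quote=True)}{TEMPLATE_SUFFIX}"


def render_validated(name: str) -> str:
    """Input validation plus output encoding: reject anything outside the
    expected shape (an allow-list, assumed for this example), then escape
    what is rendered anyway."""
    if not re.fullmatch(r"[A-Za-z][A-Za-z0-9_.-]{0,31}", name):
        raise ValueError(
            "name must be 1-32 characters: a letter, then letters, digits, '_', '.' or '-'"
        )
    return f"{TEMPLATE_PREFIX}{html.escape(name, quote=True)}{TEMPLATE_SUFFIX}"


def leaks_markup(rendered: str) -> bool:
    """Tester's oracle: did any raw markup character from the input survive
    into the user-controlled part of the page?"""
    body = rendered[len(TEMPLATE_PREFIX):len(rendered) - len(TEMPLATE_SUFFIX)]
    return any(ch in body for ch in "<>\"'")


def audit(render) -> dict:
    """Run every sample input through a renderer and classify the outcome:
    'safe' (structure preserved), 'leaked' (raw markup got through) or
    'rejected' (validation refused the input)."""
    outcome = {}
    for s in SAMPLE_INPUTS:
        try:
            outcome[s] = "leaked" if leaks_markup(render(s)) else "safe"
        except ValueError:
            outcome[s] = "rejected"
    return outcome


if __name__ == "__main__":
    for renderer in (render_unvalidated, render_escaped, render_validated):
        print(renderer.__name__, audit(renderer))
```

Running it shows the unvalidated renderer leaking markup for two of the four inputs, the escape-only renderer preserving structure for all of them, and the validating renderer rejecting everything that does not look like a name. Note that the oracle only judges page structure: the `../../etc/passwd` input counts as "safe" for the unvalidated renderer because it contains no markup characters, even though it is exactly the kind of value a tester would want refused if the same string ever reached a file API. That is why the checklist entry is "validate the input," not just "escape the output."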

3 Responses to “Top 25 Most Dangerous Bugs”

  1. Bernard L. said:

    This is a great overview of common security issues which I believe all testers can learn from. Just put them on your testing list and you could ensure a better quality product with reduced (preferably none, of course) security issues. :)

    Bernard.

  2. Roy Solomon said:

    Poor security is one aspect of bad software design and configuration and should be part of every product design and obviously part of the testing cycles…

  3. Bug Free Software – It’s The Law! | Software Testing Blog said:

    [...] Stanton blogged about the Top 25 list around this time last year, noting that although it was comprehensive, it lacked meaningful context for testers. It appears that his feedback was incorporated into the 2010 version. Writes Kelly Jackson Higgins: SANS’ annual list had been criticized by security experts as more of a laundry list rather than offering a solution, but this year the list came with so-called “focus profiles” that broke the programming errors into groups based on categories of weaknesses and also provided mitigation information. The list is in order of priority this year, with failure to preserve Web page structure (think cross-site scripting) as No. 1, and race condition mistakes as No. 25. [...]
