What Are Common Software Security Vulnerabilities?
Concept
Software security vulnerabilities are weaknesses in code, configuration, or system design that attackers can exploit to compromise confidentiality, integrity, or availability — the core tenets of information security (CIA triad).
The OWASP Top 10 is a widely recognized standard enumerating the most critical web application vulnerabilities. Every engineer should understand these risks to build secure and resilient systems.
1. Common Software Security Vulnerabilities
1. SQL Injection (SQLi)
Occurs when unvalidated user input is used to construct database queries, allowing attackers to manipulate SQL statements.
Example (safe for MDX):
# Vulnerable
query = "SELECT * FROM users WHERE username = '" + input + "'"
# Malicious input
' OR 1=1; --
Impact: Unauthorized data access, data modification, or full database compromise. Prevention: Use parameterized queries (prepared statements) and ORM frameworks.
2. Cross-Site Scripting (XSS)
Injecting malicious JavaScript into web pages viewed by other users.
Example (safe for MDX):
<input value="<script>alert('Hacked')</script>">
Impact: Cookie theft, session hijacking, defacement, phishing. Prevention: Output encoding (e.g., escaping HTML), input sanitization, and CSP (Content Security Policy).
3. Cross-Site Request Forgery (CSRF)
Tricks authenticated users into performing unintended actions on a web app.
Impact: Unauthorized fund transfers, password changes. Prevention: Anti-CSRF tokens, same-site cookies, and double-submit validation.
4. Broken Authentication and Session Management
Weak authentication flows or improperly managed sessions can lead to unauthorized access.
Examples:
- Storing passwords in plain text.
- Session IDs in URLs or unexpired cookies.
Prevention: Use strong password hashing (bcrypt, Argon2), implement short session lifetimes, and enforce MFA (Multi-Factor Authentication).
5. Insecure Deserialization
Occurs when untrusted data is deserialized without validation — attackers inject malicious serialized objects to execute code or escalate privileges.
Prevention: Avoid accepting serialized objects from untrusted sources, and use integrity checks or signing.
6. Security Misconfiguration
The most common real-world issue — defaults left unchanged or configurations exposing unnecessary services.
Examples:
- Default admin credentials.
- Verbose error messages revealing internal details.
- Open S3 buckets or API keys in public repositories.
Prevention:
- Harden configurations.
- Disable directory listings.
- Use configuration management tools like Ansible or Terraform with secure defaults.
7. Sensitive Data Exposure
Sensitive data (passwords, tokens, personal info) not properly protected in transit or storage.
Prevention:
- Always use HTTPS (TLS).
- Encrypt sensitive data at rest (AES-256).
- Avoid hardcoding secrets in source code; use secret managers (e.g., AWS Secrets Manager, Vault).
8. Using Components with Known Vulnerabilities
Relying on outdated libraries or frameworks introduces inherited security flaws.
Prevention:
- Regular dependency audits (e.g.,
npm audit,pip-audit). - Use vulnerability scanners (e.g., Snyk, Dependabot).
- Maintain patch management policies.
9. Insufficient Logging and Monitoring
Without proper logging and alerting, attacks can go undetected.
Prevention:
- Centralize logs (e.g., ELK Stack, CloudWatch).
- Monitor anomalies and failed login attempts.
- Define incident response playbooks.
10. Server-Side Request Forgery (SSRF)
Attackers manipulate server-side requests to internal resources.
Example:
GET /fetch?url=http://localhost:8080/admin
Impact: Data exfiltration, internal service access.
Prevention: Whitelist allowed domains and sanitize URLs.
2. OWASP Top 10 (2021 Summary)
| Category | Description |
|---|---|
| A01: Broken Access Control | Improper access enforcement |
| A02: Cryptographic Failures | Weak or missing encryption |
| A03: Injection | SQL, NoSQL, command injections |
| A04: Insecure Design | Flaws in architecture |
| A05: Security Misconfiguration | Unsafe system defaults |
| A06: Vulnerable Components | Outdated dependencies |
| A07: Identification Failures | Flawed authentication flows |
| A08: Software and Data Integrity Failures | Insecure updates, CI/CD flaws |
| A09: Security Logging Failures | Inadequate monitoring |
| A10: SSRF | Exploiting server-side request flaws |
3. Best Practices for Prevention
- Validate inputs — use allowlists and strong type checks.
- Sanitize outputs — encode user data before rendering.
- Principle of Least Privilege — restrict access rights.
- Secure dependencies — scan regularly for vulnerabilities.
- Apply defense in depth — combine authentication, encryption, and monitoring.
- Conduct security reviews and penetration testing.
- Follow OWASP guidelines and NIST recommendations.
4. Real-World Examples
| Vulnerability | Example Incident |
|---|---|
| SQL Injection | Sony Pictures breach (2011) |
| XSS | eBay and Yahoo exploited by injected scripts |
| Insecure Deserialization | Equifax data breach |
| Misconfiguration | AWS S3 bucket leaks |
| Outdated Components | Log4Shell (Log4j CVE-2021-44228) |
5. Developer Responsibility
Security is not just the security team’s job — developers must build secure code by design. Integrate security at every phase of SDLC:
- Code: Use static analysis (SAST) tools.
- Build: Automate dependency checks.
- Deploy: Enforce least privilege.
- Monitor: Detect and respond to incidents quickly.
Interview Tip
- Cite OWASP Top 10 and describe how you’ve mitigated one in practice (e.g., using prepared statements for SQLi).
- Emphasize secure coding habits and use of security scanners (like SonarQube, Snyk).
- Mention how DevSecOps integrates security into the CI/CD pipeline.
Summary Insight
Security vulnerabilities are not just code defects — they are systemic weaknesses that invite exploitation. Proactive prevention, continuous monitoring, and security-aware development are the hallmarks of professional engineering.