

Software security is becoming increasingly important due to the numerous emerging threats exploiting software vulnerabilities. Most software systems today contain design and implementation bugs that can be exploited by attackers.

As more development shifts to the web, and more data is stored in the cloud, security is a critically important topic. A single security misstep can compromise confidential business data or your customers' personal information.

Software security is a lengthy topic, so this blog has been divided into 3 parts. We’ll be covering the following vulnerabilities and their suggested fixes:

  • Injection
  • Cross-site scripting
  • Cross-site request forgery
  • Unvalidated redirects and forwards
  • Common security misconfiguration


A software vulnerability is a weakness in the security of a program, often caused by a mistake in a design decision or in the implementation.


An exploit is an action (or a piece of software that takes an action) that takes advantage of a vulnerability and results in an attacker making the system behave in ways that were never authorized (e.g. changes to databases, denial of service or arbitrary code execution). Here are some well-known stories of a software vulnerability resulting in an attack:

  • 2011: Oracle hacked via SQL injection attack
  • 2011: Expedia's TripAdvisor member data stolen in a possible SQL injection attack
  • 2012: A security flaw in Google Wallet that led to full access to a Google Wallet account without rooting the device or installing an extra app

The security of a web-based application is a major concern for all developers. Even when developers are trying to do the right thing, it is easy for a mistake to result in an attacker being able to take control of software. Taking the time to secure your application development may involve nothing more than getting to know these common software vulnerabilities and their fixes.


Injection is responsible for a very large share of publicly disclosed security breaches. There are many types of injection vulnerabilities, the most common being:

  • SQL injection
  • Command injection
  • LDAP injection
  • XML injection
  • XPath injection

Each type of injection requires the attacker to construct the attack differently. Injection vulnerabilities present some of the most significant risks when effectively exploited. These risks include:

  • Data loss or corruption
  • Unauthorized access
  • Denial of access
  • Complete host system takeover

The consequences of any of these risks can seriously impact the ability of a software system to function properly.

Let’s see what an SQL injection is and how to fix it.

SQL injection occurs when input from a user is used directly to construct a dynamic SQL query that the software then executes. Below is an example of SQL-injection-prone code in C#:

using System.Data;
using System.Data.SqlClient;

public bool Login(string username, string password)
{
    SqlConnection dbConn = new SqlConnection(connectionString);
    SqlCommand cmd = dbConn.CreateCommand();
    // Vulnerable: user-supplied values are concatenated straight into the query text
    cmd.CommandText = "SELECT UserId FROM UserDetails WHERE username = '" + username + "' AND Password = '" + password + "'";
    cmd.CommandType = CommandType.Text;
    dbConn.Open();
    // ExecuteScalar returns the first column of the first matching row, or null when no row matches
    return cmd.ExecuteScalar() != null;
}
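To make the behaviour of that pattern observable, here is an added example (not code from the original post) that rebuilds the same login check in Python against an in-memory SQLite table. It places the vulnerable string-concatenated query next to the parameterized version that fixes it, and runs both with the injected password value quoted below. The table name, column names, sample rows and the function names are constructed for this demonstration; a real system would also store password hashes rather than the plain-text values used here to mirror the C# snippet.

```python
import sqlite3

# Constructed sample rows for the demonstration (assumed, not from the original post).
SAMPLE_USERS = [
    (1, "SampleUsername", "correct-horse"),
    (2, "alice", "hunter2"),
]


def make_db():
    """Create an in-memory UserDetails table mirroring the one queried by the C# snippet."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE UserDetails (UserId INTEGER PRIMARY KEY, username TEXT, Password TEXT)"
    )
    conn.executemany("INSERT INTO UserDetails VALUES (?, ?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Same defect as the C# Login method: input is concatenated into the SQL text.

    Returns True when at least one row matches, which is exactly what an
    injected tautology such as ' OR 'a'='a makes happen for any account.
    """
    sql = (
        "SELECT UserId FROM UserDetails WHERE username = '"
        + username
        + "' AND Password = '"
        + password
        + "'"
    )
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn, username, password):
    """The fix: bind values through placeholders so the driver never parses them as SQL.

    The quote characters in an injected value are delivered to the engine as
    data, so the WHERE clause keeps the shape the developer wrote.
    """
    sql = "SELECT UserId FROM UserDetails WHERE username = ? AND Password = ?"
    return conn.execute(sql, (username, password)).fetchone() is not None


def demo():
    """Run both implementations on a legitimate login and on the injected value."""
    conn = make_db()
    injected = "password' OR 'a'='a"  # the payload quoted in the post, with straight quotes
    return {
        "vulnerable_legit": login_vulnerable(conn, "SampleUsername", "correct-horse"),
        "vulnerable_injected": login_vulnerable(conn, "SampleUsername", injected),
        "parameterized_legit": login_parameterized(conn, "SampleUsername", "correct-horse"),
        "parameterized_injected": login_parameterized(conn, "SampleUsername", injected),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running `demo()` shows the vulnerable version returning True for the injected value with no valid password, because `AND` binds more tightly than `OR` and the appended `'a'='a'` is always true, while the parameterized version returns False for the same input and True only for the real password.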

In the C# Login method above, if an attacker enters the string "SampleUsername" as the username and "password' OR 'a'='a" as the password, the resulting query would look like this: