This collection of case studies focuses on secure software development and reveals detailed information about specific real-world coding issues. Our hope is that these case studies give educators, project leaders, software development teams, and assessment teams insight into these critical issues and show how to avoid them.

With each case study focusing on a real issue in real software, there should be no debate as to the applicability of these mistakes to one’s own day-to-day coding projects. By understanding these issues, the mistakes that were made, and how each was fixed, we will be in a better position to avoid similar problems in the future.

MITRE led the development of this collection of case studies, writing many and reviewing contributions by others. MITRE has a long history in the Software Assurance and Software Vulnerability areas. MITRE founded the Common Vulnerabilities and Exposures (CVE®) effort in 1999 and has since partnered with industry and government leaders to create additional foundational efforts such as the Common Weakness Enumeration (CWE™) and the Common Attack Pattern Enumeration and Classification (CAPEC™).

Case Studies

Python

JavaScript

Go