CISQ Quality Measures - Security

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

The product contains an expression that will always evaluate to false.

The product contains an expression that will always evaluate to true.

The product receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource th...

The product does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.

The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but ...

The product uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neut...

The product uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...

The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes spe...

The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes...

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

The product does not release or incorrectly releases a resource before it is made available for re-use.

The product performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.

The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product ...

The product utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not ...

The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index ref...

The product performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.

When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

When a security-critical event occurs, the product either does not record the event or omits important details about the event when logging it.

The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of mem...

The product uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.

The product uses an expression in which operator precedence causes incorrect logic to be used.

The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive loo...

The product does not check the return value from a method or function, which can prevent it from detecting unexpected states and conditions.

The product allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exter...

The product accidentally uses the wrong operator, which changes the logic in security-relevant ways.

The code uses deprecated or obsolete functions, which suggests that the code has not been actively reviewed or maintained.

The product does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is p...

This view outlines the most important software quality issues as identified by the Consortium for Information & Software Quality (CISQ) Automated Quality Characteristi...