DocumentCode
3419188
Title
A taxonomy of software security defects for SST
Author
Hui, ZhanWei ; Huang, Song ; Hu, Bin ; Ren, Zhengping
Author_Institution
PLA Software Test & Evaluation Centre for Mil. Training, PLA Univ. of Sci. & Technol., Nanjing, China
fYear
2010
fDate
22-24 Oct. 2010
Firstpage
99
Lastpage
103
Abstract
Software security test (SST) is a useful way to validate the security attributes of a software system. Defect-based testing technologies are more effective than traditional specification testing technologies, and more and more researchers are paying attention to these testing methods. Before testing, an organized list of actual defects is especially essential. But at present the only existing suitable taxonomies are mostly for software designers or tool-builders, and do not adequately represent security defects that are found in modern software. In our work, we have coalesced previous efforts to categorize security errors as well as problem reports in order to create a kind of security defects taxonomy. We correlate this taxonomy with available information about the current Top 10 dangerous software errors, which come from CWE, SANS and other authoritative vulnerability enumerations. We suggest that this taxonomy is suitable for software security testers and outline possible areas of future research.
Keywords
program testing; security of data; CWE; SANS; defects based testing technologies; software dangerous errors; software designers; software security defects taxonomy; software security test; software system security attribute; tool-builders; Computers; Encoding; Security; Software; Storage area networks; Testing; flaw; security defect taxonomy; software security test; vulnerability;
fLanguage
English
Publisher
IEEE
Conference_Titel
Intelligent Computing and Integrated Systems (ICISS), 2010 International Conference on
Conference_Location
Guilin
Print_ISBN
978-1-4244-6834-8
Type
conf
DOI
10.1109/ICISS.2010.5656736
Filename
5656736