Why developers insert security vulnerabilities into their code

Modern software systems are difficult to test due to their distributed nature, and increased security complicates testing even further. Our hypothesis is that some security vulnerabilities are actually introduced due to developers&psila; need to facilitate testing that software requirements have been implemented correctly. If these temporary security vulnerabilities are not removed before the software is delivered, there is a great risk that they may become fielded security vulnerabilities.In this paper, we study the relationship between such security vulnerabilities and developers' need to improve the testability of an application to facilitate unit and integration testing. We trace detected vulnerabilities to characteristics of the software that made testing difficult and therefore led to testability improvements. We discuss how the need to increase testability may relate to a form of developer usability, and what the ways of dealing with the problem of security vulnerabilities as a consequence of increasing testability are. (11 refs.