Software insecurity: Porous Defense


The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.


CWE-306: Missing Authentication for Critical Function
CWE-862: Missing Authorization
CWE-798: Use of Hard-coded Credentials
CWE-311: Missing Encryption of Sensitive Data
CWE-807: Reliance on Untrusted Inputs in a Security Decision
CWE-250: Execution with Unnecessary Privileges
CWE-863: Incorrect Authorization
CWE-732: Incorrect Permission Assignment for Critical Resource
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-307: Improper Restriction of Excessive Authentication Attempts
CWE-759: Use of a One-Way Hash without a Salt

Reference: http://www.sans.org/top25-software-errors/#cat1


Comments (2)

  1. cron22 says:

    Well, how does one know, when developing an application, which inputs are trusted and which are not?

  2. SoCal Sam says:

    Hey cron22, good question and one that I will be discussing over the next few weeks.