CISQ Data Protection Measures
A view in the Common Weakness Enumeration published by The MITRE Corporation.
Objective
Views in the Common Weakness Enumeration (CWE) represent one perspective with which to consider a set of weaknesses.
This view outlines the SMM representation of the Automated Source Code Data Protection Measurement specifications, as identified by the Consortium for Information & Software Quality (CISQ) Working Group.
Target Audience
Assessment Tool Vendors
This view provides a good starting point for assessment tool vendors (e.g., vendors selling static analysis tools) who wish to understand what constitutes software with good code quality, and which quality issues may be of concern.
Product Vendors
This view can help product vendors understand code quality issues and convey an overall status of their software.
Software Developers
This view provides a good starting point for anyone involved in software development (including architects, designers, coders, and testers) to ensure that code quality issues are considered during the development process.
Weaknesses
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
The product does not properly prevent a person's private, personal information from being accessed by actors who either (1) are not explicitly authorized to access the...
The product's intended functionality exposes information to certain actors in accordance with the developer's security policy, but this information is regarded as sens...
The software does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
The software does not properly anticipate or handle exceptional conditions that rarely occur during normal operation of the software.
The software receives input from an upstream component, but it does not restrict or incorrectly restricts the input before it is used as an identifier for a resource t...
The software does not initialize or incorrectly initializes a resource, which might leave the resource in an unexpected state when it is accessed or used.
The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but...
The software uses external input to dynamically construct an XPath expression used to retrieve data from an XML database, but it does not neutralize or incorrectly neu...
The software uses external input to dynamically construct an XQuery expression used to retrieve data from an XML database, but it does not neutralize or incorrectly ne...
The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other us...
The software constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes sp...
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralize...
The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutraliz...
The software does not terminate or incorrectly terminates a string or array with a null character or equivalent terminator.
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
The program does not release or incorrectly releases a resource before it is made available for re-use.
The software performs operations on a memory buffer, but it can read from or write to a memory location that is outside of the intended boundary of the buffer.
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product...
The software utilizes multiple threads or processes to allow temporary access to a shared resource that can only be exclusive to one process at a time, but it does not...
The product uses untrusted input when calculating or using an array index, but the product does not validate or incorrectly validates the index to ensure the index ref...
The software receives input from an upstream component that specifies multiple attributes, properties, or fields that are to be initialized or updated in an object, bu...
The software performs a calculation that generates incorrect or unintended results that are later used in security-critical decisions or resource management.
When converting from one data type to another, such as long to integer, data can be omitted or translated in a way that produces unexpected values. If the resulting va...
The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.
The software does not correctly convert an object, resource, or structure from one type to a different type.
The software initializes data using hard-coded values that act as network resource identifiers.
The software does not encrypt sensitive or critical information before storage or transmission.
The software uses, accesses, or otherwise operates on a resource after that resource has been expired, released, or revoked.
A function returns the address of a stack variable, which will cause unintended program behavior, typically in the form of a crash.
The product does not properly check inputs that are used for loop conditions, potentially leading to a denial of service or other consequences because of excessive loo...
The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.
The software uses a function that accepts a format string as an argument, but the format string originates from an external source.
The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to exte...
The software uses or accesses a resource that has not been initialized.
The software does not properly neutralize special elements that are used in XML, allowing attackers to modify the syntax, content, or commands of the XML before it is ...
See Also
- AUTOMATED SOURCE CODE MEASURE FOR DATA PROTECTION
Consortium for Information & Software Quality (CISQ)
Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.