Comprehensive Categorization: Violation of Secure Design Principles

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to violation of secure design principles.

Weaknesses

Dependency on Vulnerable Third-Party Component

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

Execution with Unnecessary Privileges

The product performs an operation at a privilege level that is higher than the minimum level required, which creates new weaknesses or amplifies the consequences of ot...

Improper Identifier for IP Block used in System-On-Chip (SOC)

The System-on-Chip (SoC) does not have unique, immutable identifiers for each of its components.

Improper Isolation of Shared Resources in Network On Chip (NoC)

The Network On Chip (NoC) does not isolate or incorrectly isolates its on-chip-fabric and internal resources such that they are shared between trusted and untrusted ag...

Improper Isolation of Shared Resources on System-on-a-Chip (SoC)

The System-On-a-Chip (SoC) does not properly isolate shared resources between trusted and untrusted agents.

Improper Isolation or Compartmentalization

The product does not properly compartmentalize or isolate functionality, processes, or resources that require different privilege levels, rights, or permissions.

Improper Protection of Alternate Path

The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.

Insufficient Psychological Acceptability

The product has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by acc...

Lack of Administrator Control over Security

The product uses security features in a way that prevents the product's administrator from tailoring security settings to reflect the environment in which the product ...

Non-Transparent Sharing of Microarchitectural Resources

Hardware structures shared across execution contexts (e.g., caches and branch predictors) can violate the expected architecture isolation between contexts.

Not Failing Securely ('Failing Open')

When the product encounters an error condition or failure, its design requires it to fall back to a state that is less secure than other options that are available, su...

Not Using Complete Mediation

The product does not perform access checks on a resource every time the resource is accessed by an entity, which can create resultant weaknesses if that entity's right...

Reliance on a Single Factor in a Security Decision

A protection mechanism relies exclusively, or to a large extent, on the evaluation of a single condition or the integrity of a single object or entity in order to make...

Reliance on Security Through Obscurity

The product uses a protection mechanism whose strength depends heavily on its obscurity, such that knowledge of its algorithms or key data is sufficient to defeat the ...

Unimplemented or Unsupported Feature in UI

A UI function for a security feature appears to be supported and gives feedback to the user that suggests that it is supported, but the underlying functionality is not...

Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism')

The product uses a more complex mechanism than necessary, which could lead to resultant weaknesses when the mechanism is not correctly understood, modeled, configured,...

Violation of Secure Design Principles

The product violates well-established principles for secure design.

Concepts

Comprehensive Categorization for Software Assurance Trends

This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...

See Also

  1. CVE --> CWE Mapping Guidance - Quick Tips

    MITRE


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.