A category in the Common Weakness Enumeration published by The MITRE Corporation.
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to the design and implementation of data confidentiality and integrity. Frequently these deal with the use of encoding techniques, encryption libraries, and hashing algorithms. The weaknesses in this category could lead to a degradation of the quality data if they are not addressed.
The software does not verify, or incorrectly verifies, the cryptographic signature for data.
The software uses a Pseudo-Random Number Generator (PRNG) but does not correctly manage seeds.
The software uses an algorithm or scheme that produces insufficient entropy, leaving patterns or clusters of values that are more likely to occur than others.
The product does not implement a required step in a cryptographic algorithm, resulting in weaker encryption than advertised by the algorithm.
The number of possible random values is smaller than needed by the product, making it more susceptible to brute force attacks.
To fulfill the need for a cryptographic primitive, the product implements a cryptographic algorithm using a non-standard, unproven, or disallowed/non-compliant cryptog...
The product uses a cryptographic key or password past its expiration date, which diminishes its safety significantly by increasing the timing window for cracking attac...
The product uses a Pseudo-Random Number Generator (PRNG) in a security context, but the PRNG's algorithm is not cryptographically strong.
The software generates a hash for a password, but it uses a scheme that does not provide a sufficient level of computational effort that would make password cracking a...
The product uses an algorithm that produces a digest (output value) that does not meet security expectations for a hash function that allows an adversary to reasonably...
Obscuring a password with a trivial encoding does not protect the password.
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development l...
- Writing Secure Code
Michael Howard, David LeBlanc