View: Architectural Concepts
Incomplete
Type: Graph
Objective
This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Audience
| Type | Description |
|---|---|
| Software Developers | Architects that are part of a software development team may find this view useful as the weaknesses are organized by known security tactics, aiding the arcitect in embedding security throughout the design process instead of discovering weaknesses after the software has been built. |
| Educators | Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made. |
Relationships
Architectural Concepts- (CWE-1008)
Audit- (CWE-1009)
Improper Output Neutralization for Logs- (CWE-117)
Omission of Security-relevant Information- (CWE-223)
Insufficient Logging- (CWE-778)
Logging of Excessive Data- (CWE-779)
Authenticate Actors- (CWE-1010)
Empty Password in Configuration File- (CWE-258)
Use of Hard-coded Password- (CWE-259)
Not Using Password Aging- (CWE-262)
Password Aging with Long Expiration- (CWE-263)
Improper Authentication- (CWE-287)
Authentication Bypass by Alternate Name- (CWE-289)
Authentication Bypass by Spoofing- (CWE-290)
Reliance on IP Address for Authentication- (CWE-291)
Using Referer Field for Authentication- (CWE-293)
Authentication Bypass by Capture-replay- (CWE-294)
Missing Critical Step in Authentication- (CWE-304)
Authentication Bypass by Primary Weakness- (CWE-305)
Missing Authentication for Critical Function- (CWE-306)
Use of Single-factor Authentication- (CWE-308)
Key Exchange without Entity Authentication- (CWE-322)
Weak Password Requirements- (CWE-521)
Use of Client-Side Authentication- (CWE-603)
Unverified Password Change- (CWE-620)
Use of Hard-coded Credentials- (CWE-798)
Authorize Actors- (CWE-1011)
Process Control- (CWE-114)
Incorrect Privilege Assignment- (CWE-266)
Privilege Defined With Unsafe Actions- (CWE-267)
Privilege Chaining- (CWE-268)
Improper Privilege Management- (CWE-269)
Privilege Context Switching Error- (CWE-270)
Privilege Dropping / Lowering Errors- (CWE-271)
Least Privilege Violation- (CWE-272)
Improper Check for Dropped Privileges- (CWE-273)
Improper Handling of Insufficient Privileges- (CWE-274)
Incorrect Default Permissions- (CWE-276)
Insecure Inherited Permissions- (CWE-277)
Incorrect Execution-Assigned Permissions- (CWE-279)
Improper Preservation of Permissions- (CWE-281)
Improper Ownership Management- (CWE-282)
Unverified Ownership- (CWE-283)
Improper Access Control- (CWE-284)
Improper Authorization- (CWE-285)
Incorrect User Management- (CWE-286)
Channel Accessible by Non-Endpoint- (CWE-300)
Predictable from Observable State- (CWE-341)
Unprotected Primary Channel- (CWE-419)
Unprotected Alternate Channel- (CWE-420)
Direct Request ('Forced Browsing')- (CWE-425)
Untrusted Search Path- (CWE-426)
External Control of Critical State Data- (CWE-642)
Improper Isolation or Compartmentalization- (CWE-653)
Reliance on Security Through Obscurity- (CWE-656)
Exposure of Resource to Wrong Sphere- (CWE-668)
Incorrect Resource Transfer Between Spheres- (CWE-669)
Lack of Administrator Control over Security- (CWE-671)
External Influence of Sphere Definition- (CWE-673)
Incorrect Ownership Assignment- (CWE-708)
Improper Control of Document Type Definition- (CWE-827)
Missing Authorization- (CWE-862)
Incorrect Authorization- (CWE-863)
Cross Cutting- (CWE-1012)
Observable Timing Discrepancy- (CWE-208)
Missing Report of Error Condition- (CWE-392)
Improper Cleanup on Thrown Exception- (CWE-460)
Encrypt Data- (CWE-1013)
Plaintext Storage of a Password- (CWE-256)
Storing Passwords in a Recoverable Format- (CWE-257)
Password in Configuration File- (CWE-260)
Weak Encoding for Password- (CWE-261)
Missing Encryption of Sensitive Data- (CWE-311)
Cleartext Storage of Sensitive Information- (CWE-312)
Cleartext Storage in a File or on Disk- (CWE-313)
Cleartext Storage in the Registry- (CWE-314)
Use of Hard-coded Cryptographic Key- (CWE-321)
Reusing a Nonce, Key Pair in Encryption- (CWE-323)
Use of a Key Past its Expiration Date- (CWE-324)
Missing Cryptographic Step- (CWE-325)
Inadequate Encryption Strength- (CWE-326)
Use of Weak Hash- (CWE-328)
Use of Insufficiently Random Values- (CWE-330)
Insufficient Entropy- (CWE-331)
Insufficient Entropy in PRNG- (CWE-332)
Small Space of Random Values- (CWE-334)
Small Seed Space in PRNG- (CWE-339)
Insufficiently Protected Credentials- (CWE-522)
Unprotected Transport of Credentials- (CWE-523)
Use of a One-Way Hash without a Salt- (CWE-759)
Use of RSA Algorithm without OAEP- (CWE-780)
Insecure Storage of Sensitive Information- (CWE-922)
Identify Actors- (CWE-1014)
Improper Certificate Validation- (CWE-295)
Improper Check for Certificate Revocation- (CWE-299)
Origin Validation Error- (CWE-346)
Missing Validation of OpenSSL Certificate- (CWE-599)
Limit Access- (CWE-1015)
Execution with Unnecessary Privileges- (CWE-250)
External Control of File Name or Path- (CWE-73)
Limit Exposure- (CWE-1016)
Lock Computer- (CWE-1017)
Overly Restrictive Account Lockout Mechanism- (CWE-645)
Manage User Sessions- (CWE-1018)
Session Fixation- (CWE-384)
Exposure of Data Element to Wrong Session- (CWE-488)
Insufficient Session Expiration- (CWE-613)
Improper Enforcement of Behavioral Workflow- (CWE-841)
Validate Inputs- (CWE-1019)
Improper Neutralization of Special Elements- (CWE-138)
Improper Input Validation- (CWE-20)
Cross-Site Request Forgery (CSRF)- (CWE-352)
PHP External Variable Modification- (CWE-473)
Deserialization of Untrusted Data- (CWE-502)
Improper Filtering of Special Elements- (CWE-790)
Incomplete Filtering of Special Elements- (CWE-791)
Verify Message Integrity- (CWE-1020)
Missing Support for Integrity Check- (CWE-353)
Improper Validation of Integrity Check Value- (CWE-354)
Detection of Error Condition Without Action- (CWE-390)
Unchecked Error Condition- (CWE-391)
Download of Code Without Integrity Check- (CWE-494)
Improper Neutralization- (CWE-707)
Improper Handling of Exceptional Conditions- (CWE-755)
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.