View: Software Development
Draft
Type: Graph
Objective
This view organizes weaknesses around concepts that are frequently used or encountered in software development. This includes all aspects of the software development lifecycle including both architecture and implementation. Accordingly, this view can align closely with the perspectives of architects, developers, educators, and assessment vendors. It provides a variety of categories that are intended to simplify navigation, browsing, and mapping.
Audience
| Type | Description |
|---|---|
| Software Developers | Software developers (including architects, designers, coders, and testers) use this view to better understand potential mistakes that can be made in specific areas of their software application. The use of concepts that developers are familiar with makes it easier to navigate this view, and filtering by Modes of Introduction can enable focus on a specific phase of the development lifecycle. |
| Educators | Educators use this view to teach future developers about the types of mistakes that are commonly made within specific parts of a codebase. |
Relationships
Software Development- (CWE-699)
API / Function Errors- (CWE-1228)
Use of Inherently Dangerous Function- (CWE-242)
Undefined Behavior for Input to API- (CWE-475)
Use of Obsolete Function- (CWE-477)
Use of Potentially Dangerous Function- (CWE-676)
Use of Low-Level Functionality- (CWE-695)
Exposed Dangerous Method or Function- (CWE-749)
Audit / Logging Errors- (CWE-1210)
Improper Output Neutralization for Logs- (CWE-117)
Truncation of Security-relevant Information- (CWE-222)
Omission of Security-relevant Information- (CWE-223)
Insufficient Logging- (CWE-778)
Logging of Excessive Data- (CWE-779)
Authentication Errors- (CWE-1211)
Authentication Bypass by Alternate Name- (CWE-289)
Authentication Bypass by Spoofing- (CWE-290)
Authentication Bypass by Capture-replay- (CWE-294)
Improper Certificate Validation- (CWE-295)
Authentication Bypass by Primary Weakness- (CWE-305)
Missing Authentication for Critical Function- (CWE-306)
Use of Single-factor Authentication- (CWE-308)
Key Exchange without Entity Authentication- (CWE-322)
Use of Client-Side Authentication- (CWE-603)
Overly Restrictive Account Lockout Mechanism- (CWE-645)
Guessable CAPTCHA- (CWE-804)
Authorization Errors- (CWE-1212)
Direct Request ('Forced Browsing')- (CWE-425)
Improper Isolation or Compartmentalization- (CWE-653)
Placement of User into Incorrect Group- (CWE-842)
Insufficient Granularity of Access Control- (CWE-1220)
Bad Coding Practices- (CWE-1006)
Trust of System Event Data- (CWE-360)
Reliance on Package-level Scope- (CWE-487)
Active Debug Code- (CWE-489)
Dead Code- (CWE-561)
Return of Stack Variable Address- (CWE-562)
Assignment to Variable without Use- (CWE-563)
Explicit Call to Finalize()- (CWE-586)
Multiple Binds to the Same Port- (CWE-605)
Reliance on Security Through Obscurity- (CWE-656)
Use of Redundant Code- (CWE-1041)
Missing Serialization Control Element- (CWE-1066)
Empty Code Block- (CWE-1071)
Parent Class without Virtual Destructor Method- (CWE-1079)
Class Instance Self Destruction Control Element- (CWE-1082)
Excessive Index Range Scan for a Data Resource- (CWE-1094)
Inconsistent Naming Conventions for Identifiers- (CWE-1099)
Reliance on Runtime Component in Generated Code- (CWE-1101)
Use of Platform-Dependent Third Party Components- (CWE-1103)
Use of Unmaintained Third Party Components- (CWE-1104)
Insufficient Use of Symbolic Constants- (CWE-1106)
Excessive Reliance on Global Variables- (CWE-1108)
Use of Same Variable for Multiple Purposes- (CWE-1109)
Inappropriate Comment Style- (CWE-1113)
Inappropriate Whitespace Style- (CWE-1114)
Source Code Element without Standard Prologue- (CWE-1115)
Inaccurate Comments- (CWE-1116)
Callable with Insufficient Behavioral Summary- (CWE-1117)
Compilation with Insufficient Warnings or Errors- (CWE-1127)
Behavioral Problems- (CWE-438)
Misinterpretation of Input- (CWE-115)
Incorrect Behavior Order: Early Validation- (CWE-179)
Incomplete Model of Endpoint Features- (CWE-437)
Expected Behavior Violation- (CWE-440)
Use of Incorrect Operator- (CWE-480)
Incorrect Block Delimitation- (CWE-483)
Omitted Break Statement in Switch- (CWE-484)
Execution After Redirect (EAR)- (CWE-698)
Operator Precedence Logic Error- (CWE-783)
Improper Enforcement of Behavioral Workflow- (CWE-841)
Comparison Using Wrong Factors- (CWE-1025)
Business Logic Errors- (CWE-840)
Unverified Ownership- (CWE-283)
Incorrect Ownership Assignment- (CWE-708)
Improper Enforcement of Behavioral Workflow- (CWE-841)
Communication Channel Errors- (CWE-417)
Key Exchange without Entity Authentication- (CWE-322)
Origin Validation Error- (CWE-346)
Covert Timing Channel- (CWE-385)
Unprotected Primary Channel- (CWE-419)
Unprotected Alternate Channel- (CWE-420)
Direct Request ('Forced Browsing')- (CWE-425)
Covert Storage Channel- (CWE-515)
Server-Side Request Forgery (SSRF)- (CWE-918)
Binding to an Unrestricted IP Address- (CWE-1327)
Complexity Issues- (CWE-1226)
Modules with Circular Dependencies- (CWE-1047)
Multiple Inheritance from Concrete Classes- (CWE-1055)
Class with Excessively Deep Inheritance- (CWE-1074)
Class with Excessive Number of Child Classes- (CWE-1086)
Loop Condition Value Update within the Loop- (CWE-1095)
Excessive Use of Unconditional Branching- (CWE-1119)
Excessive McCabe Cyclomatic Complexity- (CWE-1121)
Excessive Halstead Complexity- (CWE-1122)
Excessive Use of Self-Modifying Code- (CWE-1123)
Excessively Deep Nesting- (CWE-1124)
Excessive Attack Surface- (CWE-1125)
Inefficient Regular Expression Complexity- (CWE-1333)
Concurrency Issues- (CWE-557)
Signal Handler Race Condition- (CWE-364)
Race Condition within a Thread- (CWE-366)
Context Switching Race Condition- (CWE-368)
Symbolic Name not Mapping to Correct Object- (CWE-386)
Missing Synchronization- (CWE-820)
Incorrect Synchronization- (CWE-821)
Credentials Management Errors- (CWE-255)
Cryptographic Issues- (CWE-310)
Key Management Errors- (CWE-320)
Key Exchange without Entity Authentication- (CWE-322)
Reusing a Nonce, Key Pair in Encryption- (CWE-323)
Use of a Key Past its Expiration Date- (CWE-324)
Use of Hard-coded Credentials- (CWE-798)
Data Integrity Issues- (CWE-1214)
Key Exchange without Entity Authentication- (CWE-322)
Origin Validation Error- (CWE-346)
Use of Less Trusted Source- (CWE-348)
Insufficient Type Distinction- (CWE-351)
Missing Support for Integrity Check- (CWE-353)
Improper Validation of Integrity Check Value- (CWE-354)
Download of Code Without Integrity Check- (CWE-494)
Data Processing Errors- (CWE-19)
Improper Handling of Missing Special Element- (CWE-166)
Improper Handling of Case Sensitivity- (CWE-178)
Collapse of Data into Unsafe Value- (CWE-182)
Overly Restrictive Regular Expression- (CWE-186)
Improper Handling of Values- (CWE-229)
Improper Handling of Parameters- (CWE-233)
Improper Handling of Structural Elements- (CWE-237)
Improper Handling of Unexpected Data Type- (CWE-241)
Executable Regular Expression Error- (CWE-624)
Permissive Regular Expression- (CWE-625)
Comparison of Incompatible Types- (CWE-1024)
Data Neutralization Issues- (CWE-137)
Improper Output Neutralization for Logs- (CWE-117)
Improper Neutralization of Delimiters- (CWE-140)
Improper Null Termination- (CWE-170)
Deletion of Data Structure Sentinel- (CWE-463)
Addition of Data Structure Sentinel- (CWE-464)
Incomplete Filtering of Special Elements- (CWE-791)
Inappropriate Encoding for Output Context- (CWE-838)
Documentation Issues- (CWE-1225)
Missing Documentation for Design- (CWE-1053)
Incomplete Design Documentation- (CWE-1110)
Incomplete I/O Documentation- (CWE-1111)
Incomplete Documentation of Program Execution- (CWE-1112)
File Handling Issues- (CWE-1219)
Improper Resolution of Path Equivalence- (CWE-41)
Untrusted Search Path- (CWE-426)
Uncontrolled Search Path Element- (CWE-427)
Unquoted Search Path or Element- (CWE-428)
Encapsulation Issues- (CWE-1227)
Parent Class with References to Child Class- (CWE-1062)
Uncaught Exception- (CWE-248)
Unchecked Return Value- (CWE-252)
Incorrect Check of Function Return Value- (CWE-253)
Detection of Error Condition Without Action- (CWE-390)
Unchecked Error Condition- (CWE-391)
Missing Report of Error Condition- (CWE-392)
Return of Wrong Status Code- (CWE-393)
Unexpected Status Code or Return Value- (CWE-394)
Declaration of Catch for Generic Exception- (CWE-396)
Declaration of Throws for Generic Exception- (CWE-397)
Return Inside Finally Block- (CWE-584)
Reachable Assertion- (CWE-617)
Missing Custom Error Page- (CWE-756)
Expression Issues- (CWE-569)
Use of Incorrect Operator- (CWE-480)
Expression is Always False- (CWE-570)
Expression is Always True- (CWE-571)
Operator Precedence Logic Error- (CWE-783)
Handler Errors- (CWE-429)
Deployment of Wrong Handler- (CWE-430)
Missing Handler- (CWE-431)
Information Management Errors- (CWE-199)
Observable Response Discrepancy- (CWE-204)
Observable Behavioral Discrepancy- (CWE-205)
Observable Timing Discrepancy- (CWE-208)
Cleartext Storage of Sensitive Information- (CWE-312)
Initialization and Cleanup Errors- (CWE-452)
Non-exit on Failed Initialization- (CWE-455)
Incomplete Cleanup- (CWE-459)
Data Validation Issues- (CWE-1215)
Missing XML Validation- (CWE-112)
Incorrect Behavior Order: Early Validation- (CWE-179)
Permissive List of Allowed Inputs- (CWE-183)
Incomplete List of Disallowed Inputs- (CWE-184)
Unchecked Input for Loop Condition- (CWE-606)
Improper Use of Validation Framework- (CWE-1173)
Improper Validation of Specified Type of Input- (CWE-1287)
Improper Validation of Consistency within Input- (CWE-1288)
Lockout Mechanism Errors- (CWE-1216)
Overly Restrictive Account Lockout Mechanism- (CWE-645)
Memory Buffer Errors- (CWE-1218)
Buffer Underwrite ('Buffer Underflow')- (CWE-124)
Out-of-bounds Read- (CWE-125)
Incorrect Calculation of Buffer Size- (CWE-131)
Out-of-bounds Write- (CWE-787)
Buffer Access with Incorrect Length Value- (CWE-805)
Numeric Errors- (CWE-189)
Permission Issues- (CWE-275)
Incorrect Default Permissions- (CWE-276)
Insecure Inherited Permissions- (CWE-277)
Insecure Preserved Inherited Permissions- (CWE-278)
Incorrect Execution-Assigned Permissions- (CWE-279)
Improper Preservation of Permissions- (CWE-281)
Exposed Unsafe ActiveX Method- (CWE-618)
Critical Data Element Declared Public- (CWE-766)
Pointer Issues- (CWE-465)
Incorrect Pointer Scaling- (CWE-468)
Use of Pointer Subtraction to Determine Size- (CWE-469)
NULL Pointer Dereference- (CWE-476)
Assignment of a Fixed Address to a Pointer- (CWE-587)
Release of Invalid Pointer or Reference- (CWE-763)
Untrusted Pointer Dereference- (CWE-822)
Use of Out-of-range Pointer Offset- (CWE-823)
Access of Uninitialized Pointer- (CWE-824)
Expired Pointer Dereference- (CWE-825)
Privilege Issues- (CWE-265)
Execution with Unnecessary Privileges- (CWE-250)
Incorrect Privilege Assignment- (CWE-266)
Privilege Defined With Unsafe Actions- (CWE-267)
Privilege Chaining- (CWE-268)
Privilege Context Switching Error- (CWE-270)
Least Privilege Violation- (CWE-272)
Improper Check for Dropped Privileges- (CWE-273)
Improper Handling of Insufficient Privileges- (CWE-274)
Trust Boundary Violation- (CWE-501)
clone() Method Without super.clone()- (CWE-580)
Incorrect Use of Privileged APIs- (CWE-648)
Random Number Issues- (CWE-1213)
Insufficient Entropy- (CWE-331)
Small Space of Random Values- (CWE-334)
Predictable from Observable State- (CWE-341)
Predictable Exact Value from Previous Values- (CWE-342)
Predictable Value Range from Previous Values- (CWE-343)
Resource Locking Problems- (CWE-411)
Unrestricted Externally Accessible Lock- (CWE-412)
Improper Resource Locking- (CWE-413)
Missing Lock Check- (CWE-414)
Double-Checked Locking- (CWE-609)
Multiple Locks of a Critical Resource- (CWE-764)
Multiple Unlocks of a Critical Resource- (CWE-765)
Unlock of a Resource that is not Locked- (CWE-832)
Deadlock- (CWE-833)
Resource Management Errors- (CWE-399)
Signal Errors- (CWE-387)
Signal Handler Race Condition- (CWE-364)
State Issues- (CWE-371)
Incomplete Internal State Distinction- (CWE-372)
String Errors- (CWE-133)
Use of Externally-Controlled Format String- (CWE-134)
Use of Incorrect Operator- (CWE-480)
Type Errors- (CWE-136)
User Interface Security Issues- (CWE-355)
Unimplemented or Unsupported Feature in UI- (CWE-447)
Obsolete Feature in UI- (CWE-448)
The UI Performs the Wrong Action- (CWE-449)
Missing Password Field Masking- (CWE-549)
User Session Errors- (CWE-1217)
Exposure of Data Element to Wrong Session- (CWE-488)
Insufficient Session Expiration- (CWE-613)
Improper Enforcement of Behavioral Workflow- (CWE-841)
Mapping Notes
Usage: Prohibited
Reasons: View
Rationale:
This entry is a View. Views are not weaknesses and therefore inappropriate to describe the root causes of vulnerabilities.
Comment:
Use this View or other Views to search and navigate for the appropriate weakness.