Software Security Error Classification

  • Input Validation and Representation
  • API Abuse
  • Security Features
  • Time and State
  • Errors
  • Code Quality
  • Encapsulation

1 Input Validation and Representation

Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include buffer overflows, cross-site scripting attacks, SQL injection and many others.

Function module: Input Validation and Representation
Scan items:
  • Buffer Overflow
  • Command Injection
  • Cross-Site Scripting
  • Format String
  • HTTP Response Splitting
  • Illegal Pointer Value
  • Integer Overflow
  • Log Forging
  • Path Manipulation
  • Process Control
  • Resource Injection
  • Setting Manipulation
  • SQL Injection
  • String Termination Error
  • Struts: Duplicate Validation Forms
  • Struts: Form Bean Does Not Extend Validation Class
  • Struts: Form Field Without Validator
  • Struts: Plug-in Framework Not In Use
  • Struts: Unused Validation Form
  • Struts: Unvalidated Action Form
  • Struts: Validator Turned Off
  • Struts: Validator Without Form Field
  • Unsafe JNI
  • Unsafe Reflection
  • XML Validation
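The three root causes named above (metacharacters, alternate encodings, numeric representations) are easiest to see with a vulnerable check beside its hardened form. The following Python example is added here and is not part of the original post or of any scanner's own code; the `users` table, the document root `/srv/app/static`, the 256-byte buffer and every input are constructed for the demonstration, and it maps each root cause to one scan item from the list (SQL Injection, Path Manipulation, Integer Overflow).

```python
"""Added example, not from the original page: one vulnerable check beside one
hardened check for each root cause listed under Input Validation and
Representation.

  metacharacters          -> SQL Injection
  alternate encodings     -> Path Manipulation
  numeric representation  -> Integer Overflow

Table, document root, buffer size and inputs are constructed for the demo;
the database is in-memory and no real file is opened.
"""
import posixpath
import sqlite3
from urllib.parse import unquote

# --- metacharacters: SQL Injection -----------------------------------------

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table with two rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "user"), ("bob", "admin")])
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    # The single quote is a SQL metacharacter: embedded into the statement,
    # the input can close the literal and rewrite the WHERE clause.
    sql = f"SELECT name FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(sql)]

def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    # A bound parameter is delivered as data; quotes inside it never reach
    # the SQL parser as syntax.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

# --- alternate encodings: Path Manipulation --------------------------------

BASE = "/srv/app/static"   # constructed document root for the demo

def resolve_vulnerable(user_path: str) -> str:
    # Check-then-decode: "%2e%2e/" contains no literal "..", passes the
    # check, and only afterwards decodes to "../".
    if ".." in user_path:
        raise ValueError("traversal rejected")
    return posixpath.normpath(posixpath.join(BASE, unquote(user_path)))

def resolve_hardened(user_path: str) -> str:
    # Canonicalise first, check last: decode until the string is stable
    # (bounded, so %252e double-encoding cannot loop forever), normalise,
    # then verify the result is still under BASE.
    decoded = user_path
    for _ in range(4):
        step = unquote(decoded)
        if step == decoded:
            break
        decoded = step
    full = posixpath.normpath(posixpath.join(BASE, decoded))
    if full != BASE and not full.startswith(BASE + "/"):
        raise ValueError("traversal rejected")
    return full

def escapes(resolver, user_path: str) -> bool:
    """True when `resolver` lets the input resolve outside BASE (the bypass
    succeeded); False when it rejects the input or keeps it under BASE."""
    try:
        full = resolver(user_path)
    except ValueError:
        return False
    return not (full == BASE or full.startswith(BASE + "/"))

# --- numeric representation: Integer Overflow ------------------------------

BUF_SIZE = 256   # constructed fixed buffer size
HEADER = 16      # bytes the code prepends before copying

def length_ok_vulnerable(declared_len: int) -> bool:
    # Mirrors the C check `if (len + HEADER <= BUF_SIZE)` evaluated in a
    # 32-bit unsigned register: the sum wraps to a small value and an
    # oversized copy is allowed through.
    total = (declared_len + HEADER) & 0xFFFFFFFF
    return total <= BUF_SIZE

def length_ok_hardened(declared_len: int) -> bool:
    # Range-check the operand itself against (BUF_SIZE - HEADER), so no
    # arithmetic on an attacker-controlled value can wrap.
    return 0 <= declared_len <= BUF_SIZE - HEADER
```

The path case is the one scanners flag most often in practice: the order "validate, then decode" is what turns an alternate encoding into a bypass, so canonicalisation (decoding, normalisation) must finish before any check runs. The overflow case uses masked Python arithmetic only to reproduce what a 32-bit C comparison does; the fix is the same in either language, bounding the operand rather than the sum.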

2 API Abuse

Function module: API Abuse
Scan items:
  • Dangerous Function
  • Directory Restriction
  • Heap Inspection
  • J2EE Bad Practices: getConnection()
  • J2EE Bad Practices: Sockets
  • Often Misused: Authentication
  • Often Misused: Exception Handling
  • Often Misused: File System
  • Often Misused: Privilege Management
  • Often Misused: Strings
  • Unchecked Return Value

3 Security Features

Function module: Security Features
Scan items:
  • Insecure Randomness
  • Least Privilege Violation
  • Missing Access Control
  • Password Management
  • Password Management: Empty Password in Config File
  • Password Management: Hard-Coded Password
  • Password Management: Password in Config File
  • Password Management: Weak Cryptography
  • Privacy Violation

4 Time and State

Function module: Time and State
Scan items:
  • Deadlock
  • Failure to Begin a New Session upon Authentication
  • File Access Race Condition: TOCTOU
  • Insecure Temporary File
  • J2EE Bad Practices: System.exit()
  • J2EE Bad Practices: Threads
  • Signal Handling Race Conditions

5 Errors

Function module: Errors
Scan items:
  • Catch NullPointerException
  • Empty Catch Block
  • Overly-Broad Catch Block
  • Overly-Broad Throws Declaration

6 Code Quality

Function module: Code Quality
Scan items:
  • Double Free
  • Inconsistent Implementations
  • Memory Leak
  • Null Dereference
  • Obsolete
  • Undefined Behavior
  • Uninitialized Variable
  • Unreleased Resource
  • Use After Free
Code QualityUse After Free

7 Encapsulation

Function module: Encapsulation
Scan items:
  • Comparing Classes by Name
  • Data Leaking Between Users
  • Leftover Debug Code
  • Mobile Code: Object Hijack
  • Mobile Code: Use of Inner Class
  • Mobile Code: Non-Final Public Field
  • Private Array-Typed Field Returned From a Public Method
  • Public Data Assigned to Private Array-Typed Field
  • System Information Leak
  • Trust Boundary Violation

Reposted from: https://blog.51cto/huaweicainiao/2328458
