CWE-655 不充分的心理学可接受性

  • A+
所属分类:CWE(弱点枚举)

CWE-655 不充分的心理学可接受性

Insufficient Psychological Acceptability

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 657 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 657 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 693 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Access Control Bypass Protection Mechanism By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.

可能的缓解方案

Testing

策略:

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

Architecture and Design

策略:

Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.

示例代码

In "Usability of Security: A Case Study" [REF-540], the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions.

Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file.

Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration.

Notes

引用

文章来源于互联网:scap中文网

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: