CWE-655 不充分的心理学可接受性

admin 2021年11月6日14:51:03评论75 views字数 1924阅读6分24秒阅读模式

CWE-655 不充分的心理学可接受性

Insufficient Psychological Acceptability

结构: Simple

Abstraction: Base

状态: Draft

被利用可能性: unkown

基本描述

The software has a protection mechanism that is too difficult or inconvenient to use, encouraging non-malicious users to disable or bypass the mechanism, whether by accident or on purpose.

相关缺陷

  • cwe_Nature: ChildOf cwe_CWE_ID: 657 cwe_View_ID: 1000 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 657 cwe_View_ID: 699 cwe_Ordinal: Primary

  • cwe_Nature: ChildOf cwe_CWE_ID: 693 cwe_View_ID: 1000

适用平台

Language: {'cwe_Class': 'Language-Independent', 'cwe_Prevalence': 'Undetermined'}

常见的影响

范围 影响 注释
Access Control Bypass Protection Mechanism By bypassing the security mechanism, a user might leave the system in a less secure state than intended by the administrator, making it more susceptible to compromise.

可能的缓解方案

Testing

策略:

Where possible, perform human factors and usability studies to identify where your product's security mechanisms are difficult to use, and why.

Architecture and Design

策略:

Make the security mechanism as seamless as possible, while also providing the user with sufficient details when a security decision produces unexpected results.

示例代码

In "Usability of Security: A Case Study" [REF-540], the authors consider human factors in a cryptography product. Some of the weakness relevant discoveries of this case study were: users accidentally leaked sensitive information, could not figure out how to perform some tasks, thought they were enabling a security option when they were not, and made improper trust decisions.

Enforcing complex and difficult-to-remember passwords that need to be frequently changed for access to trivial resources, e.g., to use a black-and-white printer. Complex password requirements can also cause users to store the passwords in an unsafe manner so they don't have to remember them, such as using a sticky note or saving them in an unencrypted file.

Some CAPTCHA utilities produce images that are too difficult for a human to read, causing user frustration.

Notes

引用

文章来源于互联网:scap中文网

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2021年11月6日14:51:03
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   CWE-655 不充分的心理学可接受性http://cn-sec.com/archives/613649.html

发表评论

匿名网友 填写信息