View-1008: Architectural Concepts

ID: 1008

Type: Graph

Status: Incomplete

Objective

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Audience

Software Designers

Software designers may find this view useful as the weaknesses are organized by known security tactics, aiding the designer in embedding security throughout the design process instead of discovering weaknesses after the software has been built.

Educators

Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made.

Membership

CWE-ID	title
CWE-1009	审计
CWE-1010	验证参与者
CWE-1011	授权参与者
CWE-1012	交叉切割
CWE-1013	加密数据
CWE-1014	识别参与者
CWE-1015	限制访问
CWE-1016	限制暴露
CWE-1017	锁定计算机
CWE-1018	管理用户会话
CWE-1019	输入验证
CWE-1020	验证消息完整性

Notes

Other

The top level categories in this view represent the individual tactics that are part of a secure-by-design approach to software development. The weaknesses that are members of each category contain information about how each is introduced relative to the software's architecture. Three different modes of introduction are used: Omission - caused by missing a security tactic when it is necessary. Commission - refers to incorrect choice of tactics which could result in undesirable consequences. Realization - appropriate security tactics are adopted but are incorrectly implemented.

Maintenance

This view is under development, and subsequent releases will focus on reviewing the individual weaknesses to verify their inclusion in this view and adding any applicable ChildOf relationships. Comments about revisions are welcome.

引用

REF-9 A Catalog of Security Architecture Weaknesses.
REF-10 Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird.

文章来源于互联网:scap中文网