Analyzing CWE Top 25 Programming Errors
Building secure infrastructure starts with awareness of the common security weaknesses and how attackers exploit them. That awareness helps protect software and products that are exposed to attack. From a security standpoint, these programming errors are weaknesses: flaws that allow an attacker to reduce the assurance the software was meant to provide.
To help developers ensure that their source code is free of these weaknesses, this page presents an overview of the CWE Top 25 programming error categorization.
The programming errors are grouped into three main categories:
1. Insecure Interaction between Components – errors arising from insecure communication between components such as modules, programs, processes, threads or systems
2. Risky Resource Management – errors related to improper creation, usage, transfer or destruction of resources
3. Porous Defenses – errors resulting from defensive techniques being misused, abused or ignored
Top 25 Programming Errors
1. Improper Neutralization of Special Elements Used In An SQL Command ('SQL Injection')
Root Cause: Occurs when attacker-controlled input is incorporated into the SQL text that the application sends to the database. If such queries sit behind security controls like authentication and the input is not kept separate from the query logic (for example through parameterized queries), an attacker can change the meaning of the query and bypass the control.
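The following is an added example, not code from the original page: a login check written twice against an in-memory SQLite database. The vulnerable version concatenates the username into the query, so a username ending in the SQL comment marker `--` removes the password check entirely; the safe version binds the same values as parameters. The user row, password and payload are constructed for the demo.

```python
import sqlite3

# Constructed demo account. Passwords are stored in clear text here only to keep
# the query logic visible; a real system stores salted password hashes.
DEMO_USER = "admin"
DEMO_PASSWORD = "correct horse battery staple"


def make_db():
    """Build an in-memory SQLite database with a single constructed user row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (DEMO_USER, DEMO_PASSWORD))
    conn.commit()
    return conn


def vulnerable_login(conn, username, password):
    """Builds the query by string formatting: attacker input becomes SQL syntax."""
    query = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(query).fetchone()[0] > 0


def safe_login(conn, username, password):
    """Uses bound parameters: the driver passes the values separately from the
    SQL text, so quotes and comment markers in the input never alter the query."""
    query = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone()[0] > 0


def demo():
    """Run both login functions against the classic comment-out payload."""
    conn = make_db()
    # The trailing '--' turns the rest of the WHERE clause into an SQL comment,
    # so the password comparison disappears from the concatenated query.
    payload = "admin' --"
    return {
        "vulnerable_bypassed": vulnerable_login(conn, payload, "wrong-password"),
        "safe_bypassed": safe_login(conn, payload, "wrong-password"),
        "safe_valid_login": safe_login(conn, DEMO_USER, DEMO_PASSWORD),
    }


if __name__ == "__main__":
    print(demo())
```

Input validation on its own is not the fix here: the parameterized query is what keeps data and code apart, and it does so regardless of what characters the input contains.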
2. Improper Neutralization Of Special Elements Used In An OS Command ('OS Command Injection')
Root Cause: Occurs when attacker-controlled input reaches a system-level command that the application executes. Because the injected commands run with the privileges of the application process, OS command injection can bypass the web application's entire access control model and give unauthorized access to sensitive functionality and data on the host.
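The following is an added example, not code from the original page. It calls `echo` as a stand-in for any utility that an application might run on a user-supplied file name. Passing a formatted string with `shell=True` lets `/bin/sh` interpret the `;` in the constructed file name as a command separator, while passing an argument list delivers the whole string as one argument and never invokes a shell. An allow-list check is shown as a second layer; the regular expression is an assumption for the demo, not a universal rule.

```python
import re
import subprocess

# Constructed attacker-controlled value: a file name carrying a shell
# metacharacter followed by a second command.
MALICIOUS_NAME = "report.txt; echo INJECTED"


def vulnerable_run(filename):
    """shell=True hands the concatenated string to /bin/sh, which parses ';' as
    a command separator and runs whatever the attacker appended."""
    result = subprocess.run(f"echo {filename}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def safe_run(filename):
    """An argument list bypasses the shell entirely: the whole string becomes a
    single argv element for 'echo' and is never parsed as a command."""
    result = subprocess.run(["echo", filename], capture_output=True, text=True)
    return result.stdout


# Assumed allow-list for this demo: short names made of a small character set.
SAFE_FILENAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def is_valid_filename(filename):
    """Defence in depth: reject anything outside the allow-list before it gets
    near a process boundary. The '..' check blocks path traversal that the
    character class alone would permit."""
    return SAFE_FILENAME.fullmatch(filename) is not None and ".." not in filename


def demo():
    return {
        "vulnerable_output": vulnerable_run(MALICIOUS_NAME),
        "safe_output": safe_run(MALICIOUS_NAME),
        "allowlist_rejects": not is_valid_filename(MALICIOUS_NAME),
        "allowlist_accepts": is_valid_filename("report.txt"),
    }


if __name__ == "__main__":
    print(demo())
```

In the vulnerable output the second line `INJECTED` is produced by a command the developer never wrote; in the safe output the metacharacters are just text.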
3. Buffer Overflow
Root Cause: Occurs when more data is copied into a buffer (a contiguous block of allocated memory) than the buffer can hold. The excess overwrites adjacent memory, which can corrupt control data and let an attacker inject and execute code that runs with the privileges of the vulnerable program.
4. Improper Neutralization Of Input During Web Page Generation ('Cross-Site Scripting')
Root Cause: Occurs when user-supplied input is sent back to the client inside a web page without being validated or escaped for the context in which it appears. The attack is a client-side code injection: the attacker's script runs in the victim's browser in the context of a legitimate website. This widespread weakness arises whenever the application embeds unencoded, unvalidated user input in the output it generates.
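The following is an added example, not code from the original page, showing why the encoding must match the output context. The same user input is rendered into an element body and into an attribute value; the vulnerable versions reflect it verbatim, the safe versions encode it with `html.escape`. The comment text and the attribute-breaking value are constructed payloads.

```python
import html

# Constructed attacker-supplied values.
BODY_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def render_comment_vulnerable(comment):
    """Reflects the input straight into the HTML body: the browser executes it."""
    return f'<p class="comment">{comment}</p>'


def render_comment_safe(comment):
    """Entity-encodes &, <, > (and quotes) so the input can only ever be text."""
    return f'<p class="comment">{html.escape(comment)}</p>'


def render_attr_vulnerable(value):
    """Reflects the input into an attribute value: a double quote closes the
    attribute and the attacker appends an event-handler attribute of their own."""
    return f'<input type="text" value="{value}">'


def render_attr_safe(value):
    """html.escape(quote=True) also encodes ' and \", which the attribute
    context requires on top of the & < > encoding used in the body."""
    return f'<input type="text" value="{html.escape(value, quote=True)}">'


def demo():
    return {
        "body_vulnerable": render_comment_vulnerable(BODY_PAYLOAD),
        "body_safe": render_comment_safe(BODY_PAYLOAD),
        "attr_vulnerable": render_attr_vulnerable(ATTR_PAYLOAD),
        "attr_safe": render_attr_safe(ATTR_PAYLOAD),
    }


if __name__ == "__main__":
    for name, markup in demo().items():
        print(f"{name}: {markup}")
```

In practice a templating engine with auto-escaping enabled does this encoding by default; JavaScript, URL and CSS contexts each need their own encoder, and HTML entity encoding alone is not sufficient for them.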
5. Missing Authentication For Critical Function
Root Cause: Occurs when the software performs no authentication at all for functionality that requires a proven user identity or that consumes a significant amount of resources.
6. Missing Authorization
Root Cause: Occurs when the software does not check whether the current user is permitted to perform an action or access a resource before carrying it out. Users are therefore able to perform actions or reach resources that should be denied to them, which can lead to denial of service, information exposure or arbitrary code execution.
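The following is an added example, not code from the original page, covering both the missing-authentication and the missing-authorization cases above. A small constructed request object carries the caller's identity and roles; one handler deletes accounts with no check at all, while the guarded handlers use two decorators: `requires_auth` refuses anonymous callers, and `requires_role` additionally demands a specific role. The user store, request model and role names are assumptions for the demo.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Optional, Set


@dataclass
class Request:
    """Constructed request: who is calling (None means unauthenticated) and
    which roles the authenticated session carries."""
    user: Optional[str] = None
    roles: Set[str] = field(default_factory=set)


def requires_auth(handler):
    """Fix for Missing Authentication: refuse callers with no verified identity."""
    @wraps(handler)
    def wrapper(request, *args, **kwargs):
        if request.user is None:
            raise PermissionError("authentication required")
        return handler(request, *args, **kwargs)
    return wrapper


def requires_role(role):
    """Fix for Missing Authorization: being logged in is not enough, the caller
    must hold the role the action demands. The authentication check is repeated
    so the decorator is safe to use on its own."""
    def decorator(handler):
        @wraps(handler)
        def wrapper(request, *args, **kwargs):
            if request.user is None:
                raise PermissionError("authentication required")
            if role not in request.roles:
                raise PermissionError(f"role '{role}' required")
            return handler(request, *args, **kwargs)
        return wrapper
    return decorator


USERS = {"alice", "bob", "admin"}  # constructed user store


def delete_user_vulnerable(request, target):
    """No check at all: anyone who can reach the endpoint deletes accounts."""
    USERS.discard(target)
    return f"deleted {target}"


@requires_auth
def get_profile_safe(request, target):
    """Needs a logged-in caller, but any authenticated user may read profiles."""
    return f"profile of {target}"


@requires_role("admin")
def delete_user_safe(request, target):
    """Needs a logged-in caller who also holds the 'admin' role."""
    USERS.discard(target)
    return f"deleted {target}"


def attempt(handler, request, target):
    """Return the outcome as a string so the behaviours can be compared."""
    try:
        return handler(request, target)
    except PermissionError as exc:
        return f"denied: {exc}"


if __name__ == "__main__":
    print(attempt(delete_user_vulnerable, Request(), "alice"))
    print(attempt(delete_user_safe, Request(), "bob"))
    print(attempt(delete_user_safe, Request(user="bob", roles={"user"}), "alice"))
    print(attempt(delete_user_safe, Request(user="carol", roles={"admin"}), "bob"))
```

The decorators make the check part of the handler's definition rather than something each call site has to remember, which is how this class of omission is usually prevented in real frameworks.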
7. Use Of Hard-Coded Credentials
Root Cause: Occurs when the software contains hard-coded credentials, such as passwords or cryptographic keys, used for inbound authentication, outbound communication with external components, or encryption of internal data. Because the secret is identical in every copy of the software and can be recovered by anyone with access to the code or binary, hard-coded credentials open a hole that lets attackers bypass the authentication the administrator has configured, and the secret cannot be rotated without shipping a new version.
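The following is an added example, not code from the original page. It contrasts an API token check against a constant baked into the source with one that loads the secret from the environment at run time and compares it in constant time. The `env` parameter exists so the lookup can be exercised with a constructed mapping; the placeholder key value and the `API_KEY` variable name are assumptions for the demo.

```python
import hmac
import os
from typing import Mapping, Optional

# Hard-coded secret (constructed placeholder): identical in every build, visible
# to anyone with the binary or the repository history, and impossible to rotate
# without a new release.
API_KEY_HARDCODED = "sk_live_EXAMPLE_do_not_do_this"


def check_token_vulnerable(presented: str) -> bool:
    """Compares against a constant in the source with '==', which additionally
    leaks timing information about how many leading bytes matched."""
    return presented == API_KEY_HARDCODED


def load_secret(name: str, env: Optional[Mapping[str, str]] = None) -> str:
    """Read a secret from the environment (a secret manager in production) when
    it is needed. Fail closed if it is absent instead of falling back to a
    built-in default, which would just be a hard-coded credential again."""
    source = os.environ if env is None else env
    value = source.get(name)
    if not value:
        raise RuntimeError(f"secret {name!r} is not configured")
    return value


def secret_is_configured(name: str, env: Optional[Mapping[str, str]] = None) -> bool:
    try:
        load_secret(name, env)
        return True
    except RuntimeError:
        return False


def check_token_safe(presented: str, env: Optional[Mapping[str, str]] = None) -> bool:
    """Compare in constant time against a secret that lives outside the code."""
    expected = load_secret("API_KEY", env)
    return hmac.compare_digest(presented.encode("utf-8"), expected.encode("utf-8"))


if __name__ == "__main__":
    demo_env = {"API_KEY": "constructed-runtime-secret"}
    print(check_token_safe("constructed-runtime-secret", demo_env))
    print(check_token_safe("guess", demo_env))
    print(secret_is_configured("API_KEY", {}))
```

Moving the secret out of the code is the essential step; the constant-time comparison is a separate, smaller hardening that the `==` version also lacks.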
8. Missing Encryption Of Sensitive Data