4: Insecure Design

A secure design can still have implementation defects that lead to exploitable vulnerabilities. An insecure design, however, cannot be fixed by a perfect implementation because, by definition, the security controls needed to defend against specific attacks were never created. One of the factors that contributes to insecure design is the lack of a business risk profile inherent to the software or system being developed, and consequently the inability to determine what level of security design is required.

List of Mapped CWEs

CWE-73 External Control of File Name or Path

CWE-183 Permissive List of Allowed Inputs

CWE-209 Generation of Error Message Containing Sensitive Information

CWE-213 Exposure of Sensitive Information Due to Incompatible Policies

CWE-235 Improper Handling of Extra Parameters

CWE-256 Unprotected Storage of Credentials

CWE-257 Storing Passwords in a Recoverable Format

CWE-266 Incorrect Privilege Assignment

CWE-269 Improper Privilege Management

CWE-280 Improper Handling of Insufficient Permissions or Privileges

CWE-311 Missing Encryption of Sensitive Data

CWE-312 Cleartext Storage of Sensitive Information

CWE-313 Cleartext Storage in a File or on Disk

CWE-316 Cleartext Storage of Sensitive Information in Memory

CWE-419 Unprotected Primary Channel

CWE-430 Deployment of Wrong Handler

CWE-434 Unrestricted Upload of File with Dangerous Type

CWE-444 Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')

CWE-451 User Interface (UI) Misrepresentation of Critical Information

CWE-472 External Control of Assumed-Immutable Web Parameter

CWE-501 Trust Boundary Violation

CWE-522 Insufficiently Protected Credentials

CWE-525 Use of Web Browser Cache Containing Sensitive Information

CWE-539 Use of Persistent Cookies Containing Sensitive Information

CWE-579 J2EE Bad Practices: Non-serializable Object Stored in Session

CWE-598 Use of GET Request Method With Sensitive Query Strings

CWE-602 Client-Side Enforcement of Server-Side Security

CWE-642 External Control of Critical State Data

CWE-646 Reliance on File Name or Extension of Externally-Supplied File

CWE-650 Trusting HTTP Permission Methods on the Server Side

CWE-653 Insufficient Compartmentalization

CWE-656 Reliance on Security Through Obscurity

CWE-657 Violation of Secure Design Principles

CWE-799 Improper Control of Interaction Frequency

CWE-807 Reliance on Untrusted Inputs in a Security Decision

CWE-840 Business Logic Errors

CWE-841 Improper Enforcement of Behavioral Workflow

CWE-927 Use of Implicit Intent for Sensitive Communication

CWE-1021 Improper Restriction of Rendered UI Layers or Frames

CWE-1173 Improper Use of Validation Framework

Resources