Classify the top 25 software weaknesses described below as to whether or not int
ID: 3581466 • Letter: C
Question
Classify the top 25 software weaknesses described below as to whether or not integrity recognition methods could prevent them, and if so what methods.
[1] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[2] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[4] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[5] CWE-306: Missing Authentication for Critical Function
[6] CWE-862: Missing Authorization
[7] CWE-798: Use of Hard-coded Credentials
[8] CWE-311: Missing Encryption of Sensitive Data
[9] CWE-434: Unrestricted Upload of File with Dangerous Type
[10] CWE-807: Reliance on Untrusted Inputs in a Security Decision
[11] CWE-250: Execution with Unnecessary Privileges
[12] CWE-352: Cross-Site Request Forgery (CSRF)
[13] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14] CWE-494: Download of Code Without Integrity Check
[15] CWE-863: Incorrect Authorization
[16] CWE-829: Inclusion of Functionality from Untrusted Control Sphere
[17] CWE-732: Incorrect Permission Assignment for Critical Resource
[18] CWE-676: Use of Potentially Dangerous Function
[19] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
[20] CWE-131: Incorrect Calculation of Buffer Size
[21] CWE-307: Improper Restriction of Excessive Authentication Attempts
[22] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
[23] CWE-134: Uncontrolled Format String
[24] CWE-190: Integer Overflow or Wraparound
[25] CWE-759: Use of a One-Way Hash without a Salt
Explanation / Answer
[1] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- This method could be detected using automated static analysis tools. Effectiveness will be high.
- Manual Analysis can also be used to detect the weakness.
[2] CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- This method could be detected using automated static analysis tools. Effectiveness will be high.
- Manual Static Analysis can also be used to detect the weakness.
- Automated Dynamic Analysis can also be used.
[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
- This method could be detected using automated static analysis tools. Effectiveness will be high.
- Manual Analysis can also be used to detect the weakness.
- Automated Dynamic Analysis can also be used.
[4] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
- Automated Static Analysis can be used to detect the weakness. Effectiveness will be moderate.
- Black Box Method. Effectiveness will be moderate.
[5] CWE-306: Missing Authentication for Critical Function
- Manual Analysis can also be used to detect the weakness.
- Automated Static Analysis can be used to detect the weakness. Effectiveness will be limited.
[6] CWE-862: Missing Authorization
- Automated Static Analysis can be used to detect the weakness. Effectiveness will be limited.
- Manual Analysis can also be used to detect the weakness. Effectiveness will be moderate.
[7] CWE-798: Use of Hard-coded Credentials
- Black Box Method. Effectiveness will be moderate.
- Manual Static Analysis can also be used to detect the weakness.
[8] CWE-311: Missing Encryption of Sensitive Data
- Manual Analysis can also be used to detect the weakness. Effectiveness will be high.
- Automatic Analysis can also be used to detect the weakness.
- Manual Static Analysis - Binary / Bytecode.
[9] CWE-434: Unrestricted Upload of File with Dangerous Type
- Dynamic Analysis with automated results interpretation. Effectiveness will be SOAR partial.
- Manual Static Analysis - Source Code. Effectiveness will be SOAR high.
[10] CWE-807: Reliance on Untrusted Inputs in a Security Decision
- Manual Static Analysis can also be used to detect the weakness. Effectiveness will be high.
- Automated Static Analysis - Binary / Bytecode. Effectiveness will be SOAR partial.
[11] CWE-250: Execution with Unnecessary Privileges
- Manual Analysis can be used to detect the weakness.
- Black Box Method.
[12] CWE-352: Cross-Site Request Forgery (CSRF)
- Manual Analysis can also be used to detect the weakness. Effectiveness will be high.
- Automated Static Analysis can also be used to detect the weakness. Effectiveness will be limited.
[13] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Automated Static Analysis can also be used to detect the weakness. Effectiveness will be high.
- Manual Static Analysis can also be used to detect the weakness. Effectiveness will be high.
[14] CWE-494: Download of Code Without Integrity Check
- Manual Analysis can be used to detect the weakness.
- Black Box Method.
[15] CWE-863: Incorrect Authorization
- Automated Static Analysis can also be used to detect the weakness. Effectiveness will be limited.
- Automated Dynamic Analysis method.
[16] CWE-829: Inclusion of Functionality from Untrusted Control Sphere
- Automated Static Analysis - Binary / Bytecode. Effectiveness will be SOAR partial.
- Manual Static Analysis - Binary / Bytecode. Effectiveness will be SOAR partial.
[17] CWE-732: Incorrect Permission Assignment for Critical Resource
- Automated Static Analysis
- Automated Dynamic Analysis
- Manual Analysis can also be used to detect the weakness.
[18] CWE-676: Use of Potentially Dangerous Function
- Automated Static Analysis - Binary / Bytecode. Effectiveness will be SOAR high.
- Manual Static Analysis - Binary / Bytecode. Effectiveness will be SOAR partial.
[19] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- Automatic Analysis can be used to detect the weakness. Effectiveness will be moderate.
- Manual Analysis can also be used to detect the weakness.
[20] CWE-131: Incorrect Calculation of Buffer Size
- Automated Static Analysis - Binary / Bytecode. Effectiveness will be high.
- Automated Dynamic Analysis. Effectiveness will be moderate.
[21] CWE-307: Improper Restriction of Excessive Authentication Attempts
- Dynamic Analysis with automated results interpretation. Effectiveness will be SOAR high.
- Dynamic Analysis with manual results interpretation. Effectiveness will be SOAR high.
[22] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
- Manual Static Analysis - Binary / Bytecode. Effectiveness will be high.
- Automated Dynamic Analysis.
[23] CWE-134: Uncontrolled Format String
- Automated Static Analysis.
- Black Box. Effectiveness will be limited.
[24] CWE-190: Integer Overflow or Wraparound
- Automated Static Analysis - Binary / Bytecode. Effectiveness will be high.
- Black Box. Effectiveness will be moderate.
[25] CWE-759: Use of a One-Way Hash without a Salt
- Automated Static Analysis - Binary / Bytecode. Effectiveness will be SOAR partial.
- Manual Static Analysis - Binary / Bytecode. Effectiveness will be SOAR partial.
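As an added illustration of the integrity check the question asks about (example code, not part of the original answer): the Python below verifies a downloaded artifact against a digest pinned in a sha256sum-style manifest before it is used, which is the control that CWE-494 (item 14) describes as missing. The manifest format, file name and artifact bytes are constructed samples.

```python
import hashlib
import hmac
from typing import Dict

# Constructed sample: a "downloaded" artifact plus a pinned manifest in
# sha256sum format ("<hex digest>  <filename>"), as a publisher would ship it.
ARTIFACT_NAME = "plugin.tar.gz"
ARTIFACT_BYTES = b"fake plugin archive contents (constructed sample)\n"
MANIFEST_TEXT = "\n".join([
    hashlib.sha256(ARTIFACT_BYTES).hexdigest() + "  " + ARTIFACT_NAME,
    "0" * 64 + "  other.tar.gz",
]) + "\n"


def parse_manifest(text: str) -> Dict[str, str]:
    """Parse sha256sum-style lines into {filename: hex digest}; reject malformed lines."""
    pinned = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition("  ")
        name = name.lstrip("*")  # sha256sum marks binary-mode entries with '*'
        if len(digest) != 64 or not name:
            raise ValueError("malformed manifest line: %r" % line)
        pinned[name] = digest.lower()
    return pinned


def verify_download(name: str, data: bytes, manifest: Dict[str, str]) -> bool:
    """Return True only if data matches the digest pinned for name.

    A missing manifest entry is a failure, not a pass: having no pin at all
    is exactly the CWE-494 condition.
    """
    expected = manifest.get(name)
    if expected is None:
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time comparison so timing does not reveal how much of the digest matched.
    return hmac.compare_digest(actual, expected)


def install_if_verified(name: str, data: bytes, manifest_text: str) -> str:
    """Gate the 'install' step on verification; returns the action taken."""
    if verify_download(name, data, parse_manifest(manifest_text)):
        return "installed"
    return "rejected"


if __name__ == "__main__":
    print(install_if_verified(ARTIFACT_NAME, ARTIFACT_BYTES, MANIFEST_TEXT))
    print(install_if_verified(ARTIFACT_NAME, ARTIFACT_BYTES + b"tampered", MANIFEST_TEXT))
```

Running it prints `installed` for the intact artifact and `rejected` for the tampered copy; an artifact absent from the manifest is rejected as well.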