Fortify Scanning -- A Classification of Software Security Errors

Classification of software security errors

  • Input Validation and Representation
  • API Abuse
  • Security Features
  • Time and State
  • Errors
  • Code Quality
  • Encapsulation

1 Input Validation and Representation

Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Trusting input leads to security problems. The issues include buffer overflows, cross-site scripting attacks, SQL injection and many others.

| Category | Scan item |
| --- | --- |
| Input Validation and Representation | Buffer Overflow |
| Input Validation and Representation | Command Injection |
| Input Validation and Representation | Cross-Site Scripting |
| Input Validation and Representation | Format String |
| Input Validation and Representation | HTTP Response Splitting |
| Input Validation and Representation | Illegal Pointer Value |
| Input Validation and Representation | Integer Overflow |
| Input Validation and Representation | Log Forging |
| Input Validation and Representation | Path Manipulation |
| Input Validation and Representation | Process Control |
| Input Validation and Representation | Resource Injection |
| Input Validation and Representation | Setting Manipulation |
| Input Validation and Representation | SQL Injection |
| Input Validation and Representation | String Termination Error |
| Input Validation and Representation | Struts: Duplicate Validation Forms |
| Input Validation and Representation | Struts: Form Bean Does Not Extend Validation Class |
| Input Validation and Representation | Struts: Form Field Without Validator |
| Input Validation and Representation | Struts: Plug-in Framework Not In Use |
| Input Validation and Representation | Struts: Unused Validation Form |
| Input Validation and Representation | Struts: Unvalidated Action Form |
| Input Validation and Representation | Struts: Validator Turned Off |
| Input Validation and Representation | Struts: Validator Without Form Field |
| Input Validation and Representation | Unsafe JNI |
| Input Validation and Representation | Unsafe Reflection |
| Input Validation and Representation | XML Validation |

2 API Abuse

| Category | Scan item |
| --- | --- |
| API Abuse | Dangerous Function |
| API Abuse | Directory Restriction |
| API Abuse | Heap Inspection |
| API Abuse | J2EE Bad Practices: getConnection() |
| API Abuse | J2EE Bad Practices: Sockets |
| API Abuse | Often Misused: Authentication |
| API Abuse | Often Misused: Exception Handling |
| API Abuse | Often Misused: File System |
| API Abuse | Often Misused: Privilege Management |
| API Abuse | Often Misused: Strings |
| API Abuse | Unchecked Return Value |

3 Security Features

| Category | Scan item |
| --- | --- |
| Security Features | Insecure Randomness |
| Security Features | Least Privilege Violation |
| Security Features | Missing Access Control |
| Security Features | Password Management |
| Security Features | Password Management: Empty Password in Config File |
| Security Features | Password Management: Hard-Coded Password |
| Security Features | Password Management: Password in Config File |
| Security Features | Password Management: Weak Cryptography |
| Security Features | Privacy Violation |

4 Time and State

| Category | Scan item |
| --- | --- |
| Time and State | Deadlock |
| Time and State | Failure to Begin a New Session upon Authentication |
| Time and State | File Access Race Condition: TOCTOU |
| Time and State | Insecure Temporary File |
| Time and State | J2EE Bad Practices: System.exit() |
| Time and State | J2EE Bad Practices: Threads |
| Time and State | Signal Handling Race Conditions |

5 Errors

| Category | Scan item |
| --- | --- |
| Errors | Catch NullPointerException |
| Errors | Empty Catch Block |
| Errors | Overly-Broad Catch Block |
| Errors | Overly-Broad Throws Declaration |

6 Code Quality

| Category | Scan item |
| --- | --- |
| Code Quality | Double Free |
| Code Quality | Inconsistent Implementations |
| Code Quality | Memory Leak |
| Code Quality | Null Dereference |
| Code Quality | Obsolete |
| Code Quality | Undefined Behavior |
| Code Quality | Uninitialized Variable |
| Code Quality | Unreleased Resource |
| Code Quality | Use After Free |

7 Encapsulation

| Category | Scan item |
| --- | --- |
| Encapsulation | Comparing Classes by Name |
| Encapsulation | Data Leaking Between Users |
| Encapsulation | Leftover Debug Code |
| Encapsulation | Mobile Code: Object Hijack |
| Encapsulation | Mobile Code: Use of Inner Class |
| Encapsulation | Mobile Code: Non-Final Public Field |
| Encapsulation | Private Array-Typed Field Returned From a Public Method |
| Encapsulation | Public Data Assigned to Private Array-Typed Field |
| Encapsulation | System Information Leak |
| Encapsulation | Trust Boundary Violation |

Reposted from: https://blog.51cto.com/huaweicainiao/2328458
