Fortify扫描 -- 软件安全错误的分类

软件安全错误分类

• Input Validation and Representation: 输入验证和表示
• API Abuse: API滥用
• Security Features: 安全功能
• Time and State: 时间和国家
• Errors: 错误
• Code Quality: 代码质量
• Encapsulation: 封装

1 Input Validation and Representation(输入验证和表示)

输入验证和表示问题是由元字符，备用编码和数字表示引起的。 信任输入导致安全问题。 问题包括：缓冲区溢出，跨站点脚本***，SQL注入以及许多其他问题

功能模块	扫描项
Input Validation and Representation	Buffer Overflow
Input Validation and Representation	Command Injection
Input Validation and Representation	Cross-Site Scripting
Input Validation and Representation	Format String
Input Validation and Representation	HTTP Response Splitting
Input Validation and Representation	Illegal Pointer Value
Input Validation and Representation	Integer Overflow
Input Validation and Representation	Log Forging
Input Validation and Representation	Path Manipulation
Input Validation and Representation	Process Control
Input Validation and Representation	Resource Injection
Input Validation and Representation	Setting Manipulation
Input Validation and Representation	SQL Injection
Input Validation and Representation	String Termination Error
Input Validation and Representation	Struts: Duplicate Validation Forms
Input Validation and Representation	Struts: Form Bean Does Not Extend Validation Class
Input Validation and Representation	Struts: Form Field Without Validator
Input Validation and Representation	Struts: Plug-in Framework Not In Use
Input Validation and Representation	Struts: Unused Validation Form
Input Validation and Representation	Struts: Unvalidated Action Form
Input Validation and Representation	Struts: Validator Turned Off
Input Validation and Representation	Struts: Validator Without Form Field
Input Validation and Representation	Unsafe JNI
Input Validation and Representation	Unsafe Reflection
Input Validation and Representation	XML Validation

2 API Abuse

功能模块	扫描项
API Abuse	Dangerous Function
API Abuse	Directory Restriction
API Abuse	Heap Inspection
API Abuse	J2EE Bad Practices: getConnection()
API Abuse	J2EE Bad Practices: Sockets
API Abuse	Often Misused: Authentication
API Abuse	Often Misused: Exception Handling
API Abuse	Often Misused: File System
API Abuse	Often Misused: Privilege Management
API Abuse	Often Misused: Strings
API Abuse	Unchecked Return Value

3 Security Features

功能模块	扫描项
Security Features	Insecure Randomness
Security Features	Least Privilege Violation
Security Features	Missing Access Control
Security Features	Password Management
Security Features	Password Management: Empty Password in Config File
Security Features	Password Management: Hard-Coded Password
Security Features	Password Management: Password in Config File
Security Features	Password Management: Weak Cryptography
Security Features	Privacy Violation

4 Time and State

功能模块	扫描项
Time and State	Deadlock
Time and State	Failure to Begin a New Session upon Authentication
Time and State	File Access Race Condition: TOCTOU
Time and State	Insecure Temporary File
Time and State	J2EE Bad Practices: System.exit()
Time and State	J2EE Bad Practices: Threads
Time and State	Signal Handling Race Conditions

5 Errors

功能模块	扫描项
Errors	Catch NullPointerException
Errors	Empty Catch Block
Errors	Overly-Broad Catch Block
Errors	Overly-Broad Throws Declaration

6 Code Quality

功能模块	扫描项
Code Quality	Double Free
Code Quality	Inconsistent Implementations
Code Quality	Memory Leak
Code Quality	Null Dereference
Code Quality	Obsolete
Code Quality	Undefined Behavior
Code Quality	Uninitialized Variable
Code Quality	Unreleased Resource
Code Quality	Use After Free

7 Encapsulation

功能模块	扫描项
Encapsulation	Comparing Classes by Name
Encapsulation	Data Leaking Between Users
Encapsulation	Leftover Debug Code
Encapsulation	Mobile Code: Object Hijack
Encapsulation	Mobile Code: Use of Inner Class
Encapsulation	Mobile Code: Non-Final Public Field
Encapsulation	Private Array-Typed Field Returned From a Public Method
Encapsulation	Public Data Assigned to Private Array-Typed Field
Encapsulation	System Information Leak
Encapsulation	Trust Boundary Violation

转载于:https://blog.51cto.com/huaweicainiao/2328458