View-1008: Architectural Concepts

ID: 1008

Type: Graph

Status: Incomplete

Objective

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.

Audience

Software Designers

Software designers may find this view useful as the weaknesses are organized by known security tactics, aiding the designer in embedding security throughout the design process instead of discovering weaknesses after the software has been built.

Educators

Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made.

Membership

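CWE-ID Title
CWE-1009 Audit
CWE-1010 Authenticate Actors
CWE-1011 Authorize Actors
CWE-1012 Cross Cutting
CWE-1013 Encrypt Data
CWE-1014 Identify Actors
CWE-1015 Limit Access
CWE-1016 Limit Exposure
CWE-1017 Lock Computer
CWE-1018 Manage User Sessions
CWE-1019 Validate Inputs
CWE-1020 Verify Message Integrity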

Notes

Other

The top level categories in this view represent the individual tactics that are part of a secure-by-design approach to software development. The weaknesses that are members of each category contain information about how each is introduced relative to the software's architecture. Three different modes of introduction are used:

Omission - caused by missing a security tactic when it is necessary.

Commission - refers to incorrect choice of tactics which could result in undesirable consequences.

Realization - appropriate security tactics are adopted but are incorrectly implemented.

Maintenance

This view is under development, and subsequent releases will focus on reviewing the individual weaknesses to verify their inclusion in this view and adding any applicable ChildOf relationships. Comments about revisions are welcome.
