View-1008: Architectural Concepts
ID: 1008
Type: Graph
Status: Incomplete
Objective
This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be made when designing software.
Audience
Software Designers
Software designers may find this view useful as the weaknesses are organized by known security tactics, aiding the designer in embedding security throughout the design process instead of discovering weaknesses after the software has been built.
Educators
Educators may use this view as reference material when discussing security by design or architectural weaknesses, and the types of mistakes that can be made.
Membership
| CWE-ID | title |
|---|---|
| CWE-1009 | 审计 |
| CWE-1010 | 验证参与者 |
| CWE-1011 | 授权参与者 |
| CWE-1012 | 交叉切割 |
| CWE-1013 | 加密数据 |
| CWE-1014 | 识别参与者 |
| CWE-1015 | 限制访问 |
| CWE-1016 | 限制暴露 |
| CWE-1017 | 锁定计算机 |
| CWE-1018 | 管理用户会话 |
| CWE-1019 | 输入验证 |
| CWE-1020 | 验证消息完整性 |
Notes
Other
The top level categories in this view represent the individual tactics that are part of a secure-by-design approach to software development. The weaknesses that are members of each category contain information about how each is introduced relative to the software's architecture. Three different modes of introduction are used: Omission - caused by missing a security tactic when it is necessary. Commission - refers to incorrect choice of tactics which could result in undesirable consequences. Realization - appropriate security tactics are adopted but are incorrectly implemented.
Maintenance
This view is under development, and subsequent releases will focus on reviewing the individual weaknesses to verify their inclusion in this view and adding any applicable ChildOf relationships. Comments about revisions are welcome.
引用
REF-9 A Catalog of Security Architecture Weaknesses. REF-10 Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird.