The SANS Top 25 Most Dangerous Software Errors is a list, maintained here, of software weaknesses that carry a high risk of creating security issues. The list overlaps somewhat with the OWASP Top 10, and members of OWASP were involved in creating it.
When it comes to web applications, many of these software errors can be detected and protected against with web application protection, including the Alert Logic® web application firewall (WAF).
Insecure Interactions Between Components
| CWE ID | Name | Addressed via the Alert Logic WAF? |
|---|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command | Yes – also included in OWASP Top 10. Covered with negative rules (signatures) and positive rules (learning and tuning) |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command | Yes – also included in OWASP Top 10. Covered with negative rules (signatures) and positive rules (learning and tuning) |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) | Yes – also included in OWASP Top 10. Covered with negative rules (signatures) and positive rules (learning and tuning) |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | Somewhat – the WAF can limit upload sizes, and custom signatures can provide some additional coverage |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Yes – also included in OWASP Top 10. Covered with session validation (configuration and tuning) |
| CWE-601 | URL Redirection to Untrusted Site (Open Redirect) | Yes – also included in OWASP Top 10. Covered with redirect validation (configuration and tuning) |
Risky Resource Management
| CWE ID | Name | Covered by Alert Logic WAF? |
|---|---|---|
| CWE-120 | Buffer Copy without Checking Size of Input (Classic Buffer Overflow) | Attacks we can detect are covered with negative rules (signatures) |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | Attacks we can detect are covered with negative rules (signatures) |
| CWE-494 | Download of Code Without Integrity Check | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | Partially – remote file inclusion attacks are covered with negative rules (signatures) and validation |
| CWE-676 | Use of Potentially Dangerous Function | Not traditionally detectable in client-to-server traffic, unless via remote file inclusion. Coverage is achieved via the application learning engine and positive security model |
| CWE-131 | Incorrect Calculation of Buffer Size | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-134 | Uncontrolled Format String | Attacks we can detect are covered with negative rules (signatures) |
| CWE-190 | Integer Overflow or Wraparound | Likely can be covered with positive validation (configuration and tuning) |
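The distinction the tables draw between negative rules (signatures for known attack patterns, as for CWE-89 or CWE-22) and positive rules (a learned per-parameter profile, as for CWE-190) can be shown with a small request inspector. This is an added example, not Alert Logic's code: the signatures and the parameter profile are constructed samples, and a real learning engine would derive the profile from observed traffic rather than from a hand-written dictionary.

```python
import re

# Negative security model: signatures for known attack patterns.
# Constructed for this illustration; not a vendor rule set.
SIGNATURES = {
    "CWE-89 (SQL injection)": re.compile(
        r"\bor\b\s+\d+\s*=\s*\d+|\bunion\b\s+\bselect\b|--\s*$", re.I),
    "CWE-22 (path traversal)": re.compile(r"\.\./|%2e%2e%2f", re.I),
}

# Positive security model: a per-parameter profile of the kind a learning
# engine derives from normal traffic and an operator then tunes.
# Constructed sample profile for three query parameters.
PROFILE = {
    "id":  {"kind": "int", "min": 1, "max": 100000},
    "qty": {"kind": "int", "min": 1, "max": 99},
    "q":   {"kind": "str", "max_len": 64, "pattern": re.compile(r"^[\w .-]*$")},
}

def negative_check(value):
    """Return the names of all signatures that match the value."""
    return [name for name, rx in SIGNATURES.items() if rx.search(value)]

def positive_check(name, value):
    """Return why the value violates the learned profile, or None if it fits."""
    spec = PROFILE.get(name)
    if spec is None:
        return "unknown parameter"  # never seen during learning
    if spec["kind"] == "int":
        if not re.fullmatch(r"-?\d+", value):
            return "not an integer"
        n = int(value)
        if not spec["min"] <= n <= spec["max"]:
            return f"out of learned range {spec['min']}..{spec['max']}"
    else:
        if len(value) > spec["max_len"]:
            return "too long"
        if not spec["pattern"].match(value):
            return "unexpected characters"
    return None

def inspect(params):
    """Evaluate one request's query parameters under both models."""
    findings = []
    for name, value in params.items():
        for sig in negative_check(value):
            findings.append(f"{name}: signature {sig}")
        reason = positive_check(name, value)
        if reason:
            findings.append(f"{name}: profile violation ({reason})")
    return findings
```

Note that an oversized integer for CWE-190 matches no signature at all and is flagged only by the profile range, which is why the table marks that weakness as covered by positive validation rather than signatures.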
Porous Defenses
| CWE ID | Name | Covered by Alert Logic WAF? |
|---|---|---|
| CWE-306 | Missing Authentication for Critical Function | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-862 | Missing Authorization | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-798 | Use of Hard-Coded Credentials | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-311 | Missing Encryption of Sensitive Data | Web Security Manager can be used to encrypt traffic. Data masking rules can be applied to private data so that it is not included in any stored logs |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-250 | Execution with Unnecessary Privileges | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-863 | Incorrect Authorization | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-327 | Use of Broken or Risky Cryptographic Algorithm | Web Security Manager can be used to encrypt traffic with algorithms that are not broken or risky. Attacks may be detectable through log data with Log Manager |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |
| CWE-759 | Use of a One-Way Hash without a Salt | Not traditionally detectable in client-to-server traffic. Coverage is achieved via the application learning engine and positive security model |