RC
Uploaded byRebecca Craine
PPTX, PDF76 views

Common Sofftware Errors

FindBugs uses static analysis to inspect Java bytecode for bug patterns without executing the program. It looks for bugs that arise from difficult language features, API misuse, code modifications, and mistakes. The tool matches Common Weakness Enumerations including SQL injection and deserialization of untrusted data. The Java decompiler aims to decompile Java bytecode from version 5 and later. It has different options for command line use, a graphical user interface, and plugins for Eclipse and IntelliJ IDEs. The GUI allows browsing source code from .class files. Common weaknesses in Java that could be exploited include null pointer exception handling, trust of system events without authentication, race conditions from improper synchronization, omitted break statements

Embed presentation

Download to read offline
REG By: Nicole Gaehle, Omar Salih, Katrina Clark, Will Smith, and Rebecca Craine
FindBugs
Tool: FindBugs ➢ FindBugs uses static analysis to inspect Java bytecode for occurrences of bug patterns. Static analysis means that FindBugs can find bugs by simply inspecting a program's code: executing the program is not necessary. ➢ FindBugs looks for bugs in Java programs. It is based on the concept of bug patterns. A bug pattern is a code idiom that is often an error. Bug patterns arise for a variety of reasons: ➢ Difficult language features ➢ Misunderstood API methods ➢ Misunderstood invariants when code is modified during maintenance ➢ Garden variety mistakes: typos, use of the wrong boolean operator ➢ Matched the following CWEs: ○ 89 ○ 395 ○ 502
Java Decompiler
Tool: Java Decompiler ➢ The java decompiler aims to develop tools in order to decompile and analyze Java 5 “byte code” and later versions. ➢ It has four different options in which you can download to utilize the tool: ○ JD-Core ○ JD-GUI ○ JD-Eclipse ○ JD-IntelliJ ➢ JD-GUI: ○ - a standalone graphical utility that displays Java source codes of “.class” files. Ability to browse the
14 CWEs on Java 1. CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference** 2. CWE-360: Trust of System Event Data** 3. CWE-821: Incorrect Synchronization** 4. CWE-484: Omitted Break Statement in Switch** 5. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')** 6. CWE-545: Use of Dynamic Class Loading** 7. CWE-502: Deserialization of Untrusted Data** 8. CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 9. CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context 10. CWE-103: Struts: Incomplete validate() Method Definition 11. CWE-497: Exposure of System Data to an Unauthorized Control Sphere 12. CWE-299: Improper Check for Certificate Revocation 13. CWE-496: Public Data Assigned to Private Array-Typed Field 14. CWE-767 Access to Critical Private Variable via Public Method **Notes Exploits Shown in Presentation
CWEs: How to Exploit CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference ➢NullPointerException has the potential to be malicious since a programmer should not be running into this code. ➢This is only acceptable if the code is part of a test harness that supplies unexpected input to the classes under test. ➢It is a bad practice to catch NullPointerException due to the fact that a program explicitly throws a NullPointerException to signal an error condition. https://cwe.mitre.org/data/definitions/395.html https://www.owasp.org/index.php/Catch_NullPointerException
Example of CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference
CWEs: How to Exploit CWE-360: Trust of System Event Data ➢This can simply be malicious to the end-user because events cannot be trusted. ➢Events often does not have any type of authentication framework to allow them to be verified from a trusted source. ➢One should not trust the system-event information because if commands are executed based on trust then they could potentially take actions based on a spoofed identity. https://cwe.mitre.org/data/definitions/360.html
Example of CWE 360: Trust of System Event Data
CWEs: How to Exploit CWE-821: Incorrect Synchronization ➢The software utilizes a shared resource in a concurrent manner but it does not correctly synchronize access to the resource. ➢It modifies and reads the applications data and alters the execution logic. Basically it affects integrity and confidentiality. ➢It can be malicious if the attacker can influence the source code the end-user is sharing. https://cwe.mitre.org/data/definitions/821.html
Example of CWE-821: Incorrect Synchronization
CWEs: How to Exploit CWE-484: Omitted Break Statement in Switch ➢Write a switch statement ➢Don’t include a switch or break statement between cases. ➢This will cause the code to execute on multiple conditions instead of one which can cause malicious code to be inserted Bad Code: Good Code:
Example of CWE-484: Omitted Break Statement in Switch
CWEs: How to Exploit CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ➢SQL injection used to modify a web site to serve malicious code ➢Can bypass the requirement to only return items owned by authenticated user ➢Shell command execution in MS SQL http://cwe.mitre.org/data/definitions/89.html
Example of CWE 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWEs: How to Exploit CWE-545: Use of Dynamic Class Loading ➢Dynamically loaded code has the potential to be malicious. ➢When it can be introduced in the architecture and design and implementation. ➢Avoid the use of class loading as it complicates code analysis. https://cwe.mitre.org/data/definitions/545.html
Example of CWE-545 Dynamic Class Loading
CWEs: How to Exploit CWE-502: Deserialization of Untrusted Data ➢This exploit deserializes untrusted data without sufficiently verifying that the resulting data will be valid. ➢Exploit can be introduced during Architecture, Design and Implementation ➢To avoid security issues with the data a hash-based message authentication code could be used to ensure that data has not been modified. https://cwe.mitre.org/data/definitions/502.htmlBad Code Good Code
Example of CWE - 502 Deserialization of Untrusted Data
Conclusion ➢Everything has a vulnerability, weakness, or bug that can be exploited. ➢BE CAREFUL WITH WHAT YOU DO!!!!!!!!!! ➢Questions?

More Related Content

PPTX
Python selenium
byDucat
 
PPTX
Reverse Engineering Project
byNicole Gaehle, MSIST
 
PDF
Breaking The Framework's Core #PHPKonf 2016
byMehmet Ince
 
PDF
Python Testing 101 with Selenium
byLeonardo Jimenez
 
PPTX
Secure Programming In Php
byAkash Mahajan
 
PPTX
jDriver Presentation
byfreelancer_testautomation
 
PPT
[Php Camp]Owasp Php Top5+Csrf
byBipin Upadhyay
 
PDF
Metasploit primary
byn|u - The Open Security Community
 
Python selenium
byDucat
 
Reverse Engineering Project
byNicole Gaehle, MSIST
 
Breaking The Framework's Core #PHPKonf 2016
byMehmet Ince
 
Python Testing 101 with Selenium
byLeonardo Jimenez
 
Secure Programming In Php
byAkash Mahajan
 
jDriver Presentation
byfreelancer_testautomation
 
[Php Camp]Owasp Php Top5+Csrf
byBipin Upadhyay
 
Metasploit primary
byn|u - The Open Security Community
 

What's hot

PPT
Selenium
byKalyan ch
 
PPT
Selenium
byRuturaj Doshi
 
ODP
Automated UI testing with Selenium
byYuriy Gerasimov
 
PDF
Jenkins with SonarQube
bySomkiat Puisungnoen
 
DOCX
Selenium interview Q&A
byPavan Kumar
 
ODP
Automated UI testing. Selenium. DrupalCamp Kyiv 2011
byYuriy Gerasimov
 
PPT
Selenium ppt
byPavan Kumar
 
PDF
Selenium Tutorial
byprad_123
 
PPTX
Selenium- A Software Testing Tool
byZeba Tahseen
 
PDF
Automatic Functional Testing with Selenium and SauceLabs
byJoseph Chiang
 
PDF
Selenium Test Automation - Challenges
byArul Selvan
 
PPTX
Smarter ways to do selenium automation @ work, Selenium, automation
byRIA RUI Society
 
PPTX
Continuous Delivery concept overview. Continuous Integration Systems. DevOps ...
byeleksdev
 
PPT
Selenium
byguest5800577
 
ODP
Mastering selenium for automated acceptance tests
byNick Belhomme
 
PDF
Introduction to Automation Testing and Selenium overiew
byDisha Srivastava
 
PPT
Selenium2 and Jenkins: Almost pain-free UI Testing
bymikereedell
 
PDF
Jenkins & Selenium
byadamcarmi
 
PPTX
Selenium test automation
bySrikanth Vuriti
 
PPT
Selenium
byjagdishdevabhaipatel
 
Selenium
byKalyan ch
 
Selenium
byRuturaj Doshi
 
Automated UI testing with Selenium
byYuriy Gerasimov
 
Jenkins with SonarQube
bySomkiat Puisungnoen
 
Selenium interview Q&A
byPavan Kumar
 
Automated UI testing. Selenium. DrupalCamp Kyiv 2011
byYuriy Gerasimov
 
Selenium ppt
byPavan Kumar
 
Selenium Tutorial
byprad_123
 
Selenium- A Software Testing Tool
byZeba Tahseen
 
Automatic Functional Testing with Selenium and SauceLabs
byJoseph Chiang
 
Selenium Test Automation - Challenges
byArul Selvan
 
Smarter ways to do selenium automation @ work, Selenium, automation
byRIA RUI Society
 
Continuous Delivery concept overview. Continuous Integration Systems. DevOps ...
byeleksdev
 
Selenium
byguest5800577
 
Mastering selenium for automated acceptance tests
byNick Belhomme
 
Introduction to Automation Testing and Selenium overiew
byDisha Srivastava
 
Selenium2 and Jenkins: Almost pain-free UI Testing
bymikereedell
 
Jenkins & Selenium
byadamcarmi
 
Selenium test automation
bySrikanth Vuriti
 
Selenium
byjagdishdevabhaipatel
 

Similar to Common Sofftware Errors

PDF
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
PPTX
No liftoff, touchdown, or heartbeat shall miss because of a software failure
byRogue Wave Software
 
PDF
How Can PVS-Studio Help in the Detection of Vulnerabilities?
byPVS-Studio
 
PPTX
Top 8 CWE (Common Weakness Enumeration).pptx
byVijay Kumar Peshkar
 
PDF
How the CC Harmonizes with Secure Software Development Lifecycle
bySeungjoo Kim
 
PDF
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
byAndrey Karpov
 
PPTX
Static analysis works for mission-critical systems, why not yours?
byRogue Wave Software
 
PDF
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
byOrtus Solutions, Corp
 
PDF
Secure Programming And Common Errors[Michele Orru Dec 2008]
byMichele Orru'
 
PDF
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
byPôle Systematic Paris-Region
 
PPTX
Static analysis and writing C/C++ of high quality code for embedded systems
byAndrey Karpov
 
PPTX
CVE_vs_CWE_Lecture_Presentation 1234.pptx
bybilalaptech14
 
PPTX
Static code analyzers as a DevSecOps solution
byAndrey Karpov
 
PDF
Finding Resource Manipulation Bugs in Linux Code
byAndrzej Wasowski
 
PDF
findbugs Bernhard Merkle
bybmerkle
 
PDF
Akka: Simpler Scalability, Fault-Tolerance, Concurrency & Remoting through Ac...
byJonas Bonér
 
PPTX
Exceptions in Java
byVadym Lotar
 
PDF
Secure Programming With Static Analysis
byConSanFrancisco123
 
PPTX
Programming languages and techniques for today’s embedded andIoT world
byRogue Wave Software
 
PPTX
How to fix bug or defects in software
byRajasekar Subramanian
 
Top 10 Bad Coding Practices Lead to Security Problems
byNarudom Roongsiriwong, CISSP
 
No liftoff, touchdown, or heartbeat shall miss because of a software failure
byRogue Wave Software
 
How Can PVS-Studio Help in the Detection of Vulnerabilities?
byPVS-Studio
 
Top 8 CWE (Common Weakness Enumeration).pptx
byVijay Kumar Peshkar
 
How the CC Harmonizes with Secure Software Development Lifecycle
bySeungjoo Kim
 
PVS-Studio Static Analyzer as a Tool for Protection against Zero-Day Vulnerab...
byAndrey Karpov
 
Static analysis works for mission-critical systems, why not yours?
byRogue Wave Software
 
ITB_2023_25_Most_Dangerous_Software_Weaknesses_Pete_Freitag.pdf
byOrtus Solutions, Corp
 
Secure Programming And Common Errors[Michele Orru Dec 2008]
byMichele Orru'
 
Mise en œuvre des méthodes de vérification de modèle et d'analyse statique de...
byPôle Systematic Paris-Region
 
Static analysis and writing C/C++ of high quality code for embedded systems
byAndrey Karpov
 
CVE_vs_CWE_Lecture_Presentation 1234.pptx
bybilalaptech14
 
Static code analyzers as a DevSecOps solution
byAndrey Karpov
 
Finding Resource Manipulation Bugs in Linux Code
byAndrzej Wasowski
 
findbugs Bernhard Merkle
bybmerkle
 
Akka: Simpler Scalability, Fault-Tolerance, Concurrency & Remoting through Ac...
byJonas Bonér
 
Exceptions in Java
byVadym Lotar
 
Secure Programming With Static Analysis
byConSanFrancisco123
 
Programming languages and techniques for today’s embedded andIoT world
byRogue Wave Software
 
How to fix bug or defects in software
byRajasekar Subramanian
 

Recently uploaded

PDF
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
PDF
How to build hackthon projects from ZERO!
byishantyadav1111
 
PDF
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
PDF
Designing a Blog Using Wordpress
bymarkzubi50
 
PPTX
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
PDF
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
PDF
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
PDF
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
PDF
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
PDF
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
PDF
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
PPTX
NTG - Data Center Management System Software
byMustafa Kuğu
 
PDF
AI and Zero Trust: What it takes to do it right
byMark Simos
 
PPTX
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
PDF
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
PDF
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
PDF
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
PDF
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
PDF
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 
GenerationAI Paris 2025 | How Agentic AI is Reinventing Organizations
byapidays
 
How to build hackthon projects from ZERO!
byishantyadav1111
 
The Enterprise Web3 Landscape - a view from Kaleido based on the past 10 year...
byPeter Broadhurst
 
Designing a Blog Using Wordpress
bymarkzubi50
 
Beyond the Algorithm: Designing Human-Centric Public Service with AI
byAlan Dix
 
Dev Dives: Build and deploy agentic automations - the unified way
byUiPathCommunity
 
Why Many Smart Device Platforms Fail to Scale?
byPromeraki Developments
 
UiPath Automation Developer Associate Training Series 2026 - Session 1
byDianaGray10
 
What Is the Azure AI Foundry and Why Does It Matter for Enterprises?
byjohncarterjn
 
TravelTech Paris 2025 | The EU Digital Identity Wallet and it’s impact on Tra...
byapidays
 
Traditional-Security-Models-No-Longer-Work.pptx (1).pdf
byOhhproJunction
 
NTG - Data Center Management System Software
byMustafa Kuğu
 
AI and Zero Trust: What it takes to do it right
byMark Simos
 
TechSprint Inauguration at SJB Institute of Technology held on 18 December 2025
bysuhasspgdg
 
Startup Formation Collapses While Acquisition Activity Hits New High!
byMemoori
 
Analyze and Preserve Logs - RHCSA (RH134).pdf
byLinuxCert Guru
 
Title Installing Windows, Linux, MacOS.pdf
byGeraldAbadajos
 
Advanced SELinux Management - RHCSA (RH134).pdf
byLinuxCert Guru
 
Getting Started with Apache Spark: Big Data Made Simple [Free Meetup]
byHaim Michael
 
Supercharge Your Copilot-Driven Collaboration with Microsoft 365 Agents SDK
byAntti Koskela
 

Common Sofftware Errors

  • 1.
    REG By: Nicole Gaehle,Omar Salih, Katrina Clark, Will Smith, and Rebecca Craine
  • 2.
  • 3.
    Tool: FindBugs ➢ FindBugsuses static analysis to inspect Java bytecode for occurrences of bug patterns. Static analysis means that FindBugs can find bugs by simply inspecting a program's code: executing the program is not necessary. ➢ FindBugs looks for bugs in Java programs. It is based on the concept of bug patterns. A bug pattern is a code idiom that is often an error. Bug patterns arise for a variety of reasons: ➢ Difficult language features ➢ Misunderstood API methods ➢ Misunderstood invariants when code is modified during maintenance ➢ Garden variety mistakes: typos, use of the wrong boolean operator ➢ Matched the following CWEs: ○ 89 ○ 395 ○ 502
  • 4.
  • 5.
    Tool: Java Decompiler ➢The java decompiler aims to develop tools in order to decompile and analyze Java 5 “byte code” and later versions. ➢ It has four different options in which you can download to utilize the tool: ○ JD-Core ○ JD-GUI ○ JD-Eclipse ○ JD-IntelliJ ➢ JD-GUI: ○ - a standalone graphical utility that displays Java source codes of “.class” files. Ability to browse the
  • 6.
    14 CWEs onJava 1. CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference** 2. CWE-360: Trust of System Event Data** 3. CWE-821: Incorrect Synchronization** 4. CWE-484: Omitted Break Statement in Switch** 5. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')** 6. CWE-545: Use of Dynamic Class Loading** 7. CWE-502: Deserialization of Untrusted Data** 8. CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 9. CWE-543: Use of Singleton Pattern Without Synchronization in a Multithreaded Context 10. CWE-103: Struts: Incomplete validate() Method Definition 11. CWE-497: Exposure of System Data to an Unauthorized Control Sphere 12. CWE-299: Improper Check for Certificate Revocation 13. CWE-496: Public Data Assigned to Private Array-Typed Field 14. CWE-767 Access to Critical Private Variable via Public Method **Notes Exploits Shown in Presentation
  • 7.
    CWEs: How toExploit CWE-395: Use of NullPointerException Catch to Detect NULL Pointer Dereference ➢NullPointerException has the potential to be malicious since a programmer should not be running into this code. ➢This is only acceptable if the code is part of a test harness that supplies unexpected input to the classes under test. ➢It is a bad practice to catch NullPointerException due to the fact that a program explicitly throws a NullPointerException to signal an error condition. https://cwe.mitre.org/data/definitions/395.html https://www.owasp.org/index.php/Catch_NullPointerException
  • 8.
    Example of CWE-395:Use of NullPointerException Catch to Detect NULL Pointer Dereference
  • 9.
    CWEs: How toExploit CWE-360: Trust of System Event Data ➢This can simply be malicious to the end-user because events cannot be trusted. ➢Events often does not have any type of authentication framework to allow them to be verified from a trusted source. ➢One should not trust the system-event information because if commands are executed based on trust then they could potentially take actions based on a spoofed identity. https://cwe.mitre.org/data/definitions/360.html
  • 10.
    Example of CWE360: Trust of System Event Data
  • 11.
    CWEs: How toExploit CWE-821: Incorrect Synchronization ➢The software utilizes a shared resource in a concurrent manner but it does not correctly synchronize access to the resource. ➢It modifies and reads the applications data and alters the execution logic. Basically it affects integrity and confidentiality. ➢It can be malicious if the attacker can influence the source code the end-user is sharing. https://cwe.mitre.org/data/definitions/821.html
  • 12.
    Example of CWE-821:Incorrect Synchronization
  • 13.
    CWEs: How toExploit CWE-484: Omitted Break Statement in Switch ➢Write a switch statement ➢Don’t include a switch or break statement between cases. ➢This will cause the code to execute on multiple conditions instead of one which can cause malicious code to be inserted Bad Code: Good Code:
  • 14.
    Example of CWE-484:Omitted Break Statement in Switch
  • 15.
    CWEs: How toExploit CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') ➢SQL injection used to modify a web site to serve malicious code ➢Can bypass the requirement to only return items owned by authenticated user ➢Shell command execution in MS SQL http://cwe.mitre.org/data/definitions/89.html
  • 16.
    Example of CWE89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
  • 17.
    CWEs: How toExploit CWE-545: Use of Dynamic Class Loading ➢Dynamically loaded code has the potential to be malicious. ➢When it can be introduced in the architecture and design and implementation. ➢Avoid the use of class loading as it complicates code analysis. https://cwe.mitre.org/data/definitions/545.html
  • 18.
    Example of CWE-545Dynamic Class Loading
  • 19.
    CWEs: How toExploit CWE-502: Deserialization of Untrusted Data ➢This exploit deserializes untrusted data without sufficiently verifying that the resulting data will be valid. ➢Exploit can be introduced during Architecture, Design and Implementation ➢To avoid security issues with the data a hash-based message authentication code could be used to ensure that data has not been modified. https://cwe.mitre.org/data/definitions/502.htmlBad Code Good Code
  • 20.
    Example of CWE- 502 Deserialization of Untrusted Data
  • 21.
    Conclusion ➢Everything has avulnerability, weakness, or bug that can be exploited. ➢BE CAREFUL WITH WHAT YOU DO!!!!!!!!!! ➢Questions?

Editor's Notes

  • #7 Nikki: 395, 496, 360 Rebeca: 103, 545 , 502 Omar: 362, 543, 821 Katrina:767, 484 Will: 497, 89, 299
  • #8 One of the key things that a Java programmer should not run into is the NullPointerException. It is a horrible practice to even catch the NullPointerException because a program might be programmed to explicitly throw the NullPointerException to signal an error condition. The only way any code should catch this CWE is if it were to be a test condition to catch the null pointer exception. The NullPointerException can be caught in three languages which are Java, C++, and C. This particular CWE is the parent to six different CWEs which are CWE 388 Error Handling, CWE 389 Error Conditions Return Values Status Codes, CWE 705 Incorrect Control Flow Scoping, CWE 755 Improper Handling of Exceptional Conditions, CWE 851 CERT Java Secure Coding Section 06 Exceptional Behavior (ERR), and CWE 962 SFP Secondary Cluster: Unchecked Status Condition. The potential mitigation is in the phases of Architecture and Design with implementation. The code above is an example of which should only be in a test environment. Caching the NullPointerException should not be used as an alternative to programmatic checks to prevent dereferencing a null pointer. The only acceptability to this is if the code is part of a test harness in which supplies unexpected input to the classes under the test.
  • #10 Events are a messaging system which may provide control data to programs listening for events. Events do not have any type of authentication framework to allow them to be verified from a trusted source. They are security based on event locations that are insecure and can be spoofed. For example, I could create a picture on a website that you can click on and by you clicking on it I could spoof your identity. The scope of this covers integrity, confidentiality, availability, access, and control. The effect to this scope is that of one trusts the system-event information and executes commands based on it, one could potentially take actions based on spoofed identity. This has a very high likelihood to be exploited. Due to there is no authentication framework for these messages .The mitigations that are potential lye in the phase of architecture and design which means to never trust or rely any of the information in an Event for security. This particular CWE is the parent of CWE 422 Unprotected Windows Messaging Channel (‘Shatter”), and is the child of CWE 345 Insufficient Verification of Data Authenticity, and CWE 949 SFP Secondary Cluster: Faulty Endpoint Authentication. This is applicable to all languages.
  • #12 Incorrect synchronization occurs when a source that is being shared and has not been correctly synchronized with the resource. This can lead to the resource being in an endless state of confusion, which may lead to being to some unexpected and insecure behaviors. Especially if the attacker can influence the shared resources. Incorrect synchronization is a child of CWE-662, improper synchronization. Improper synchronization occurs if software attempts to use a resource exclusively, but does not or incorrectly prevents the use of that resource by another thread or process. This leads to the modification and reading of application data which also alters the execution logic. The parents of incorrect synchronization are CWE-572, call to thread run() instead of start(), and CWE-574, EJB Bad Practices: Use of Synchronization Primitives. CWE-572 is caused when a programmer uses run(), they are not really running the program. In reality the program will execute the run() method versus actually running the call object for start [start()]. As for CWE-574, in JavaBeans specifications, it requires that every project follows the same set of programming guidelines. This requirement is very important if the programmer wants to make the software source code portable to JavaBean installations on other systems. The potential mitigations is in the phase of implementation. This is where the you use the start() method instead of the run() method.
  • #14 The Omitted Break Statement in Switch statements is one that can be easily exploited but one that can be prevented if one takes their time to check the code before executing it. This is a vulnerability found in C++, C#, .NET, PHP and Java code. This CWE is the child of CWE 398 Indicator of Poor Code Quality, CWE 670 Always-Incorrect Control Flow Implementation, CWE 962 SFP Secondary Cluster: Unchecked status condition, and member of CWE 884 CWE Cross-section. This vulnerability occurs when a break or switch statement is omitted between statements. This causes the code to exhibit fall through characteristics. This means that code that was intended to be executed will not be run correctly or at all. There are times where the break statement is intentionally not used to allow the code to fall through. This is not recommended and is still seen as an error in coding. They suggest when omitting a break statement an “if statement” should be used should be used to clarify the meaning of the code and makes sure it executes properly. If you use the fall-through capabilities make sure that you have clearly documented this within the switch statement and ensure that you have examined all the logical possibilities.
  • #16 Software constructs all or part of an SQL command using externally-influenced input without correctly neutralizing special elements that could modify the intended SQL commands. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. This can be used to alter query logic to bypass security checks, or to insert additional statements that modify the back-end database, possibly including execution of system commands. SQL injection has become a common issue with database-driven web sites. Flaws in the software can be easily detected and exploited. This is because SQL makes no real distinction between control and data planes, no matter the size of user base involved. This affects all languages and has a very high likelihood of exploitation. Database server is the technology that it hits. What this has a possible outcome is the following. Loss of confidentiality that may allow sensitive database data to be read, also loss of access control may allow access control measures to be bypassed. Last option is loss of integrity may allow to be modified, delete, or even delete the database itself. May occur at any time of introduction. Ways to detect this is using automated static analysis tools, dynamic tools and techniques that interact with the software, manual analysis bytecode and binary weakness analysis, database web-application and web services scanners, fuzz tester/framework-based fuzzer, and manual source code review/focused manual spot-check analysis of source.
  • #18 Dynamic class loading has the potential to be malicious when it is wrote during the architecture and design phase and also in the implementation phase. This is only for Java. The technical impact executes an unauthorized code or command. An attack executes malicious code that they have included in the loaded class. The code can be executed without calling a specific method if the malicious code is hidden within the static class initializer. In order to avoid this use of the class loading as it greatly complicates code analysis. When the application requires dynamic class loading, it should be well understood and documented. All classes that may be loaded should be predefined and avoid the use of dynamically created classes from byte arrays. There is a relationship between a few other CWEs which are 485, 991 and 884. CWE 485 is insufficient encapsulation, CWE 991 is SFP secondary cluster: tainted input to environment, and CWE 884 is a CWE cross-section. Example of code that would allow for dynamically load a class is the following String className = system.getProperty(“customerclassName”); Class clazz = Class.forName(className); Just make sure that you name what can be loaded so that this error does not happen for your program.
  • #20 Deserialization of untrusted data happens when untrusted data without sufficiently verifying that the resulting data will be valid. It is convenient to save serialize objects for communication or to use for a later date. Desterilized data or code can be modified without using the provided accessor functions if it does not use cryptography to protect itself. Any cryptography would still be client-side security—which is a dangerous security assumption. Data that is untrusted cannot be trusted to be well-formed. Terms that can be associated are marshaling, unmarshaling pickling and unpickling. The time that the issue can be imputed is during architecture and design and implementation. The different languages that can be effected are Java, Ruby, PHP, Python and Language-independent. Common consequences under integrity attackers can modify unexpected objects or data that was assumed to be safe from modification. Under availability if a function is making an assumption on when to terminate, based on a sentry in a string, it could be easily never terminate. Under authorization and other code could potentially make the assumption that information in the deserialized object is valid. Functions that make this dangerous assumptions could be exploited. Ways to make sure that this does not happen are the following. If available, use the signing/sealing features of the programming language to assure that deserialized data has not been tainted. When deserializing data, populate a new object rather than just deserializing. The result is that the data flows through safe input validation and that the functions are safe. Last option is to explicitly define final readObject() to prevent deserialization.