Common Architectural Weakness Enumeration (CAWE)

Uploaded by lucinda on 2021-01-05



Presentation Transcript

Common Architectural Weakness Enumeration (CAWE)
PI: Mehdi Mirakhorli
Presenter: Joanna C. S. Santos

Security Architecture Weaknesses
Design decisions for satisfying security requirements are based on well-known security tactics. Security tactics are reusable mechanisms for detecting, resisting, reacting to or recovering from attacks. When security tactics are not properly applied or implemented, the result can be breaches in the security architecture. We refer to these types of breaches as architectural weaknesses.

Architectural Weaknesses vs. Bugs
Bugs are programming errors introduced during coding activities. Example: an incorrect type cast,

    String aString;
    Object obj = (Integer) aString;

Architectural weaknesses are introduced during design activities. Examples: client-side authentication (shown on the slide as a server, an attacker and a client) and improper certificate expiration verification. There are not many examples.

Architectural Weaknesses vs. Bugs: a catalog of known weaknesses rooted in the design or implementation of a security architecture, the Common Architectural Weakness Enumeration (CAWE).

Research Scope
Motivation: this research sets out to obtain more insight about the types and characteristics of common security architecture weaknesses during design and code activities.
Research Questions:
RQ1: What common security issues are rooted in the software architecture?
RQ2: What security tactics are more likely to have associated vulnerabilities?

CAWE Creation Process
Input: CWE version 2.9 (the entry count is not preserved in the transcript). The CWEs were separated into non-architecture-related CWEs and CWEs related to security tactics; the latter were manually categorized by security tactic and peer reviewed, yielding the CAWEs in the catalog.

Overview of the CAWE
http://design.se.rit.edu/catalog (...)

CWE Entry
Title: Exposure of Data Element to Wrong Session (the CWE number is not preserved in the transcript)
Description: The product does not sufficiently enforce boundaries between the states of different sessions, causing data to be provided to, or used by, the wrong session. (...)
Common Consequences: Confidentiality (Technical Impact: Read Application Data)
Demonstrative Example:

    import java.io.*;
    import javax.servlet.http.*;

    class GuestBook extends HttpServlet {
        String name;   // instance field: one servlet instance serves every request

        protected void doPost(HttpServletRequest req, HttpServletResponse resp)
                throws IOException {
            name = req.getParameter("name");
            // ...
            PrintWriter out = resp.getWriter();
            out.println(name + ", thanks for visiting!");
        }
    }

Potential Mitigations:
Architecture and Design Phase: Protect the application's sessions from information leakage. (...)
Testing Phase: Use a static analysis tool to scan the code for information leakage vulnerabilities (...).
Attack Patterns: CAPEC-59 Session Credential Falsification through Prediction; CAPEC-60 Reusing Session IDs (aka Session Replay) (...)

An Example of a CAWE Entry
Impacted Tactic: Manage User Sessions
Description: Retains the information or status about each user and his/her access rights for the duration of multiple requests.
Design Flaw

RQ1: What common security issues are rooted in the software architecture?
224 security issues rooted in the software architecture.

RQ2: What Security Tactics are More Likely to Have Associated Vulnerabilities?
Number of CAWEs per security tactic (counts missing from the transcript are marked as such):
Audit: (count not preserved)
Authenticate Actors: 29
Authorize Actors: 60
Cross Cutting: (count not preserved)
Encrypt Data: 38
Identify Actors: 12
Limit Access: (count not preserved)
Limit Exposure: (count not preserved)
Lock Computer: (count not preserved)
Manage User Sessions: (count not preserved)
Validate Inputs: 39
Verify Message Integrity: 10
Total: 224

Integrating with the MITRE Website
For example: CWE-353 Missing Support for Integrity Check

Authorize Actors has the highest number of potential flaws (CAWEs).

CAWE Catalog
Architectural weaknesses categorized among security tactics: 224 out of 727.
An artifact for practitioners and the research community.
Available at: http://design.se.rit.edu/catalog
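The GuestBook snippet in the CWE entry above keeps per-request data in a servlet instance field. The following example, added here and not taken from the slides or the CWE entry, models why that hands one user's data to another user's session and shows the request-scoped fix; the servlet container and request objects are stand-ins (plain strings and a simulated thread interleaving), which are this example's own simplifications.

```java
import java.util.ArrayList;
import java.util.List;
// Added example, not code from the CAWE slides or the CWE entry. A servlet
// container creates ONE servlet instance and serves concurrent requests with it
// on separate threads, so an instance field is shared between users. Servlet API
// types are replaced by plain strings; the thread interleaving is simulated.
public class SessionLeakDemo {
    /** Vulnerable shape of the slide's GuestBook: request data kept in a field. */
    static class LeakyGuestBook {
        String name;                                  // shared by every request
        void readRequest(String nameParam) { name = nameParam; }       // 1st half of doPost
        String writeResponse() { return name + ", thanks for visiting!"; } // 2nd half
    }

    /** Hardened shape: request data never leaves the method's local scope. */
    static class SafeGuestBook {
        String doPost(String nameParam) {
            String name = nameParam;                  // lives only in this call
            return name + ", thanks for visiting!";
        }
    }

    /** Simulated interleaving: Alice's request is preempted after reading its
     *  parameter, Bob's request reads his, then both responses are written.
     *  Returns [response sent to Alice, response sent to Bob]. */
    static List<String> leakyInterleaving() {
        LeakyGuestBook servlet = new LeakyGuestBook(); // one instance, as in a container
        List<String> responses = new ArrayList<>();
        servlet.readRequest("Alice");
        servlet.readRequest("Bob");                   // overwrites Alice's data
        responses.add(servlet.writeResponse());       // Alice is greeted as Bob
        responses.add(servlet.writeResponse());
        return responses;
    }

    /** Same two requests against the hardened servlet: no state survives between
     *  calls, so a concurrent request has nothing to overwrite. */
    static List<String> safeSequence() {
        SafeGuestBook servlet = new SafeGuestBook();
        List<String> responses = new ArrayList<>();
        responses.add(servlet.doPost("Alice"));
        responses.add(servlet.doPost("Bob"));
        return responses;
    }

    public static void main(String[] args) {
        System.out.println("leaky: " + leakyInterleaving());
        System.out.println("safe:  " + safeSequence());
    }
}
```

The same defect is what the entry's "Testing Phase" mitigation targets: static analysers flag servlet instance fields written from request handlers, since any such field is shared state across sessions.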