Three of these vulnerabilities point to a basic lack of good housekeeping: Missing Authentication, Missing Authorization, and Missing Encryption. And three others have to do with erroneous or ill-advised use of application defense techniques, including Incorrect Authorization, Incorrect Permission Assignment, and Improper Restriction of Excess Authentication Attempts.
Risky resource management vulnerabilities
Resource management involves creating, using, transferring, and destroying system resources such as memory. Proper, secure management resource is necessary for effective application defense. The types of security vulnerabilities in the CWE/SANS Top 25 category “Risky Resource Management” are related to ways that the software mismanages resources. These application vulnerabilities range from the classic Buffer Overflow and Path Traversal to the more-sci-fi-sounding Inclusion of Functionality from Untrusted Control Sphere and the ominously named Use of Potentially Dangerous Function.
Defending against these application vulnerabilities boils down to two strategies:
- You must know what inputs you are using and whether they come from known “good” sources.
- You must use those inputs properly for their intended purposes.
Liberal use of sandboxing and whitelisting can help here, but there are no guarantees. Other options include application security testing and vulnerability assessments to uncover these eight types of security vulnerabilities before something goes wrong.
Vulnerabilities related to insecure interaction between components
The category “Insecure Interaction Between Components” has the fewest members of the CWE/SANS Top 25 software errors. But it also contains the most wanted—make that least wanted—list of security vulnerabilities. It’s a well-known rogues gallery bearing names like SQL Injection, Cross-Site Scripting, and Open Redirect.
What do these types of security vulnerabilities all have in common? They’re all related to how “data is sent and received between separate components, modules, programs, processes, threads, or systems.”