
BSI PD ISO/IEC TR 24772-1:2019

$215.11

Programming languages. Guidance to avoiding vulnerabilities in programming languages – Language-independent guidance

Published by: BSI
Publication date: 2019
Number of pages: 188

This document specifies software programming language vulnerabilities to be avoided in the development of systems where assured behaviour is required for security, safety, mission-critical and business-critical software. Language-specific descriptions of these vulnerabilities are provided in other parts of the ISO/IEC 24772 series.

It is applicable to the software developed, reviewed, or maintained for any application.

This document does not address software engineering and management issues such as how to design and implement programs, use configuration management tools, use managerial processes, and perform process improvement. Furthermore, the specification of the properties and applications to be assured is not treated.

Vulnerabilities are described in a generic manner that is applicable to a broad range of programming languages.

PDF Catalog

PDF page | PDF title
17 Foreword
18 Introduction
19 1 Scope
2 Normative references
3 Terms and definitions
3.1 Terms related to communication
20 3.2 Terms related to execution model
22 3.3 Properties
3.4 Safety
3.5 Vulnerabilities
23 4 Applying this document
25 5 Vulnerability issues and general avoidance mechanisms
5.1 Predictable execution
26 5.2 Sources of unpredictability in language specification
5.2.1 Incomplete or evolving specification
5.2.2 Undefined behaviour
5.2.3 Unspecified behaviour
5.2.4 Implementation-defined behaviour
5.2.5 Difficult features
5.2.6 Inadequate language support
27 5.3 Sources of unpredictability in language usage
5.3.1 Porting and interoperation
5.3.2 Compiler selection and usage
5.4 Top avoidance mechanisms
29 6 Programming language vulnerabilities
6.1 General
6.2 Type system [IHN]
6.2.1 Description of application vulnerability
6.2.2 Cross reference
6.2.3 Mechanism of failure
31 6.2.4 Applicable language characteristics
6.2.5 Avoiding the vulnerability or mitigating its effects
32 6.2.6 Implications for language design and evolution
6.3 Bit representations [STR]
6.3.1 Description of application vulnerability
6.3.2 Cross reference
6.3.3 Mechanism of failure
33 6.3.4 Applicable language characteristics
6.3.5 Avoiding the vulnerability or mitigating its effects
6.3.6 Implications for language design and evolution
6.4 Floating-point arithmetic [PLF]
6.4.1 Description of application vulnerability
34 6.4.2 Cross reference
6.4.3 Mechanism of failure
35 6.4.4 Applicable language characteristics
6.4.5 Avoiding the vulnerability or mitigating its effects
6.4.6 Implications for language design and evolution
36 6.5 Enumerator issues [CCB]
6.5.1 Description of application vulnerability
6.5.2 Cross reference
6.5.3 Mechanism of failure
37 6.5.4 Applicable language characteristics
6.5.5 Avoiding the vulnerability or mitigating its effects
6.5.6 Implications for language design and evolution
6.6 Conversion errors [FLC]
6.6.1 Description of application vulnerability
38 6.6.2 Cross reference
6.6.3 Mechanism of failure
6.6.4 Applicable language characteristics
39 6.6.5 Avoiding the vulnerability or mitigating its effects
6.6.6 Implications for language design and evolution
6.7 String termination [CJM]
6.7.1 Description of application vulnerability
6.7.2 Cross reference
40 6.7.3 Mechanism of failure
6.7.4 Applicable language characteristics
6.7.5 Avoiding the vulnerability or mitigating its effects
6.7.6 Implications for language design and evolution
6.8 Buffer boundary violation (buffer overflow) [HCB]
6.8.1 Description of application vulnerability
6.8.2 Cross reference
41 6.8.3 Mechanism of failure
6.8.4 Applicable language characteristics
42 6.8.5 Avoiding the vulnerability or mitigating its effects
6.8.6 Implications for language design and evolution
6.9 Unchecked array indexing [XYZ]
6.9.1 Description of application vulnerability
43 6.9.2 Cross reference
6.9.3 Mechanism of failure
6.9.4 Applicable language characteristics
44 6.9.5 Avoiding the vulnerability or mitigating its effects
6.9.6 Implications for language designers
6.10 Unchecked array copying [XYW]
6.10.1 Description of application vulnerability
6.10.2 Cross reference
6.10.3 Mechanism of failure
45 6.10.4 Applicable language characteristics
6.10.5 Avoiding the vulnerability or mitigating its effects
6.10.6 Implications for language design and evolution
6.11 Pointer type conversions [HFC]
6.11.1 Description of application vulnerability
46 6.11.2 Cross reference
6.11.3 Mechanism of failure
6.11.4 Applicable language characteristics
6.11.5 Avoiding the vulnerability or mitigating its effects
47 6.11.6 Implications for language design and evolution
6.12 Pointer arithmetic [RVG]
6.12.1 Description of application vulnerability
6.12.2 Cross reference
6.12.3 Mechanism of failure
6.12.4 Applicable language characteristics
6.12.5 Avoiding the vulnerability or mitigating its effects
6.12.6 Implications for language design and evolution
6.13 Null pointer dereference [XYH]
6.13.1 Description of application vulnerability
48 6.13.2 Cross reference
6.13.3 Mechanism of failure
6.13.4 Applicable language characteristics
6.13.5 Avoiding the vulnerability or mitigating its effects
6.13.6 Implications for language design and evolution
6.14 Dangling reference to heap [XYK]
6.14.1 Description of application vulnerability
49 6.14.2 Cross reference
6.14.3 Mechanism of failure
6.14.4 Applicable language characteristics
50 6.14.5 Avoiding the vulnerability or mitigating its effects
6.14.6 Implications for language design and evolution
6.15 Arithmetic wrap-around error [FIF]
6.15.1 Description of application vulnerability
6.15.2 Cross reference
51 6.15.3 Mechanism of failure
6.15.4 Applicable language characteristics
6.15.5 Avoiding the vulnerability or mitigating its effects
6.15.6 Implications for language design and evolution
52 6.16 Using shift operations for multiplication and division [PIK]
6.16.1 Description of application vulnerability
6.16.2 Cross reference
6.16.3 Mechanism of failure
6.16.4 Applicable language characteristics
6.16.5 Avoiding the vulnerability or mitigating its effects
6.16.6 Implications for language design and evolution
53 6.17 Choice of clear names [NAI]
6.17.1 Description of application vulnerability
6.17.2 Cross reference
6.17.3 Mechanism of Failure
54 6.17.4 Applicable language characteristics
6.17.5 Avoiding the vulnerability or mitigating its effects
6.17.6 Implications for language design and evolution
6.18 Dead store [WXQ]
6.18.1 Description of application vulnerability
6.18.2 Cross reference
55 6.18.3 Mechanism of failure
6.18.4 Applicable language characteristics
6.18.5 Avoiding the vulnerability or mitigating its effects
6.18.6 Implications for language design and evolution
56 6.19 Unused variable [YZS]
6.19.1 Description of application vulnerability
6.19.2 Cross reference
6.19.3 Mechanism of failure
6.19.4 Applicable language characteristics
6.19.5 Avoiding the vulnerability or mitigating its effects
6.19.6 Implications for language design and evolution
6.20 Identifier name reuse [YOW]
6.20.1 Description of application vulnerability
57 6.20.2 Cross reference
6.20.3 Mechanism of failure
58 6.20.4 Applicable language characteristics
6.20.5 Avoiding the vulnerability or mitigating its effects
6.20.6 Implications for language design and evolution
6.21 Namespace issues [BJL]
6.21.1 Description of application vulnerability
59 6.21.2 Cross-references
6.21.3 Mechanism of failure
6.21.4 Applicable language characteristics
6.21.5 Avoiding the vulnerability or mitigating its effects
60 6.21.6 Implications for language design and evolution
6.22 Initialization of variables [LAV]
6.22.1 Description of application vulnerability
6.22.2 Cross reference
6.22.3 Mechanism of failure
61 6.22.4 Applicable language characteristics
6.22.5 Avoiding the vulnerability or mitigating its effects
62 6.22.6 Implications for language design and evolution
6.23 Operator precedence and associativity [JCW]
6.23.1 Description of application vulnerability
6.23.2 Cross reference
6.23.3 Mechanism of failure
63 6.23.4 Applicable language characteristics
6.23.5 Avoiding the vulnerability or mitigating its effects
6.23.6 Implications for language design and evolution
6.24 Side-effects and order of evaluation of operands [SAM]
6.24.1 Description of application vulnerability
6.24.2 Cross reference
64 6.24.3 Mechanism of failure
6.24.4 Applicable language characteristics
6.24.5 Avoiding the vulnerability or mitigating its effects
6.24.6 Implications for language design and evolution
65 6.25 Likely incorrect expression [KOA]
6.25.1 Description of application vulnerability
6.25.2 Cross reference
6.25.3 Mechanism of failure
66 6.25.4 Applicable language characteristics
6.25.5 Avoiding the vulnerability or mitigating its effects
6.25.6 Implications for language design and evolution
6.26 Dead and deactivated code [XYQ]
6.26.1 Description of application vulnerability
6.26.2 Cross reference
67 6.26.3 Mechanism of failure
68 6.26.4 Applicable language characteristics
6.26.5 Avoiding the vulnerability or mitigating its effects
6.26.6 Implications for language design and evolution
6.27 Switch statements and static analysis [CLL]
6.27.1 Description of application vulnerability
6.27.2 Cross reference
69 6.27.3 Mechanism of failure
6.27.4 Applicable language characteristics
6.27.5 Avoiding the vulnerability or mitigating its effects
6.27.6 Implications for language design and evolution
70 6.28 Demarcation of control flow [EOJ]
6.28.1 Description of application vulnerability
6.28.2 Cross reference
6.28.3 Mechanism of failure
6.28.4 Applicable language characteristics
6.28.5 Avoiding the vulnerability or mitigating its effects
71 6.28.6 Implications for language design and evolution
6.29 Loop control variables [TEX]
6.29.1 Description of application vulnerability
6.29.2 Cross reference
6.29.3 Mechanism of failure
6.29.4 Applicable language characteristics
6.29.5 Avoiding the vulnerability or mitigating its effects
72 6.29.6 Implications for language design and evolution
6.30 Off-by-one error [XZH]
6.30.1 Description of application vulnerability
6.30.2 Cross reference
6.30.3 Mechanism of failure
73 6.30.4 Applicable language characteristics
6.30.5 Avoiding the vulnerability or mitigating its effects
6.30.6 Implications for language design and evolution
6.31 Unstructured programming [EWD]
6.31.1 Description of application vulnerability
6.31.2 Cross reference
74 6.31.3 Mechanism of failure
6.31.4 Applicable language characteristics
6.31.5 Avoiding the vulnerability or mitigating its effects
6.31.6 Implications for language design and evolution
6.32 Passing parameters and return values [CSJ]
6.32.1 Description of application vulnerability
75 6.32.2 Cross reference
6.32.3 Mechanism of failure
76 6.32.4 Applicable language characteristics
6.32.5 Avoiding the vulnerability or mitigating its effects
6.32.6 Implications for language design and evolution
6.33 Dangling references to stack frames [DCM]
6.33.1 Description of application vulnerability
77 6.33.2 Cross reference
6.33.3 Mechanism of failure
78 6.33.4 Applicable language characteristics
6.33.5 Avoiding the vulnerability or mitigating its effects
6.33.6 Implications for language design and evolution
6.34 Subprogram signature mismatch [OTR]
6.34.1 Description of application vulnerability
6.34.2 Cross reference
79 6.34.3 Mechanism of failure
6.34.4 Applicable language characteristics
6.34.5 Avoiding the vulnerability or mitigating its effects
6.34.6 Implications for language design and evolution
80 6.35 Recursion [GDL]
6.35.1 Description of application vulnerability
6.35.2 Cross reference
6.35.3 Mechanism of failure
6.35.4 Applicable language characteristics
6.35.5 Avoiding the vulnerability or mitigating its effects
81 6.35.6 Implications for language design and evolution
6.36 Ignored error status and unhandled exceptions [OYB]
6.36.1 Description of application vulnerability
6.36.2 Cross reference
6.36.3 Mechanism of failure
82 6.36.4 Applicable language characteristics
6.36.5 Avoiding the vulnerability or mitigating its effects
83 6.36.6 Implications for language design and evolution
6.37 Type-breaking reinterpretation of data [AMV]
6.37.1 Description of application vulnerability
6.37.2 Cross reference
6.37.3 Mechanism of failure
84 6.37.4 Applicable language characteristics
6.37.5 Avoiding the vulnerability or mitigating its effects
6.37.6 Implications for language design and evolution
85 6.38 Deep vs. shallow copying [YAN]
6.38.1 Description of application vulnerability
6.38.2 Cross reference
6.38.3 Mechanism of failure
6.38.4 Applicable language characteristics
6.38.5 Avoiding the vulnerability or mitigating its effects
86 6.38.6 Implications for language design and evolution
6.39 Memory leaks and heap fragmentation [XYL]
6.39.1 Description of application vulnerability
6.39.2 Cross reference
6.39.3 Mechanism of failure
6.39.4 Applicable language characteristics
87 6.39.5 Avoiding the vulnerability or mitigating its effects
6.39.6 Implications for language design and evolution
6.40 Templates and generics [SYM]
6.40.1 Description of application vulnerability
88 6.40.2 Cross reference
6.40.3 Mechanism of failure
6.40.4 Applicable language characteristics
89 6.40.5 Avoiding the vulnerability or mitigating its effects
6.40.6 Implications for language design and evolution
6.41 Inheritance [RIP]
6.41.1 Description of application vulnerability
6.41.2 Cross reference
90 6.41.3 Mechanism of failure
6.41.4 Applicable language characteristics
6.41.5 Avoiding the vulnerability or mitigating its effects
91 6.41.6 Implications for language design and evolution
6.42 Violations of the Liskov substitution principle or the contract model [BLP]
6.42.1 Description of application vulnerability
92 6.42.2 Cross reference
6.42.3 Mechanism of failure
6.42.4 Applicable language characteristics
6.42.5 Avoiding the vulnerability or mitigating its effects
6.42.6 Implications for language design and evolution
6.43 Redispatching [PPH]
6.43.1 Description of application vulnerability
93 6.43.2 Cross reference
6.43.3 Mechanism of failure
6.43.4 Applicable language characteristics
6.43.5 Avoiding the vulnerability or mitigating its effects
6.43.6 Implications for language design and evolution
6.44 Polymorphic variables [BKK]
6.44.1 Description of application vulnerability
94 6.44.2 Cross reference
6.44.3 Mechanism of failure
95 6.44.4 Applicable language characteristics
6.44.5 Avoiding the vulnerability or mitigating its effects
6.44.6 Implications for language design and evolution
6.45 Extra intrinsics [LRM]
6.45.1 Description of application vulnerability
6.45.2 Cross reference
6.45.3 Mechanism of failure
96 6.45.4 Applicable language characteristics
6.45.5 Avoiding the vulnerability or mitigating its effects
6.45.6 Implications for language design and evolution
6.46 Argument passing to library functions [TRJ]
6.46.1 Description of application vulnerability
6.46.2 Cross reference
6.46.3 Mechanism of failure
97 6.46.4 Applicable language characteristics
6.46.5 Avoiding the vulnerability or mitigating its effects
6.46.6 Implications for language design and evolution
6.47 Inter-language calling [DJS]
6.47.1 Description of application vulnerability
6.47.2 Cross reference
6.47.3 Mechanism of failure
98 6.47.4 Applicable language characteristics
6.47.5 Avoiding the vulnerability or mitigating its effects
99 6.47.6 Implications for language design and evolution
6.48 Dynamically-linked code and self-modifying code [NYY]
6.48.1 Description of application vulnerability
6.48.2 Cross reference
6.48.3 Mechanism of failure
6.48.4 Applicable language characteristics
100 6.48.5 Avoiding the vulnerability or mitigating its effects
6.48.6 Implications for language design and evolution
6.49 Library signature [NSQ]
6.49.1 Description of application vulnerability
6.49.2 Cross reference
6.49.3 Mechanism of failure
101 6.49.4 Applicable language characteristics
6.49.5 Avoiding the vulnerability or mitigating its effects
6.49.6 Implications for language design and evolution
6.50 Unanticipated exceptions from library routines [HJW]
6.50.1 Description of application vulnerability
6.50.2 Cross reference
6.50.3 Mechanism of failure
102 6.50.4 Applicable language characteristics
6.50.5 Avoiding the vulnerability or mitigating its effects
6.50.6 Implications for language design and evolution
6.51 Pre-processor directives [NMP]
6.51.1 Description of application vulnerability
6.51.2 Cross reference
103 6.51.3 Mechanism of failure
6.51.4 Applicable language characteristics
6.51.5 Avoiding the vulnerability or mitigating its effects
6.51.6 Implications for language design and evolution
104 6.52 Suppression of language-defined run-time checking [MXB]
6.52.1 Description of application vulnerability
6.52.2 Cross reference
6.52.3 Mechanism of Failure
6.52.4 Applicable language characteristics
6.52.5 Avoiding the vulnerability
6.52.6 Implications for language design and evolution
105 6.53 Provision of inherently unsafe operations [SKL]
6.53.1 Description of application vulnerability
6.53.2 Cross reference
6.53.3 Mechanism of Failure
6.53.4 Applicable language characteristics
6.53.5 Avoiding the vulnerability
106 6.53.6 Implications for language design and evolution
6.54 Obscure language features [BRS]
6.54.1 Description of application vulnerability
6.54.2 Cross reference
6.54.3 Mechanism of failure
6.54.4 Applicable language characteristics
6.54.5 Avoiding the vulnerability or mitigating its effects
107 6.54.6 Implications for language design and evolution
6.55 Unspecified behaviour [BQF]
6.55.1 Description of application vulnerability
6.55.2 Cross reference
6.55.3 Mechanism of failure
108 6.55.4 Applicable language characteristics
6.55.5 Avoiding the vulnerability or mitigating its effects
6.55.6 Implications for language design and evolution
6.56 Undefined behaviour [EWF]
6.56.1 Description of application vulnerability
109 6.56.2 Cross reference
6.56.3 Mechanism of failure
6.56.4 Applicable language characteristics
6.56.5 Avoiding the vulnerability or mitigating its effects
110 6.56.6 Implications for language design and evolution
6.57 Implementation-defined behaviour [FAB]
6.57.1 Description of application vulnerability
6.57.2 Cross reference
6.57.3 Mechanism of failure
111 6.57.4 Applicable language characteristics
6.57.5 Avoiding the vulnerability or mitigating its effects
6.57.6 Implications for language design and evolution
6.58 Deprecated language features [MEM]
6.58.1 Description of application vulnerability
112 6.58.2 Cross reference
6.58.3 Mechanism of failure
6.58.4 Applicable language characteristics
6.58.5 Avoiding the vulnerability or mitigating its effects
113 6.58.6 Implications for language design and evolution
6.59 Concurrency — Activation [CGA]
6.59.1 Description of application vulnerability
6.59.2 Cross-references
6.59.3 Mechanism of Failure
114 6.59.4 Applicable language characteristics
6.59.5 Avoiding the vulnerability or mitigating its effects
6.59.6 Implications for language design and evolution
6.60 Concurrency — Directed termination [CGT]
6.60.1 Description of application vulnerability
115 6.60.2 Cross-references
6.60.3 Mechanism of failure
6.60.4 Applicable language characteristics
6.60.5 Avoiding the vulnerability or mitigating its effect
116 6.60.6 Implications for language design and evolution
6.61 Concurrent data access [CGX]
6.61.1 Description of application vulnerability
6.61.2 Cross-references
6.61.3 Mechanism of failure
6.61.4 Applicable language characteristics
117 6.61.5 Avoiding the vulnerability or mitigating its effect
6.61.6 Implications for language design and evolution
6.62 Concurrency — Premature termination [CGS]
6.62.1 Description of application vulnerability
6.62.2 Cross-references
118 6.62.3 Mechanism of failure
6.62.4 Applicable language characteristics
6.62.5 Avoiding the vulnerability or mitigating its effect
119 6.62.6 Implications for language design and evolution
6.63 Lock protocol errors [CGM]
6.63.1 Description of application vulnerability
6.63.2 Cross-references
120 6.63.3 Mechanism of failure
6.63.4 Applicable language characteristics
6.63.5 Avoiding the vulnerability or mitigating its effect
121 6.63.6 Implications for language design and evolution
6.64 Reliance on external format strings [SHL]
6.64.1 Description of application vulnerability
6.64.2 Cross reference
6.64.3 Mechanism of failure
122 6.64.4 Applicable language characteristics
6.64.5 Avoiding the vulnerability or mitigating its effects
6.64.6 Implications for language design and evolution
123 7 Application vulnerabilities
7.1 General
7.2 Unrestricted file upload [CBF]
7.2.1 Description of application vulnerability
7.2.2 Cross reference
7.2.3 Mechanism of failure
7.2.4 Avoiding the vulnerability or mitigating its effects
124 7.3 Download of code without integrity check [DLB]
7.3.1 Description of application vulnerability
7.3.2 Cross reference
7.3.3 Mechanism of failure
7.3.4 Avoiding the vulnerability or mitigating its effects
125 7.4 Executing or loading untrusted code [XYS]
7.4.1 Description of application vulnerability
7.4.2 Cross reference
7.4.3 Mechanism of failure
7.4.4 Avoiding the vulnerability or mitigating its effects
126 7.5 Inclusion of functionality from untrusted control sphere [DHU]
7.5.1 Description of application vulnerability
7.5.2 Cross reference
7.5.3 Mechanism of failure
7.5.4 Avoiding the vulnerability or mitigating its effects
7.6 Use of unchecked data from an uncontrolled or tainted source [EFS]
7.6.1 Description of application vulnerability
127 7.6.2 Cross reference
7.6.3 Mechanism of failure
7.6.4 Avoiding the vulnerability or mitigating its effects
7.7 Cross-site scripting [XYT]
7.7.1 Description of application vulnerability
7.7.2 Cross reference
128 7.7.3 Mechanism of failure
129 7.7.4 Avoiding the vulnerability or mitigating its effects
130 7.8 URL redirection to untrusted site (“open redirect”) [PYQ]
7.8.1 Description of application vulnerability
7.8.2 Cross reference
7.8.3 Mechanism of failure
7.8.4 Avoiding the vulnerability or mitigating its effects
7.9 Injection [RST]
7.9.1 Description of application vulnerability
131 7.9.2 Cross reference
132 7.9.3 Mechanism of failure
133 7.9.4 Avoiding the vulnerability or mitigating its effects
7.10 Unquoted search path or element [XZQ]
7.10.1 Description of application vulnerability
7.10.2 Cross reference
7.10.3 Mechanism of failure
7.10.4 Avoiding the vulnerability or mitigating its effects
134 7.11 Path traversal [EWR]
7.11.1 Description of application vulnerability
7.11.2 Cross reference
7.11.3 Mechanism of failure
136 7.11.4 Avoiding the vulnerability or mitigating its effects
7.12 Resource names [HTS]
7.12.1 Description of application vulnerability
137 7.12.2 Cross reference
7.12.3 Mechanism of Failure
7.12.4 Avoiding the vulnerability or mitigating its effects
7.13 Resource exhaustion [XZP]
7.13.1 Description of application vulnerability
7.13.2 Cross reference
7.13.3 Mechanism of failure
138 7.13.4 Avoiding the vulnerability or mitigating its effects
7.14 Authentication logic error [XZO]
7.14.1 Description of application vulnerability
7.14.2 Cross reference
139 7.14.3 Mechanism of failure
140 7.14.4 Avoiding the vulnerability or mitigating its effects
7.15 Improper restriction of excessive authentication attempts [WPL]
7.15.1 Description of application vulnerability
7.15.2 Cross reference
7.15.3 Mechanism of failure
7.15.4 Avoiding the vulnerability or mitigating its effects
141 7.16 Hard-coded credentials [XYP]
7.16.1 Description of application vulnerability
7.16.2 Cross reference
7.16.3 Mechanism of failure
7.16.4 Avoiding the vulnerability or mitigating its effects
142 7.17 Insufficiently protected credentials [XYM]
7.17.1 Description of application vulnerability
7.17.2 Cross reference
7.17.3 Mechanism of failure
7.17.4 Avoiding the vulnerability or mitigating its effects
143 7.18 Missing or inconsistent access control [XZN]
7.18.1 Description of application vulnerability
7.18.2 Cross reference
7.18.3 Mechanism of failure
7.18.4 Avoiding the vulnerability or mitigating its effects
7.19 Incorrect authorization [BJE]
7.19.1 Description of application vulnerability
7.19.2 Cross reference
7.19.3 Mechanism of failure
144 7.19.4 Avoiding the vulnerability or mitigating its effects
7.20 Adherence to least privilege [XYN]
7.20.1 Description of application vulnerability
7.20.2 Cross reference
7.20.3 Mechanism of failure
7.20.4 Avoiding the vulnerability or mitigating its effects
145 7.21 Privilege sandbox issues [XYO]
7.21.1 Description of application vulnerability
7.21.2 Cross reference
7.21.3 Mechanism of failure
146 7.21.4 Avoiding the vulnerability or mitigating its effects
7.22 Missing required cryptographic step [XZS]
7.22.1 Description of application vulnerability
7.22.2 Cross reference
7.22.3 Mechanism of failure
7.22.4 Avoiding the vulnerability or mitigating its effects
147 7.23 Improperly verified signature [XZR]
7.23.1 Description of application vulnerability
7.23.2 Cross reference
7.23.3 Mechanism of failure
7.23.4 Avoiding the vulnerability or mitigating its effects
7.24 Use of a one-way hash without a salt [MVX]
7.24.1 Description of application vulnerability
7.24.2 Cross reference
7.24.3 Mechanism of failure
148 7.24.4 Avoiding the vulnerability or mitigating its effects
7.25 Inadequately secure communication of shared resources [CGY]
7.25.1 Description of application vulnerability
7.25.2 Cross-references
7.25.3 Mechanism of failure
149 7.25.4 Avoiding the vulnerability or mitigating its effect
7.26 Memory locking [XZX]
7.26.1 Description of application vulnerability
7.26.2 Cross reference
150 7.26.3 Mechanism of failure
7.26.4 Avoiding the vulnerability or mitigating its effects
7.27 Sensitive information not cleared before use [XZK]
7.27.1 Description of application vulnerability
7.27.2 Cross reference
7.27.3 Mechanism of failure
151 7.27.4 Avoiding the vulnerability or mitigating its effects
7.28 Time consumption measurement [CCM]
7.28.1 Description of application vulnerability
7.28.2 Cross-references
7.28.3 Mechanism of failure
7.28.4 Avoiding the vulnerability or mitigating its effect
152 7.29 Discrepancy information leak [XZL]
7.29.1 Description of application vulnerability
7.29.2 Cross reference
7.29.3 Mechanism of failure
7.29.4 Avoiding the vulnerability or mitigating its effects
153 7.30 Unspecified functionality [BVQ]
7.30.1 Description of application vulnerability
7.30.2 Cross reference
7.30.3 Mechanism of failure
7.30.4 Avoiding the vulnerability or mitigating its effects
154 7.31 Fault tolerance and failure strategies [REU]
7.31.1 Description of application vulnerability
7.31.2 Cross reference
155 7.31.3 Mechanism of failure
7.31.4 Avoiding the vulnerability or mitigating its effects
156 7.32 Distinguished values in data types [KLK]
7.32.1 Description of application vulnerability
7.32.2 Cross reference
7.32.3 Mechanism of failure
157 7.32.4 Avoiding the vulnerability or mitigating its effects
7.33 Clock issues [CCI]
7.33.1 Description of application vulnerability
158 7.33.2 Cross-references
7.33.3 Mechanism of failure
159 7.33.4 Avoiding the vulnerability or mitigating its effect
7.34 Time drift and jitter [CDJ]
7.34.1 Description of application vulnerability
160 7.34.2 Cross-references
7.34.3 Mechanism of failure
7.34.4 Avoiding the vulnerability or mitigating its effect
161 8 New vulnerabilities
8.1 General
8.2 Modifying constants [UJO]
8.2.1 Description of application vulnerability
8.2.2 Cross reference
8.2.3 Mechanism of failure
162 8.2.4 Applicable language characteristics
8.2.5 Avoiding the vulnerability or mitigating its effects
8.2.6 Implications for language design and evolution
163 Annex A (informative) Vulnerability taxonomy and list
171 Annex B (informative) Selected guidance to language designers
173 Annex C (informative) Language-specific vulnerability template
176 Bibliography