Taint analysis
Taxonomy of coding errors
  19 Deadly Sins ... 2nd
  attack classes
  hierarchy of
  "OWASP Top Ten ... Vulnerabilities," 2nd
  PLOVER (Preliminary List of Vulnerability Examples for Researchers)
  versus taxonomy of attack patterns
Taxonomy of coding errors, kingdoms
  API Abuse
    description
    example
    phyla
  Code Quality 2nd
    description
    example
    phyla
  definition
  Encapsulation 2nd
    description
    example
    phyla
  Environment 2nd
    description
    example
    phyla
  Error Handling 2nd
    description
    example
    phyla
  Input Validation and Representation 2nd
    description
    example
    phyla
  mapped to "OWASP Top Ten ... Vulnerabilities,"
  mapped to 19 Deadly Sins ...
  Security Features 2nd
    description
    example
    phyla
  summary list of
  Time and State 2nd
    description
    example
    phyla
Taxonomy of coding errors, phyla
  API Abuse Kingdom
  ASP.NET Misconfiguration
  Authentication 2nd
  Buffer Overflow
  Catch NullPointerException
  Code Quality Kingdom
  Command Injection
  Comparing Classes by Name
  Creating Debug Binary
  Cross-Site Scripting
  Dangerous Functions
  Data Leaking Between Users
  Deadlock
  definition
  Directory Restriction
  Double Free
  Duplicate Validation Forms
  Empty Catch Block
  Empty Password in Configuration File
  Encapsulation Kingdom
  Environment Kingdom
  Erroneous validate() Method
  Error Handling Kingdom
  Exception Handling
  Failure to Begin a New Session ...
  File Access Race Condition
  Form Field Without Validator
  Format String
  getConnection() method
  Hard-Coded Passwords
  Heap Inspection
  HTTP Response Splitting
  Illegal Pointer Value
  Inconsistent Implementations
  Input Validation and Representation Kingdom
  Insecure Compiler Optimization
  Insecure Randomness
  Insecure Temporary File
  Integer Overflow
  J2EE Bad Practices 2nd
  J2EE Misconfiguration
  Least Privilege Violation
  Leftover Debug Code
  Log Forging
  Memory Leaks
  Missing Access Control
  Missing Custom Error Handler
  Missing Error Handling
  Mobile Code
  need for additional
  Non-Final Public Field
  Null Dereference
  Object Highjack
  Obsolete
  Often Misused 2nd
  Overly Broad Catch Block
  Overly Broad Throws Declaration
  Password in Configuration File 2nd
  Password Management
  Path Manipulation
  Path Traversal
  Privacy Violation
  Private Array-Type Field ...
  Privilege Management
  Process Control
  Public Data Assigned ...
  Race Condition
  Resource Injection
  Security Features Kingdom
  Setting Manipulation
  Signal Handling Race Conditions
  Sockets
  SQL Injection
  String Manipulation
  String Termination Error
  Struts
  System Information Leak
  System.exit()
  Threads
  Time and State Kingdom
  TOCTOU (time-of-check-time-of-use)
  Trust Boundary Violation
  Unchecked Return Value 2nd
  Undefined Behavior
  Uninitialized Variable
  Unreleased Resource
  Unsafe Bean Declaration
  Unsafe JNI
  Unsafe Reflection
  Unused Validation Form
  Unvalidated Action Form
  Use After Free
  Use of Inner Class
  Validation Class Not Extended
  Validator Turned Off
  Validator Without Form Field
  Weak Access Permissions
  Weak Cryptography
  XML Validation
Taxonomy of vulnerabilities
Teams. [See Security professionals.]
Tent example
"Test-driven" design
Testing. [See Penetration testing; Risk-based security testing.]
Think like a bad guy. [See Black hat activities.]
Threads phylum
Threat modeling versus risk analysis
Threats, architectural risk analysis
Three pillars. [See Pillars of software security.]
Time and State vulnerability kingdom 2nd
Time as essential issue
Timing, risk-based security testing
TOCTOU (time-of-check-time-of-use) 2nd 3rd
Tools
  characteristics of
  code review. [See Code review, tools.]
  commercial vendors. [See Commercial source code analysis tool vendors.]
  Nessus
  penetration testing
    APISPY32
    breakpoint setters
    CANVAS
    Cenzic
    control flow coverage
    decompilers
    disassemblers
    fault injection
    Hailstorm
    Holodeck
    rootkits
    shell code
  port scanning
  problems with
Touchpoints [See also specific touchpoints]
  as best practices 2nd
  black hat activities
  constructive activities
  destructive activities
  example
  list of
    abuse cases
    architectural risk analysis
    code review
    penetration testing
    risk-based security testing
    security operations
  order of effectiveness
  overview
  sequence of
  timing in the lifecycle
  white hat activities
Training without assessment
Training, academic courses
Training, software security
Trinity of trouble
  complexity
  connectivity
  extensibility
Trust Boundary Violation phylum
Trustworthy Computing Initiative