For the weak access control issue, look for code that:

- Sets access controls AND grants write access to low-privileged users, or
- Creates an object without setting access controls AND creates the object in a place writable by low-privileged users, or
- Writes configuration information into a shared area, or
- Writes sensitive information into an area readable by low-privileged users

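The conditions above can also be checked against what the code leaves on disk. The following is an added example, not code from the original text: it assumes a POSIX system, treats the "other" permission bits as the low-privileged users, and the names `create_private`, `audit_tree` and `demo`, along with the sample files, are constructed for illustration.

```python
import os
import stat
import tempfile

def create_private(path, data):
    """Create a new file that only its owner can read or write."""
    # O_EXCL refuses a file or symlink somebody else pre-created; the mode is
    # applied atomically at creation instead of by a later chmod.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(data)

def audit_tree(root, sensitive=()):
    """Return sorted (relative path, finding) pairs for files under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        dmode = os.lstat(dirpath).st_mode
        # World-writable without the sticky bit: any user can replace objects here.
        shared = bool(dmode & stat.S_IWOTH) and not dmode & stat.S_ISVTX
        for name in filenames:
            full = os.path.join(dirpath, name)
            mode = os.lstat(full).st_mode
            if not stat.S_ISREG(mode):
                continue  # symlinks and special files are out of scope here
            rel = os.path.relpath(full, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "writable by any user"))
            if shared:
                findings.append((rel, "created in a world-writable directory"))
            if name in sensitive and mode & stat.S_IROTH:
                findings.append((rel, "sensitive data readable by any user"))
    return sorted(findings)

def demo():
    """Audit a constructed sample tree (all names and modes are made up)."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "shared"))
        os.chmod(os.path.join(root, "shared"), 0o777)  # no sticky bit
        samples = (("app.conf", 0o666), ("secrets.db", 0o644), ("shared/state", 0o600))
        for rel, mode in samples:
            path = os.path.join(root, rel)
            with open(path, "w") as f:
                f.write("constructed sample\n")
            os.chmod(path, mode)
        create_private(os.path.join(root, "key.bin"), b"constructed")
        return audit_tree(root, sensitive={"secrets.db", "key.bin"})

if __name__ == "__main__":
    print("\n".join(f"{p}: {why}" for p, why in demo()))
```

The file written by `create_private` produces no finding, while each of the three sample files trips exactly one of the conditions in the list.
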
For the embedded data sin, you should evaluate any code using any kind of encryption or creating outbound authenticated connections and determine where the password or key comes from; if it comes from within the code, you have a bug you need to fix (see the following section).