...
Security bug reporting tools
Security bug effects
- Not a Security Bug
- Spoofing
- Tampering
- Repudiation
- Information Disclosure
- Denial of Service
- Elevation of Privilege
- Attack Surface Reduction
Security bug cause
- Not a security bug
- Buffer overflow/underflow
- Arithmetic error (for example, integer overflow)
- SQL/Script injection
- Directory traversal
- Race condition
- Cross-site scripting
- Cryptographic weakness
- Weak authentication
- Weak authorization/Inappropriate permission or access control list (ACL)
- Ineffective secret hiding
- Unlimited resource consumption (Denial of Service [DoS])
- Incorrect/No error messages
- Incorrect/No pathname canonicalization
- Other
...
• Secure defaults
• Defense-in-depth
• Separation of privilege
• Least privilege
• Least common mechanism
• Psychological acceptability
• Minimize default attack surface
• Input validation with whitelists
Security design review
• Individual projects ensure their code passes the security test suites.
• Akraino Stack people model individual projects and conduct model checking (using Dafny) for fault-tolerance and information-flow properties.
Security architecture
• Attack surface measurement
• Product structure or layering
...