9. CWE/SANS TOP 25
Most Dangerous Software Errors
• A collection of the most dangerous risks in software development and their countermeasures
• Guidance for Using the Top 25
• Brief Listing of the Top 25
• Category-Based View of the Top 25
• Organization of the Top 25
• Detailed CWE Descriptions
• Monster Mitigations
2015/6/26Electronic Service Initiative, Ltd All Rights Reserved. http://www.es-i.jp/ 9
https://www.sans.org/top25-software-errors/
10. Insecure Interaction Between Components
CWE ID   Name
CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-434  Unrestricted Upload of File with Dangerous Type
CWE-352  Cross-Site Request Forgery (CSRF)
CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
11. Risky Resource Management
CWE ID   Name
CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-494  Download of Code Without Integrity Check
CWE-829  Inclusion of Functionality from Untrusted Control Sphere
CWE-676  Use of Potentially Dangerous Function
CWE-131  Incorrect Calculation of Buffer Size
CWE-134  Uncontrolled Format String
CWE-190  Integer Overflow or Wraparound
12. Porous Defenses
CWE ID   Name
CWE-306  Missing Authentication for Critical Function
CWE-862  Missing Authorization
CWE-798  Use of Hard-coded Credentials
CWE-311  Missing Encryption of Sensitive Data
CWE-807  Reliance on Untrusted Inputs in a Security Decision
CWE-250  Execution with Unnecessary Privileges
CWE-863  Incorrect Authorization
CWE-732  Incorrect Permission Assignment for Critical Resource
CWE-327  Use of a Broken or Risky Cryptographic Algorithm
CWE-307  Improper Restriction of Excessive Authentication Attempts
CWE-759  Use of a One-Way Hash without a Salt
13. OWASP TOP 10
• A1 Injection
• A2 XSS
• A3 Weak authentication and session management
• A4 Insecure Direct Object Reference
• A5 Cross Site Request Forgery
• A6 Security Misconfiguration
• A7 Insufficient Cryptographic Storage
• A8 Failure to Restrict URL access
• A9 Insufficient Transport Layer Protection
• A10 Unvalidated Redirects and Forwards
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
14. CWE/SANS TOP 25 / OWASP TOP 10
Are these all the risks?
• CWE (Common Weakness Enumeration)
• Common weakness types
• A database that catalogues the types of vulnerabilities. Maintained by MITRE, the organization that also manages CVE
• The CWE/SANS Top 25 is merely the top 25 entries within CWE
• CWE is a catalogue of common weaknesses, that is, a catalogue that "generalizes" weaknesses shared across software
• Handling environment-specific, individual vulnerabilities requires "individual" rather than "common" measures
15. The CWE Catalogue
Common weaknesses alone number 719!
When vulnerabilities are considered per environment, many times that number of individual software vulnerabilities exist.
https://cwe.mitre.org/data/slices/2000.html