Abstract: This article introduces Fortify scanning for the Java language, specifically the classification of software security errors, and illustrates it with concrete content; we hope it helps readers learning Java.
Classification of software security errors

- Input Validation and Representation
- API Abuse
- Security Features
- Time and State
- Errors
- Code Quality
- Encapsulation
Input validation and representation problems are caused by metacharacters, alternate encodings and numeric representations. Security problems result from trusting input. The issues include buffer overflows, cross-site scripting attacks, SQL injection, and many others.
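As an added example (not code from the article or from Fortify), the class below shows the defensive pattern behind three findings in this kingdom: Log Forging (strip line breaks before logging untrusted text), Path Manipulation (normalize a user-supplied path and confirm it stays under a fixed base directory, since `..` segments are exactly the alternate representation a traversal relies on), and SQL Injection (bind user data with a `PreparedStatement` instead of concatenating it into the query). The class name, method names and all inputs are constructed for illustration; the JDBC method only compiles here because `main` has no database to run it against.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.regex.Pattern;

/** Added example: input validation patterns for Fortify's first kingdom (names are hypothetical). */
public class InputValidationDemo {

    // Allow-list for identifiers: reject metacharacters rather than trying to strip them.
    private static final Pattern USERNAME = Pattern.compile("^[A-Za-z0-9_.-]{1,32}$");

    /** Log Forging: replace CR/LF and other control characters so untrusted text cannot fabricate log lines. */
    public static String sanitizeForLog(String untrusted) {
        if (untrusted == null) {
            return "";
        }
        return untrusted.replaceAll("[\\p{Cntrl}]", "_");
    }

    /** Returns true only if the name matches the allow-list above. */
    public static boolean isValidUsername(String name) {
        return name != null && USERNAME.matcher(name).matches();
    }

    /**
     * Path Manipulation: resolve the user-supplied name against a fixed base directory,
     * normalize away "." and ".." segments, then verify the result is still inside the base.
     * An absolute user path also fails the check because resolve() returns it unchanged.
     */
    public static Path resolveWithinBase(Path base, String userPath) {
        Path normalizedBase = base.toAbsolutePath().normalize();
        Path candidate = normalizedBase.resolve(userPath).normalize();
        if (!candidate.startsWith(normalizedBase)) {
            throw new IllegalArgumentException("path escapes base directory: " + userPath);
        }
        return candidate;
    }

    /** SQL Injection: the parameter is bound, never spliced into the SQL text (table/column names are constructed). */
    public static boolean userExists(Connection conn, String name) throws SQLException {
        String sql = "SELECT 1 FROM users WHERE username = ?";
        try (PreparedStatement ps = conn.prepareStatement(sql)) {
            ps.setString(1, name);
            try (ResultSet rs = ps.executeQuery()) {
                return rs.next();
            }
        }
    }

    public static void main(String[] args) {
        // Constructed inputs for the demonstration.
        String forged = "alice\nINFO user=admin login=ok";
        System.out.println("log entry: user=" + sanitizeForLog(forged));

        System.out.println("valid 'bob_1': " + isValidUsername("bob_1"));
        System.out.println("valid 'bob; drop': " + isValidUsername("bob; drop"));

        Path base = Paths.get("/var/app/uploads");
        System.out.println("resolved: " + resolveWithinBase(base, "report.pdf"));
        try {
            resolveWithinBase(base, "../../outside.txt");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The common thread is that each method decides what the input is allowed to be before the data reaches a sink (log file, file system, database), which is the condition Fortify's dataflow rules check for: a value that flows from an untrusted source to a sink without passing through a recognized validation or binding step is what produces a finding in this kingdom.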
| Category | Scan item |
|---|---|
| Input Validation and Representation | Buffer Overflow |
| Input Validation and Representation | Command Injection |
| Input Validation and Representation | Cross-Site Scripting |
| Input Validation and Representation | Format String |
| Input Validation and Representation | HTTP Response Splitting |
| Input Validation and Representation | Illegal Pointer Value |
| Input Validation and Representation | Integer Overflow |
| Input Validation and Representation | Log Forging |
| Input Validation and Representation | Path Manipulation |
| Input Validation and Representation | Process Control |
| Input Validation and Representation | Resource Injection |
| Input Validation and Representation | Setting Manipulation |
| Input Validation and Representation | SQL Injection |
| Input Validation and Representation | String Termination Error |
| Input Validation and Representation | Struts: Duplicate Validation Forms |
| Input Validation and Representation | Struts: Form Bean Does Not Extend Validation Class |
| Input Validation and Representation | Struts: Form Field Without Validator |
| Input Validation and Representation | Struts: Plug-in Framework Not In Use |
| Input Validation and Representation | Struts: Unused Validation Form |
| Input Validation and Representation | Struts: Unvalidated Action Form |
| Input Validation and Representation | Struts: Validator Turned Off |
| Input Validation and Representation | Struts: Validator Without Form Field |
| Input Validation and Representation | Unsafe JNI |
| Input Validation and Representation | Unsafe Reflection |
| Input Validation and Representation | XML Validation |
| Category | Scan item |
|---|---|
| API Abuse | Dangerous Function |
| API Abuse | Directory Restriction |
| API Abuse | Heap Inspection |
| API Abuse | J2EE Bad Practices: getConnection() |
| API Abuse | J2EE Bad Practices: Sockets |
| API Abuse | Often Misused: Authentication |
| API Abuse | Often Misused: Exception Handling |
| API Abuse | Often Misused: File System |
| API Abuse | Often Misused: Privilege Management |
| API Abuse | Often Misused: Strings |
| API Abuse | Unchecked Return Value |
| Category | Scan item |
|---|---|
| Security Features | Insecure Randomness |
| Security Features | Least Privilege Violation |
| Security Features | Missing Access Control |
| Security Features | Password Management |
| Security Features | Password Management: Empty Password in Config File |
| Security Features | Password Management: Hard-Coded Password |
| Security Features | Password Management: Password in Config File |
| Security Features | Password Management: Weak Cryptography |
| Security Features | Privacy Violation |
| Category | Scan item |
|---|---|
| Time and State | Deadlock |
| Time and State | Failure to Begin a New Session upon Authentication |
| Time and State | File Access Race Condition: TOCTOU |
| Time and State | Insecure Temporary File |
| Time and State | J2EE Bad Practices: System.exit() |
| Time and State | J2EE Bad Practices: Threads |
| Time and State | Signal Handling Race Conditions |
| Category | Scan item |
|---|---|
| Errors | Catch NullPointerException |
| Errors | Empty Catch Block |
| Errors | Overly-Broad Catch Block |
| Errors | Overly-Broad Throws Declaration |
| Category | Scan item |
|---|---|
| Code Quality | Double Free |
| Code Quality | Inconsistent Implementations |
| Code Quality | Memory Leak |
| Code Quality | Null Dereference |
| Code Quality | Obsolete |
| Code Quality | Undefined Behavior |
| Code Quality | Uninitialized Variable |
| Code Quality | Unreleased Resource |
| Code Quality | Use After Free |
| Category | Scan item |
|---|---|
| Encapsulation | Comparing Classes by Name |
| Encapsulation | Data Leaking Between Users |
| Encapsulation | Leftover Debug Code |
| Encapsulation | Mobile Code: Object Hijack |
| Encapsulation | Mobile Code: Use of Inner Class |
| Encapsulation | Mobile Code: Non-Final Public Field |
| Encapsulation | Private Array-Typed Field Returned From a Public Method |
| Encapsulation | Public Data Assigned to Private Array-Typed Field |
| Encapsulation | System Information Leak |
| Encapsulation | Trust Boundary Violation |
This article was compiled and published by Zhizuobiao (职坐标); we hope it is useful to readers.