Category: Comprehensive Categorization: Violation of Secure Design Principles
Incomplete
Summary
Weaknesses in this category are related to violation of secure design principles.
Membership
| ID | Name | Description |
|---|---|---|
| CWE-1189 | Improper Isolation of Shared Resources on System-on-a-Chip (SoC) | This vulnerability occurs when a System-on-a-Chip (SoC) fails to properly separate shared hardware resources between secure (trusted) and non-secure (untrusted) components. |
| CWE-1192 | Improper Identifier for IP Block used in System-On-Chip (SOC) | This weakness occurs when a System-on-Chip (SoC) lacks a secure, unique, and permanent identifier for its internal hardware components (IP blocks). Without this, the system cannot reliably distinguish between different parts of the chip, leading to security and reliability failures. |
| CWE-1303 | Non-Transparent Sharing of Microarchitectural Resources | This vulnerability occurs when a processor's internal performance features, like caches and branch predictors, are unintentionally shared between different software contexts. This breaks the expected isolation, allowing data to leak across security boundaries. |
| CWE-1331 | Improper Isolation of Shared Resources in Network On Chip (NoC) | This vulnerability occurs when a Network on Chip (NoC) fails to properly separate its internal, shared resources—like buffers, switches, and channels—between trusted and untrusted components. This lack of isolation creates a timing side-channel, allowing untrusted agents to potentially infer sensitive data from trusted ones. |
| CWE-1395 | Dependency on Vulnerable Third-Party Component | This vulnerability occurs when your software relies on an external library, framework, or module that contains known security flaws. |
| CWE-250 | Execution with Unnecessary Privileges | This vulnerability occurs when software runs with higher permissions than it actually needs to perform its tasks. This excessive privilege creates security risks by opening doors to new attacks or making existing weaknesses more dangerous. |
| CWE-424 | Improper Protection of Alternate Path | This vulnerability occurs when an application fails to secure every possible route a user could take to reach sensitive features or data, leaving backdoors or unintended access points open. |
| CWE-447 | Unimplemented or Unsupported Feature in UI | This vulnerability occurs when a user interface displays a security feature as active and functional, but the underlying code that powers it is either missing or disabled. Users receive visual confirmation that a protection is in place, creating a false sense of security. |
| CWE-636 | Not Failing Securely ('Failing Open') | This vulnerability occurs when a system, upon encountering an error or failure, defaults to its least secure configuration instead of a safer alternative. Examples include reverting to the weakest encryption or the most permissive access rules. |
| CWE-637 | Unnecessary Complexity in Protection Mechanism (Not Using 'Economy of Mechanism') | This weakness occurs when a security feature is implemented with excessive complexity, creating unnecessary risk. Overly intricate protection mechanisms are harder to understand, configure, and implement correctly, often leading to security gaps and misconfigurations. |
| CWE-638 | Not Using Complete Mediation | This vulnerability occurs when software fails to verify access permissions every single time a user or process tries to use a resource. Instead, it might rely on a single, outdated check, creating a security gap if the user's privileges are later revoked or changed. |
| CWE-653 | Improper Isolation or Compartmentalization | This vulnerability occurs when an application fails to enforce strong boundaries between components that operate at different security levels, allowing lower-privileged functions to improperly interact with higher-privileged ones. |
| CWE-654 | Reliance on a Single Factor in a Security Decision | This vulnerability occurs when a system's security check depends almost entirely on just one condition, object, or piece of data to decide whether to grant access to sensitive resources or actions. It's like having a single, easily compromised lock on a vault, instead of a layered defense. |
| CWE-655 | Insufficient Psychological Acceptability | This weakness occurs when security features are so cumbersome or confusing that well-intentioned users feel forced to turn them off or find workarounds, defeating their purpose entirely. |
| CWE-656 | Reliance on Security Through Obscurity | This weakness occurs when a system's primary defense relies on hiding how it works, rather than using a robust, well-tested security mechanism. If an attacker discovers the hidden details—like a secret algorithm or hardcoded key—the protection fails completely. |
| CWE-657 | Violation of Secure Design Principles | This weakness occurs when a system's architecture or design fails to follow fundamental security principles, creating a flawed foundation that can lead to multiple vulnerabilities. |
| CWE-671 | Lack of Administrator Control over Security | This weakness occurs when a system's built-in security settings cannot be adjusted by its administrator. This prevents tailoring security to the specific deployment environment, forcing the system to operate at a lower or inappropriate security level than required. |
| CWE-1400 | Comprehensive Categorization for Software Assurance Trends |
Vulnerability Mapping Notes
Usage: Prohibited
Reasons: Category
Rationale:
This entry is a Category. Using categories for mapping has been discouraged since 2019. Categories are informal organizational groupings of weaknesses that can help CWE users with data aggregation, navigation, and browsing. However, they are not weaknesses in themselves [REF-1330].
Comment:
See member weaknesses of this category.