The unauthorized taking of personally identifiable information with the intent of committing fraud
Identity theft
Failure to validate the server certificate and the certificate authority that issued it when using Hypertext Transfer Protocol Secure (HTTPS), so the connection is encrypted but not authenticated and an on-path attacker can substitute their own certificate; SSL itself is now deprecated in favor of TLS, but the flaw is the same with either
Improper use of Secure Sockets Layer (SSL)
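As an added example (not code from the page), what the flaw and its fix look like in Python's standard ssl module: both contexts below encrypt, but only the second verifies who is on the other end. The open_connection helper is an assumed convenience wrapper, not part of the page.

```python
import socket
import ssl
from typing import Optional

# Added example (not from the page): two TLS client contexts. Both encrypt;
# only the second ties the encryption to a verified identity.

def unverified_context() -> ssl.SSLContext:
    """The anti-pattern: encryption without authentication. Any certificate,
    including one minted by an on-path attacker, is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False           # has to be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def verified_context() -> ssl.SSLContext:
    """Validates the chain against the system CA store, checks the hostname
    against the certificate, and refuses pre-1.2 protocol versions."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def is_verifying(ctx: ssl.SSLContext) -> bool:
    """Check that a context enforces chain and hostname validation; useful in
    a unit test that guards against someone 'fixing' a cert error with CERT_NONE."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def open_connection(host: str, port: int = 443,
                    ctx: Optional[ssl.SSLContext] = None) -> ssl.SSLSocket:
    """Wrap a TCP socket with the verifying context. server_hostname is the
    name the certificate is checked against (assumed helper, not on the page)."""
    ctx = ctx or verified_context()
    raw = socket.create_connection((host, port), timeout=10)
    return ctx.wrap_socket(raw, server_hostname=host)
```

The is_verifying check is the one worth keeping in a test suite: the usual way this bug enters a codebase is a developer silencing a certificate error in a hurry by setting verify_mode to CERT_NONE.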
Unusual situations that require special processing, including irregularities during runtime, and the mechanism by which a program intercepts them instead of crashing or continuing in an undefined state
Catching exceptions
Computer software specifically designed to perform malicious or unwanted actions
Malware
Malware intended to deliver undesired marketing and advertising, including pop-ups and banners on a user's screen
Adware
Using statistical random or pseudorandom number generators (the kind suited to simulation and Monte Carlo methods) where unpredictability matters, such as for keys, tokens, nonces or session identifiers
Failure to use cryptographically strong random numbers
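As an added example (not from the page), a password-reset token drawn from Python's statistical random module versus one drawn from the OS CSPRNG through secrets. The timestamp seed and the 30-second guessing window are assumptions chosen to make the attacker's side concrete.

```python
import random
import secrets
import time

# Added example (not from the page): a reset token built on the Mersenne
# Twister in `random`, and the attacker's recovery of it, beside a token
# from `secrets`.

def weak_token(seed: int) -> str:
    """128 bits that look random but are a pure function of the seed."""
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)

def issue_weak_token() -> str:
    """How the vulnerable code usually reads: the seed is the clock."""
    return weak_token(int(time.time()))

def recover_weak_tokens(approx_issue_time: int, window: int = 30) -> list:
    """Attacker's side: if the token was issued within `window` seconds of a
    known time (the Date header of the reset e-mail, say), enumerate every
    candidate seed. One of the results is the victim's token."""
    return [weak_token(t) for t in range(approx_issue_time - window,
                                         approx_issue_time + window + 1)]

def strong_token() -> str:
    """128 bits from os.urandom; there is no seed to recover."""
    return secrets.token_hex(16)
```

The Monte Carlo remark in the definition is the point: random is designed to be reproducible from a seed, which is exactly the property a simulation wants and a session token must not have.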
When programmers do not properly anticipate problems and prepare their application code to handle them, so errors are ignored, leaked in messages, or left to drive the program into an insecure state
Failure to handle errors
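As an added example covering both the exception-handling and the error-handling entries above (not code from the page), the same authorization check written to fail open and to fail closed. The permission table and the DirectoryUnavailable error are constructed for the demo.

```python
# Added example (not from the page): an authorization check whose backend
# lookup can fail, handled two ways. PERMISSIONS and the simulated outage
# for "carol" are constructed for the demo.

PERMISSIONS = {"alice": {"read"}, "bob": {"read", "write"}}

class DirectoryUnavailable(Exception):
    """Stands in for a timeout or connection error from the real lookup."""

def lookup_permissions(user: str) -> set:
    if user == "carol":               # simulate the backend being down
        raise DirectoryUnavailable("directory timeout")
    return PERMISSIONS.get(user, set())

def is_allowed_fail_open(user: str, action: str) -> bool:
    """Anti-pattern: a catch-all that 'keeps the app working' by treating
    an unanswered question as a yes, and records nothing."""
    try:
        return action in lookup_permissions(user)
    except Exception:
        return True

def is_allowed_fail_closed(user: str, action: str, log: list) -> bool:
    """Catch only the error you can handle, record it, and deny by default;
    anything unexpected still propagates instead of being swallowed."""
    try:
        return action in lookup_permissions(user)
    except DirectoryUnavailable as exc:
        log.append("denied %r for %r: %s" % (action, user, exc))
        return False
```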
An application error that occurs when user input is passed directly to a command shell, compiler or interpreter without screening for metacharacters or content that may disrupt or compromise the intended function
Command injections
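As an added example (not from the page), running a tool on a user-supplied filename through a shell string versus through an argv list. echo stands in for the real tool so the injection is visible but harmless, and the malicious filename is constructed for the demo.

```python
import re
import subprocess

# Added example (not from the page). MALICIOUS_NAME is a constructed input;
# `echo` is used in place of whatever tool the application really invokes.

MALICIOUS_NAME = "report.txt; echo INJECTED"

def run_vulnerable(filename: str) -> str:
    # The filename is spliced into a line that /bin/sh parses, so ';', '|',
    # '$(...)' and backticks inside it become commands of their own.
    result = subprocess.run("echo processing " + filename, shell=True,
                            capture_output=True, text=True)
    return result.stdout

def run_safe(filename: str) -> str:
    # No shell. The filename is a single argv element; metacharacters are data.
    result = subprocess.run(["echo", "processing", filename],
                            capture_output=True, text=True)
    return result.stdout

SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,254}")

def validate_filename(filename: str) -> bool:
    """Allowlist to apply before either call: no separators, no path
    components, and no leading dash that a tool could read as an option."""
    return SAFE_NAME.fullmatch(filename) is not None
```

The argv form removes the shell from the picture entirely; the allowlist is still worth having because the tool itself may interpret its argument (a leading "-" as a flag, for instance), which no amount of quoting fixes.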
A type of malware that attaches itself to other executable programs and runs when its host program is run. Once active it replicates into other programs and spreads to other systems by whatever vectors are available (removable media, e-mail attachments, shared files), usually needing a user action to start; this dependence on a host program is what distinguishes it from a worm
Virus
Computer software specifically designed to identify and encrypt valuable information in a victim’s system in order to extort payment for the key needed to unlock the encryption
Ransomware
Inadequate access controls on the data a program stores and handles, and secrets such as passwords and keys embedded in the program or its configuration instead of being kept out of it
Failure to store and protect data securely
A class of computational error caused by methods that computers use to store and manipulate integer numbers; this bug can be exploited by attackers
Integer bugs
When developers fail to properly validate user input before using it to query a relational database
SQL Injection
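As an added example (not from the page), a login query built by string formatting beside a parameterized one, run against an in-memory SQLite table constructed for the demo. The user names, passwords and attack strings are all made up for the illustration.

```python
import sqlite3

# Added example (not from the page): vulnerable and parameterized login
# queries against a constructed in-memory table.

def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Input becomes part of the SQL text: a quote in `name` closes the literal
    # and "--" comments out the password check entirely.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    return sorted(row[0] for row in conn.execute(query))

def login_safe(conn: sqlite3.Connection, name: str, password: str) -> list:
    # Placeholders: the driver passes the values separately from the query
    # text, so they can only be compared, never parsed as SQL.
    query = "SELECT name FROM users WHERE name = ? AND password = ?"
    return sorted(row[0] for row in conn.execute(query, (name, password)))

def demo() -> dict:
    conn = make_db()
    return {
        "bypass_vulnerable": login_vulnerable(conn, "alice' --", "wrong"),
        "bypass_safe": login_safe(conn, "alice' --", "wrong"),
        "dump_vulnerable": login_vulnerable(conn, "' OR '1'='1", "' OR '1'='1"),
        "legit_safe": login_safe(conn, "bob", "hunter2"),
    }
```

Note what the fix is not: it is not escaping quotes by hand. Parameter binding keeps data and query text on separate channels, which is why it holds up regardless of the database's quoting rules.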
Self-replicating malware that activates and spreads to other systems on its own, without attaching itself to a host program, often exploiting several (up to six in well-known specimens) attack vectors against a variety of vulnerabilities in common information system devices
Worm
Network traffic sent without adequate encryption, for example wireless traffic that uses no encryption, the broken WEP, or the original WPA rather than WPA2 or WPA3
Failure to protect network traffic
When an attacker changes the expected location of a file, by manipulating the path a program builds from its input or by intercepting and redirecting the call the program makes (a symbolic link or a substituted file), which can force a program to use files other than the ones it is supposed to use
Improper file access
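As an added example (not from the page) of the path-manipulation form of this flaw: a "read the user's profile" function that joins user input onto a base directory, beside one that canonicalizes the result and checks it is still inside the base. The directory layout and file contents are constructed inside a temporary directory for the demo.

```python
import os
import tempfile
from pathlib import Path

# Added example (not from the page): directory traversal through os.path.join,
# and a containment check using resolved paths.

def read_profile_vulnerable(base: str, user_path: str) -> str:
    # os.path.join keeps "../" components and, for an absolute user_path,
    # discards `base` altogether.
    with open(os.path.join(base, user_path), "r") as f:
        return f.read()

def read_profile_safe(base: str, user_path: str) -> str:
    base_real = Path(base).resolve()
    target = (base_real / user_path).resolve()     # collapses "..", follows symlinks
    if target != base_real and base_real not in target.parents:
        raise PermissionError("%r escapes %s" % (user_path, base))
    return target.read_text()

def demo() -> dict:
    """Constructed layout: <tmp>/profiles/alice.txt is legitimate,
    <tmp>/secret.txt is what the attacker is after."""
    with tempfile.TemporaryDirectory() as tmp:
        profiles = Path(tmp, "profiles")
        profiles.mkdir()
        (profiles / "alice.txt").write_text("alice's profile")
        Path(tmp, "secret.txt").write_text("database password")
        out = {"leaked": read_profile_vulnerable(str(profiles), "../secret.txt"),
               "legit": read_profile_safe(str(profiles), "alice.txt")}
        try:
            read_profile_safe(str(profiles), "../secret.txt")
            out["blocked"] = False
        except PermissionError:
            out["blocked"] = True
        return out
```

The caveat a practitioner should keep in mind: resolving a path and then opening it leaves a window in which an attacker who can write to the directory swaps a file or link, which is the "intercepting the call" form of the definition. Where that matters, open relative to a directory descriptor and with O_NOFOLLOW rather than trusting a check made a moment earlier.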
When an attacker embeds characters that are meaningful as format directives (such as %x, %s, %p or %n for C's printf family) into input that the program then uses as a format string, letting the attacker read memory and, with %n, write to it
Format string problems
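As an added example (not from the page), the same bug class in Python's str.format, where a user-controlled format string can walk into the objects passed as arguments instead of into the stack as with printf. The Settings class and its secret are constructed for the demo.

```python
# Added example (not from the page): user input used as the format string
# in str.format. Settings and its db_password are constructed for the demo.

class Settings:
    def __init__(self):
        self.db_password = "hunter2"

def greeting_vulnerable(display_name: str, settings: Settings) -> str:
    # The developer concatenates user input into the template and then formats
    # it with application context. The input has become the format string, and
    # "{settings.db_password}" in it is a directive that follows attributes.
    template = "Welcome back, " + display_name + "!"
    return template.format(settings=settings)

def greeting_safe(display_name: str, settings: Settings) -> str:
    # The format string is a constant; user input is only ever an argument,
    # so braces in it are rendered literally.
    template = "Welcome back, {name}!"
    return template.format(name=display_name, settings=settings)
```

In C the consequence is reading and, via %n, writing the stack; in Python it is attribute and item access through any object reachable from the arguments, which is enough to pull configuration and secrets out of the process.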
Any technology that aids in gathering information about people or organizations without their knowledge
Spyware
The component of an attack that does the actual work once delivered: the code a virus, worm, Trojan horse, exploit or piece of malicious input executes on the victim. A payload that provides access to a system by bypassing normal access controls is a back door
Payload
An application error that occurs when more data is written to a fixed-size program buffer than it was designed to hold, overwriting adjacent memory (in C, typically through unchecked copies such as strcpy or gets)
Buffer overruns
A Web application fault that occurs when an application echoes unvalidated input (stored from an earlier request or reflected from the current one) into the pages it serves, so an attacker's script runs in other users' browser sessions with the site's privileges and can send their session data to a hostile server
Cross-site scripting (XSS)
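As an added example (not from the page), rendering a user comment into HTML with and without output encoding, plus a scheme allowlist for the href attribute, since escaping alone does not neutralize a javascript: URL in a link. The comment payload and URLs are constructed for the demo.

```python
import html
from urllib.parse import urlsplit

# Added example (not from the page): a comment widget rendered unsafely and
# safely. The payload used in the usage notes is constructed for the demo.

def render_vulnerable(author: str, body: str, site: str) -> str:
    # User input is dropped straight into markup; a <script> in `body` runs
    # in every visitor's browser with the site's origin.
    return '<li><a href="%s">%s</a>: %s</li>' % (site, author, body)

def safe_href(url: str) -> str:
    """Attribute context: only http(s) links are allowed through, and the
    value is still escaped; anything else collapses to '#'."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return html.escape(url, quote=True) if scheme in ("http", "https") else "#"

def render_safe(author: str, body: str, site: str) -> str:
    # Encode for the context each value lands in: text nodes get html.escape,
    # the URL attribute gets the scheme check plus escaping.
    return '<li><a href="%s">%s</a>: %s</li>' % (
        safe_href(site),
        html.escape(author, quote=True),
        html.escape(body, quote=True),
    )
```

The general rule the example shows is that the right encoding depends on where the value lands: HTML text, an attribute value, a URL and a script block each need different treatment, and templating engines that auto-escape handle the first but not the URL scheme case.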
A form of social engineering in which the attacker sends what appears to be a legitimate communication (usually e-mail) that lures the recipient, through a link or an embedded form, to an attacker-controlled third-party site impersonating a trusted one, in an effort to extract personal or confidential information such as credentials
Phishing
A malware program that hides its true nature, presenting itself as something useful or benign, and reveals its designed behavior only when activated
Trojan horse