The software is intended to manage data access through a particular data manager component such as a relational or non-SQL database, but it contains code that performs data access operations without using that component.
Modes of Introduction:
Other: Reduce Reliability
A function or method contains too many
operations that utilize a data manager or file resource.
Modes of Introduction:
Other: Reduce Maintainability
The code contains callable control elements that
contain an excessively large number of references to other
application objects external to the context of the callable,
i.e. a Fan-Out value that is excessively large.
Modes of Introduction:
Other: Reduce Maintainability
The software performs a data query with a large number of joins
and sub-queries on a large data table.
Modes of Introduction:
Other: Reduce Performance
The application has a form field that is not validated by a corresponding validation form, which can introduce other weaknesses related to insufficient input validation.
Omitting validation for even a single input field may give attackers the leeway they need to compromise the application. Although J2EE applications are not generally susceptible to memory corruption attacks, if a J2EE application interfaces with native code that does not perform array bounds checking, an attacker may be able to use an input validation mistake in the J2EE application to launch a buffer overflow attack.
Modes of Introduction:
– Implementation
Integrity: Unexpected State
Integrity: Bypass Protection Mechanism
If unused fields are not validated, shared business logic in an action may allow attackers to bypass the validation checks that are performed for other uses of the form.
Phase: Implementation
Description:
Validate all form fields. If a field is unused, it is still important to constrain it so that it is empty or undefined.
The software has a loop body or loop condition that contains a control element that directly or
indirectly consumes platform resources, e.g. messaging, sessions, locks, or file
descriptors.
Modes of Introduction:
Other: Reduce Performance
The software initializes data using hard-coded values that act as network resource identifiers.
Modes of Introduction:
Other: Reduce Reliability
The software initializes a data element using a hard-coded
literal that is not a simple integer or static constant element.
Modes of Introduction:
Other: Reduce Maintainability
The product does not have documentation that represents how it is designed.
Modes of Introduction:
The code at one architectural layer invokes code that resides
at a deeper layer than the adjacent layer, i.e., the invocation skips at least one
layer, and the invoked code is not part of a vertical utility layer that can be referenced from any horizontal layer.
Modes of Introduction:
Other: Reduce Maintainability