
> On Jan 9, 2024, at 3:56 PM, Hatfield, Arthur <[email protected]> wrote:
> 
> I do believe that applications, passwords, and protocols count as “resources,” and that the default configuration that ships with an application, or is engineered into a system, would count as the “initialization” of that “resource.”  That said, could CWE-1188 get some better demonstrative examples? Absolutely. To wit, one of the observed examples (CVE-2022-42467) of CWE-1188 isn’t about a vulnerability at all, but about a UI not requiring a password by default.

I think few people would list a password or a protocol as a "resource".

If CWE-1188 is to be the generic weakness for insecure defaults, then I think it MUST be renamed from "Initialization of a Resource with an Insecure Default" to "Insecure Default". If that's the plan, the words "initialization" and "resource" are adding no value. Put another way: if everything is a resource, then there's no need to mention the word resource, as it's not distinguishing any cases.

Whatever the CWE is, I'd add examples. Here are a few ideas:

* By default it uses an external network connection that is NOT authenticated or encrypted. Network connections should be authenticated & encrypted (e.g., TLS, SSH, etc.). If a user specifically requests it (e.g., non-default config or "http://") that's fine, but if it's unspecified, it must be authenticated & encrypted. Protocols like telnet (port 80) should only work if the user specially configured it.
* It has a default password that's known to anyone other than that specific user. It's fine for a system to request a password on startup, or have a unique password set per instance, but a default password shared among instances is insecure.
* Uses a known insecure algorithm for security purposes, e.g., MD5 or SHA-1 or DES as a security mechanism. Non-security uses are fine.
--- David A. Wheeler
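As an added illustration of the three insecure-default patterns listed in the message above (this is example code, not part of the original thread), a small checker that flags them in a shipped default configuration, with a constructed weak configuration beside a hardened one; the configuration key names and sample values are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample values, not taken from any real product.
SHARED_DEFAULT_PASSWORDS = {"admin", "password", "changeme", "123456"}
# Algorithms the message names as insecure when used as a security mechanism.
WEAK_SECURITY_ALGORITHMS = {"md5", "sha1", "sha-1", "des"}
# URL schemes that are neither authenticated nor encrypted.
CLEARTEXT_SCHEMES = {"http", "telnet", "ftp"}
# Keys where the algorithm serves a security purpose; a cache-key hash is a non-security use.
SECURITY_ALGORITHM_KEYS = ("signature_hash_algorithm", "password_hash_algorithm")


def find_insecure_defaults(config, explicitly_set=frozenset()):
    """Return [(key, reason), ...]; keys in `explicitly_set` were chosen by the
    user (a deliberately requested "http://" is acceptable), so they are skipped."""
    findings = []
    url = config.get("upstream_url")
    if url and "upstream_url" not in explicitly_set:
        scheme = urlparse(url).scheme.lower()
        if scheme in CLEARTEXT_SCHEMES:
            findings.append(("upstream_url", f"unauthenticated, unencrypted {scheme} by default"))
    # None means "prompt for a password on first start", which is acceptable.
    pw = config.get("admin_password")
    if pw is not None and pw in SHARED_DEFAULT_PASSWORDS:
        findings.append(("admin_password", "default password shared across instances"))
    for key in SECURITY_ALGORITHM_KEYS:
        alg = config.get(key)
        if alg and alg.lower() in WEAK_SECURITY_ALGORITHMS:
            findings.append((key, f"{alg} is a known-insecure algorithm for a security purpose"))
    return findings


# Constructed 'before' defaults exhibiting all three patterns.
WEAK_DEFAULTS = {
    "upstream_url": "http://updates.example.invalid/",
    "admin_password": "admin",
    "signature_hash_algorithm": "MD5",
    "cache_key_hash": "md5",  # non-security use: not flagged
}

# Constructed hardened defaults: encrypted transport, per-instance password, modern hash.
HARDENED_DEFAULTS = {
    "upstream_url": "https://updates.example.invalid/",
    "admin_password": None,  # set uniquely per instance at first start
    "signature_hash_algorithm": "SHA-256",
    "cache_key_hash": "md5",
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_DEFAULTS), ("hardened", HARDENED_DEFAULTS)):
        print(name, find_insecure_defaults(cfg))
```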
