SFP Secondary Cluster: Unexpected Entry Points

The product is deployed to unauthorized actors with debugging code still enabled or active, which can create unintended entry points or expose sensitive information.

The product declares an array public, final, and static, which is not sufficient to prevent the array's contents from being modified.

The product contains a clone() method that does not call super.clone() to obtain the new object.

The product declares a critical variable, field, or member to be public when intended security policy requires it to be private.

The product has a critical public variable that is not final, which allows the variable to be modified to contain unexpected values.

The product violates secure coding principles for mobile code by declaring a finalize() method public.

The product contains a finalize() method that does not call super.finalize().

Accessible test applications can pose a variety of security risks. Since developers or administrators rarely consider that someone besides themselves would even know a...

A class has a cloneable() method that is not declared final, which allows an object to be created without calling the constructor. This can cause the object to be in a...

An object contains a public static field that is not marked final, which might allow it to be modified in unexpected ways.

An ActionForm class contains a field that has not been declared private, which can be accessed without using a setter or getter.

CWE identifiers in this view are associated with clusters of Software Fault Patterns (SFPs).