Identify Actors

A category in the Common Weakness Enumeration published by The MITRE Corporation.


Summary

Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.

Weaknesses in this category are related to the design and architecture of a system's identification management components. Frequently these deal with verifying that external agents provide inputs into the system. The weaknesses in this category could lead to a degradation of the quality of identification management if they are not addressed when designing or implementing a secure architecture.

Weaknesses

Improper Certificate Validation

The software does not validate, or incorrectly validates, a certificate.

Improper Check for Certificate Revocation

The software does not check or incorrectly checks the revocation status of a certificate, which may cause it to use a certificate that has been compromised.

Improper Following of a Certificate's Chain of Trust

The software does not follow, or incorrectly follows, the chain of trust for a certificate back to a trusted root certificate, resulting in incorrect trust of any reso...

Improper Validation of Certificate Expiration

A certificate expiration is not validated or is incorrectly validated, so trust may be assigned to certificates that have been abandoned due to age.

Improper Validation of Certificate with Host Mismatch

The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.

Improper Verification of Source of a Communication Channel

The software establishes a communication channel to handle an incoming request that has been initiated by an actor, but it does not properly verify that the request is...

Incorrectly Specified Destination in a Communication Channel

The software creates a communication channel to initiate an outgoing request to an actor, but it does not correctly specify the intended destination for that actor.

Insufficient Verification of Data Authenticity

The software does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Missing Check for Certificate Revocation after Initial Check

The software does not check the revocation status of a certificate after its initial revocation check, which can cause the software to perform privileged actions even ...

Missing Validation of OpenSSL Certificate

The software uses OpenSSL and trusts or uses a certificate without using the SSL_get_verify_result() function to ensure that the certificate satisfies all necessary se...

Origin Validation Error

The software does not properly verify that the source of data or communication is valid.

Unintended Proxy or Intermediary ('Confused Deputy')

The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request bef...

Concepts

Architectural Concepts

This view organizes weaknesses according to common architectural security tactics. It is intended to assist architects in identifying potential mistakes that can be ma...

See Also

  1. A Catalog of Security Architecture Weaknesses.

    2017 IEEE International Conference on Software Architecture (ICSA)

  2. Understanding Software Vulnerabilities Related to Architectural Security Tactics: An Empirical Investigation of Chromium, PHP and Thunderbird.

    2017 IEEE International Conference on Software Architecture (ICSA)


Common Weakness Enumeration content on this website is copyright of The MITRE Corporation unless otherwise specified. Use of the Common Weakness Enumeration and the associated references on this website are subject to the Terms of Use as specified by The MITRE Corporation.