Comprehensive Categorization: Component Interaction
A category in the Common Weakness Enumeration published by The MITRE Corporation.
Summary
Categories in the Common Weakness Enumeration (CWE) group entries based on some common characteristic or attribute.
Weaknesses in this category are related to component interaction.
Weaknesses
A's behavior or functionality changes with a new version of A, or a new environment, which is not known (or manageable) by B.
The developer builds a security-critical protection mechanism into the software, but the compiler optimizes the program such that the mechanism is removed or modified.
Sensitive memory is cleared according to the source code, but compiler optimizations leave the memory untouched when it is not read from again, aka "dead store removal."
An interaction error occurs when two entities have correct behavior when running independently of each other, but when they are integrated as components in a larger sy...
A product acts as an intermediary or monitor between two or more endpoints, but it does not have a complete model of an endpoint's features, behaviors, or state, poten...
The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but i...
The product uses a mechanism that automatically optimizes code, e.g. to improve a characteristic such as performance, but the optimizations can have an unintended side...
Product A handles inputs or steps differently than Product B, which causes A to perform incorrect actions based on its perception of B's state.
The product misinterprets an input, whether from an attacker or another product, in a security-relevant fashion.
The developer builds a security-critical protection mechanism into the software, but the processor optimizes the execution of the program such that the mechanism is re...
The server contains a protection mechanism that assumes that any URI that is accessed using HTTP GET will not cause a state change to the associated resource. This mig...
Concepts
This view organizes weaknesses around categories that are of interest to large-scale software assurance research to support the elimination of weaknesses using ta...