| Module | CWE | OWASP Top 10 | PCI DSS 6.5 |
|---|---|---|---|
| Yellow Belt : Missing Authentication for Critical Function | CWE 306 | A07 | 6.5.10, 6.5.8 |
| Yellow Belt : Reliance on Untrusted Inputs in a Security Decision | CWE 807 | A04 | 6.5.10, 6.5.8 |
| Yellow Belt : Missing Authorization | CWE 862 | A01 | 6.5.10 |
| Orange Belt : Missing Encryption of Sensitive Data | CWE 311 | A04 | 6.5.3, 6.5.4 |
| Orange Belt : Use of a Broken or Risky Cryptographic Algorithm | CWE 327 | A02 | 6.5.3, 6.5.4 |
| Orange Belt : Use of a One-Way Hash without a Salt | CWE 759 | A02 | 6.5.3, 6.5.4 |
| Green Belt : Password Guessing Attack | CWE 307; CWE 798 | A07 | 6.5.10 |
| Green Belt : Integer Overflow or Wraparound | CWE 190 | N/A | N/A |
| Green Belt : Download of Code Without Integrity Check | CWE 494 | A08 | N/A |
| Purple Belt : URL Redirection to Untrusted Site ('Open Redirect') | CWE 601 | A01 | N/A |
| Purple Belt : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') and related flaws | CWE 79; CWE 829 | A03; A08 | 6.5.7 |
| Purple Belt : Cross-Site Request Forgery (CSRF) | CWE 352 | A01 | 6.5.9 |
| Blue Belt : Unrestricted Upload of File with Dangerous Type | CWE 434 | A04 | 6.5.8 |
| Blue Belt : Improper Restriction of XML External Entity Reference ('XXE') | CWE 611 | A05 | 6.5.1 |
| Blue Belt : Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | CWE 22 | A01 | 6.5.8 |
| Brown Belt : Incorrect Authorization | CWE 863 | A01 | 6.5.4 |
| Brown Belt : Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') and related flaws | CWE 78; CWE 250; CWE 732 | A03 | 6.5.1 |
| Brown Belt : Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | CWE 89 | A03 | 6.5.1, 6.5.5 |
| Black Belt : Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') and related flaws | CWE 120; CWE 676 | N/A | 6.5.2 |
| Black Belt : Use of Externally-Controlled Format String | CWE 134 | N/A | N/A |
| Black Belt : Quiz | All of the above | All of the above | All of the above |
| Second Degree Black Belt : Security Misconfiguration | N/A | A05 | N/A |
| Second Degree Black Belt : Sensitive Data Exposure | CWE 311; CWE 327; CWE 759 | A04; A02 | 6.5.3, 6.5.4 |
| Second Degree Black Belt : Broken Authentication & Broken Access Control | CWE 306; CWE 862 | A07; A01 | 6.5.10, 6.5.8 |
| Second Degree Black Belt : Cross-Site Scripting | CWE 79 | A03 | 6.5.7 |
| Second Degree Black Belt : Injection | CWE 78 | A03 | 6.5.1 |
| Second Degree Black Belt : XML External Entities | CWE 611 | A05 | 6.5.1 |
| Second Degree Black Belt : Using Components with Known Vulnerabilities & Insecure Deserialization | CWE 509 | N/A | 6.5.1 |
| Security Code Review Master : Input Validation | Various | Various | Various |
| Security Code Review Master : Parameterized Statements | CWE 78; CWE 89 | A03 | 6.5.1 |
| Security Code Review Master : Memory Best Practices | CWE 120; CWE 131; CWE 193; CWE 134 | N/A | 6.5.2 |
| Security Code Review Master : Protecting Data | CWE 311; CWE 312; CWE 759; CWE 319; CWE 327 | A04; A02 | 6.5.3, 6.5.4 |
| Security Code Review Master : Preventing Cross-Site Scripting | CWE 79 | A03 | 6.5.7 |
| Security Code Review Master : Indirect Object References | CWE 22; CWE 601 | A01 | 6.5.8 |