
The following rules are supported for .NET projects (rules marked with * are not supported for projects written in VB.NET):

APSC_DV.000160.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.000160.RSAKS - Use RSA keys of 2048 bits or longer 
APSC_DV.000160.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.000170.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.000170.RSAKS - Use RSA keys of 2048 bits or longer 
APSC_DV.000170.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.000460.UAA - Use authorization attributes on pages and controllers 
APSC_DV.000500.AUEP - Avoid using elevated privileges. 
APSC_DV.000510.ISE - Ensure sufficient session expiration 
APSC_DV.000510.UAA - Use authorization attributes on pages and controllers 
APSC_DV.000530.LUAFLA - Lock out the user after failed login attempts 
APSC_DV.000650.ALSI - Avoid logging sensitive information 
APSC_DV.001460.AAM - Add authorization services to MVC Core 
APSC_DV.001460.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.001460.ALSI - Avoid logging sensitive information 
APSC_DV.001460.AUEP - Avoid using elevated privileges. 
APSC_DV.001460.AXSSE - Enable anti-XSS protection in Web.config files 
APSC_DV.001460.CSP - Enable Content Security Policy in Web.config files 
APSC_DV.001460.DNICV - Do not disable SSL certificate validation 
APSC_DV.001460.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields. 
APSC_DV.001460.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
APSC_DV.001460.IREC - Do not execute external code without integrity check. 
APSC_DV.001460.ISE - Ensure sufficient session expiration 
APSC_DV.001460.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
APSC_DV.001460.LUAFLA - Lock out the user after failed login attempts 
APSC_DV.001460.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
APSC_DV.001460.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
APSC_DV.001460.PBRTE - Always specify absolute path to execute commands 
APSC_DV.001460.PDTDP - Prevent DTD processing 
APSC_DV.001460.RSAKS - Use RSA keys of 2048 bits or longer 
APSC_DV.001460.RSFSS - Do not re-create string from SecureString. 
APSC_DV.001460.SDE - Avoid inclusion of sensitive data in exception 
APSC_DV.001460.SSFP - Use SecureString instead of String for password. 
APSC_DV.001460.UAA - Use authorization attributes on pages and controllers 
APSC_DV.001460.UAAMC - Ensure that authorization attributes match the controller 
APSC_DV.001460.UIS - Use the standard pattern while implementing ISerializable. 
APSC_DV.001460.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.001460.VAFT - Use anti-forgery attributes on POST methods 
APSC_DV.001460.VLT - Validate shortcut target paths before use 
APSC_DV.001660.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.001860.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.001860.UOWR - Use OAEP with RSA algorithm encryption.
APSC_DV.001995.LOCKSETGET - Lock both when either set or get is locked for a property
APSC_DV.002000.ISE - Ensure sufficient session expiration 
APSC_DV.002010.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.002010.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.002290.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.002290.UOWR - Use OAEP with RSA algorithm encryption. 
APSC_DV.002350.ACCA - Avoid using custom cryptographic algorithms. 
APSC_DV.002350.UOWR - Use OAEP with RSA algorithm encryption. 
ARRU.NGLVD* - Do not declare local variables of non-generic collection types
BD.API.EQREFL - Make sure implementation of Object.Equals(Object) is reflexive
BD.CO.ITMOD - Do not modify collection while iterating over it
BD.EXCEPT.AN - Avoid ArgumentNullException
BD.EXCEPT.NR - Avoid NullReferenceException
BD.PB.ARRAY - Avoid accessing arrays out of bounds
BD.PB.CC - Avoid conditions that always evaluate to the same value
BD.PB.CHECKRET - Consistently check the returned value of non-void methods
BD.PB.DEREF - Avoid dereferencing before checking for null
BD.PB.DISP - Do not use disposed resources
BD.PB.EVIPT - Ensure that invoke parameter types correspond to the delegate definition
BD.PB.FIN - Do not use managed resources in finalizers
BD.PB.INTOVERF - Avoid integer overflows
BD.PB.NOTEXPLINIT - Avoid use before explicit initialization
BD.PB.POVR - Avoid overwriting method parameters before each use
BD.PB.SBONE - Ensure proper usage of StringBuilder objects
BD.PB.STRNULL - Do not append null value to strings
BD.PB.SWITCH - Avoid switch with unreachable branches
BD.PB.UGHC - Do not base equality on the equality of hash codes
BD.PB.VOVR - Avoid unused values
BD.PB.ZERO - Avoid division by zero
BD.RES.LEAKS - Ensure resources are deallocated
BD.SECURITY.AUTH - Prevent untrusted inputs that may affect authorization
BD.SECURITY.CUSTOM - Prevent security vulnerability (custom rule)
BD.SECURITY.IDENTITY - Always revert the context of an impersonated user to the previous identity
BD.SECURITY.SALT - Ensure that a random salt is used
BD.SECURITY.SENS - Prevent exposure of sensitive data
BD.SECURITY.SENSLOG - Avoid passing sensitive data to functions that write to log files
BD.SECURITY.TDALLOC - Validate potentially tainted data before it is used to determine the size of memory allocation
BD.SECURITY.TDCMD - Protect against command injection
BD.SECURITY.TDCODE - Validate potentially tainted data before it is used in methods that generate code
BD.SECURITY.TDFNAMES - Protect against file name injection
BD.SECURITY.TDINPUT - Exclude unsanitized user input from format strings
BD.SECURITY.TDLDAP - Protect against LDAP injection
BD.SECURITY.TDLOG - Protect against log forging
BD.SECURITY.TDNET - Protect against network resource injection
BD.SECURITY.TDPASSWD - Protect against using unprotected credentials
BD.SECURITY.TDRESP - Protect against HTTP response splitting
BD.SECURITY.TDRFL - Protect against Reflection injection
BD.SECURITY.TDSQL - Protect against SQL query injection
BD.SECURITY.TDSQLC - Protect against SQL connection injection
BD.SECURITY.TDXSS - Protect against XSS vulnerabilities
BD.SECURITY.USXRS - Use object with secure XmlResolver property
BD.TRS.DIFCS - Variable should be used in context of single critical section
BD.TRS.INSTLOCK - Do not use an instance lock to protect shared static data
BD.TRS.MUTEX - Do not abandon unreleased mutexes
BD.TRS.ORDER - Do not acquire locks in different order
BRM.BOOLNEGNAME* - Use positive instead of negative terms for naming properties/methods that return a 'boolean'
BRM.CMT.MSC - Members should be commented 
BRM.CMT.TSC - Types should be commented 
BRM.COLLPLURALNAME* - Use plural name for a property of type collection/array and avoid collection/array in the name
BRM.HBCM - Avoid hiding methods from base classes 
BRM.HBCP - Avoid hiding properties from base classes
BRM.ISPREFIX* - Use 'Is...' only for naming methods that return a "boolean" 
BRM.LINUPPERCASE - Use 'L' instead of 'l' to express 'long' integer constants 
BRM.MLL - Keep line length within predefined parameters 
BRM.SFH - Always provide appropriate file header (copyright information, etc.) 
BRM.SFT - Use spaces for tabs/indentation
CDD.DUPC - Avoid code duplication
CDD.DUPM - Avoid method duplication
CDD.DUPS - Avoid string literal duplication
CDD.DUPT - Avoid types duplication
CLS.ACAC* - Provide the same accessibility for the property and its accessors
CLS.CONV* - Provide alternate methods for conversion if you provide conversion operators
CLS.ENTY* - Make the underlying type of enum an integral type
CLS.NOOO* - Do not use operator overloading if you want to be CLS compliant
CLS.NOPT* - Do not use pointer types if you want to be CLS-compliant
CLS.PRMT* - Use only CLS-compliant primitive types
CLS.TYPR* - Avoid using typed references 
CMUG.MU.AUPM - Avoid unused private methods
CMUG.MU.VALRETURN* - Do not use value types for returning values from methods or properties
CMUG.PRU.DPAV* - Declare properties in classes that derive from classes using NHibernate as virtual
CS.BRM.AIBA - Avoid 'is' before 'as' 
CS.BRM.BEB - Avoid block statements with empty bodies. 
CS.BRM.CCB - Always enclose if and else bodies with curly braces 
CS.BRM.CPEB - Avoid checked, unchecked, fixed and unsafe statements with empty bodies. 
CS.BRM.ES - Use string.Empty for empty strings 
CS.BRM.ETK - Use keyword 'this' explicitly when accessing capitalized members 
CS.BRM.ICB - Always enclose iteration statements bodies with curly braces. 
CS.BRM.IDOU - Avoid increment/decrement operators inside other expressions. 
CS.BRM.IEB - Avoid initialization statements with empty bodies. 
CS.BRM.KFATNC - Keep file and type names consistent 
CS.BRM.RFINE - Do not use large if-clause with small else-clause that returns. 
CS.BRM.SCHR - Avoid using the Strings.Chr() and Strings.ChrW() methods in C# code. 
CS.BRM.SWDEFLAST - Place 'default' as the last case of the 'switch' statement 
CS.BRM.UCB - Always enclose using statement body with curly braces. 
CS.BRM.UCO - Use the null-coalescing operator ('??') instead of the conditional operator ('?')
CS.CDD.DUPU - Avoid duplicate using statements 
CS.CMUG.PRU.FSPP - Follow standard pattern for property accessors. 
CS.EU.VZS - Ensure that each enum has member with value 0 
CS.IFD.DNPTHIS - Do not pass a reference to 'this' from inside a destructor or dispose method
CS.INTER.ITT - String literals should be internationalized 
CS.MCI* - Avoid multiple classes or interfaces in a single file 
CS.MLC - Avoid using very large methods 
CS.NG.VAR.PNCFV - Follow proper naming convention for method variables and consts. 
CS.OOM.CAST2CONCRETE - Avoid casts to concrete Collection types
CS.OOM.MI - Keep Maintainability Index above specified value. 
CS.PB.ANIL - Avoid non-iterable loops. 
CS.PB.AWC - Avoid assignment within a condition. 
CS.PB.BITBOOL - Do not use bitwise operators on bool operands. 
CS.PB.CCA - Avoid confusing assignments to constructor arguments. 
CS.PB.CEB - Avoid conditional statements with empty bodies. 
CS.PB.CNFA - Check for 'null' when using 'as' operator 
CS.PB.DEFSWITCH - Provide 'default:' for each 'switch' statement. 
CS.PB.EEB - Avoid try, catch, finally and using statements with empty bodies. 
CS.PB.FPLI - Do not use floating point variables as loop indices. 
CS.PB.IDNE - Avoid increment and decrement statements which have no effect 
CS.PB.IEB - Avoid iteration statements with empty bodies. 
CS.PB.IVFLC - Use initializer variable in a condition of 'for' loop 
CS.PB.IVFLI - Use initializer variable in 'for' loop iterator section. 
CS.PB.MCO - Review '?:' operator for potential misuse. 
CS.PB.NACC - Avoid inaccessible classes and structs. 
CS.PB.NSIVFLB - Do not modify 'for' loop initializer variable in 'for' loop body. 
CS.PB.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements. 
CS.PB.PUO - Avoid using the unary + operator
CS.PB.SHIFT - Do not use an integer outside the range of [0, 31] as the amount of a shift 
CS.PB.USC.CC - Avoid unreachable code in condition 
CS.PB.USC.UC - Avoid unreachable code 
CS.PB.VTNV - Do not compare value types to null 
CS.PB.WIBS - Avoid wrong indentation of blockless statements 
CS.PE.VFFP - Verify FileDialog filter pattern. 
CS.PFEL - Use foreach loops instead of for loops 
CS.PROTC - Prefer readonly to const 
CS.SC - Cast only simple expressions 
CS.SEC.AUK - Avoid 'unsafe' keyword. 
CS.SEC.RSFSS - Do not re-create string from SecureString. 
CS.SEC.SSFP - Use SecureString instead of String for password. 
CS.SERIAL.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields. 
CS.SERIAL.SOIS - Do not store non-serializable objects in Session. 
CS.SERIAL.UIS - Use the standard pattern while implementing ISerializable. 
CS.SMC - Avoid "switch" statements with many "case" statements
CS.TRS.LCB - Always enclose lock statement body with curly braces. 
CS.TRS.LEB - Avoid lock statements with empty bodies. 
CS.TRS.LOCKSETGET - Lock both when either set or get is locked for a property
CS.USO - Put using statements in alphabetical order 
CT.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation 
CT.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results 
CWE.120.AUK - Avoid 'unsafe' keyword. 
CWE.131.AUK - Avoid 'unsafe' keyword. 
CWE.1321.SDE - Avoid inclusion of sensitive data in exception 
CWE.1386.VLT - Validate shortcut target paths before use 
CWE.190.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
CWE.190.AIWIL - Avoid indexer wraparound in loops. 
CWE.191.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
CWE.191.AIWIL - Avoid indexer wraparound in loops. 
CWE.197.ECLSII - Avoid explicit conversions of integrals to integrals of smaller size if the conversion may cause data truncation 
CWE.200.SDE - Avoid inclusion of sensitive data in exception 
CWE.209.SDE - Avoid inclusion of sensitive data in exception 
CWE.250.AUEP - Avoid using elevated privileges. 
CWE.269.AAM - Add authorization services to MVC Core 
CWE.269.UAAMC - Ensure that authorization attributes match the controller 
CWE.287.AAM - Add authorization services to MVC Core 
CWE.287.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
CWE.287.LUAFLA - Lock out the user after failed login attempts 
CWE.287.UAAMC - Ensure that authorization attributes match the controller 
CWE.295.DNICV - Do not disable SSL certificate validation 
CWE.307.LUAFLA - Lock out the user after failed login attempts 
CWE.316.RSFSS - Do not re-create string from SecureString. 
CWE.316.SSFP - Use SecureString instead of String for password. 
CWE.326.RSAKS - Use RSA keys of 2048 bits or longer 
CWE.327.ACCA - Avoid using custom cryptographic algorithms. 
CWE.329.ACCA - Avoid using custom cryptographic algorithms. 
CWE.350.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
CWE.352.VAFT - Use anti-forgery attributes on POST methods 
CWE.362.LOCKSETGET - Lock both when either set or get is locked for a property
CWE.391.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
CWE.396.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
CWE.397.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
CWE.426.PBRTE - Always specify absolute path to execute commands 
CWE.427.DNICV - Do not disable SSL certificate validation 
CWE.476.CNFA - Check for 'null' when using 'as' operator 
CWE.480.PUO - Avoid using the unary + operator 
CWE.481.AWC - Avoid assignment within a condition. 
CWE.494.IREC - Do not execute external code without integrity check. 
CWE.502.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields. 
CWE.502.UIS - Use the standard pattern while implementing ISerializable. 
CWE.522.VLT - Validate shortcut target paths before use 
CWE.532.ALSI - Avoid logging sensitive information 
CWE.546.TODO - Ensure that comments do not contain task tags 
CWE.561.UC - Avoid unreachable code 
CWE.59.VLT - Validate shortcut target paths before use 
CWE.595.REVT - Do not use ReferenceEquals() on value types. 
CWE.611.PDTDP - Prevent DTD processing 
CWE.613.ISE - Ensure sufficient session expiration 
CWE.617.ATA - Do not use the Trace.Assert() method in production code 
CWE.64.VLT - Validate shortcut target paths before use 
CWE.676.APDM - Avoid using potentially dangerous methods. 
CWE.681.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results 
CWE.770.UHCF - Avoid instantiating the HttpClient class by creating an HttpClient object
CWE.780.UOWR - Use OAEP with RSA algorithm encryption. 
CWE.79.AXSSE - Enable anti-XSS protection in Web.config files 
CWE.79.CSP - Enable Content Security Policy in Web.config files 
CWE.827.PDTDP - Prevent DTD processing 
CWE.835.IVFLC - Use initializer variable in a condition of 'for' loop 
CWE.835.IVFLI - Use initializer variable in 'for' loop iterator section. 
CWE.835.NSIVFLN - Do not increment or decrement on the same variable over multiple nested 'for' loop statements. 
CWE.838.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods 
CWE.862.UAA - Use authorization attributes on pages and controllers 
CWE.863.AAM - Add authorization services to MVC Core 
CWE.863.UAAMC - Ensure that authorization attributes match the controller 
EXCEPT.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
EXCEPT.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
IFD.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing. 
IFD.IDDR - Implement IDisposable in types which are using disposable resources
INTER.RI - Make sure that all strings from *.resx files are internationalized
OOM.LNDM* - Avoid a large number of data members per class
OOM.LNMM* - Avoid a large number of methods per class
OOM.LNPBD* - Avoid a large number of public data members per class
OOM.LNPBM* - Avoid a large number of public methods per class
OOM.LNPM* - Avoid a large number of parameters per method
OOM.LNPTD* - Avoid a large number of protected data members per class
OOM.LNPTM* - Avoid a large number of protected methods per class
OOM.LNPVD* - Avoid a large number of private data members per class
OOM.LNPVM* - Avoid a large number of private methods per class
OOM.MLCI* - Avoid too many levels of class inheritance 
OPU.CPNEQ - Compare parameter of Equals(Object) method to null 
OPU.CPTEQ - Compare parameter type of Equals(Object) method
OPU.NOREFEQUAL* - Do not override ReferenceEquals() method
OPU.NOSTATICEQUAL* - Do not override static Object.Equals() method
OPU.REVT - Do not use ReferenceEquals() on value types. 
OWASP_ASVS_403.V1_5_2.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP_ASVS_403.V1_5_2.UIS - Use the standard pattern while implementing ISerializable
OWASP_ASVS_403.V1_11_2.LOCKSETGET - Lock both when either set or get is locked for a property
OWASP_ASVS_403.V5_5_1.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields
OWASP_ASVS_403.V5_5_1.UIS - Use the standard pattern while implementing ISerializable
OWASP2017.A10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
OWASP2017.A2.ISE - Ensure sufficient session expiration 
OWASP2017.A2.LUAFLA - Lock out the user after failed login attempts 
OWASP2017.A3.ACCA - Avoid using custom cryptographic algorithms. 
OWASP2017.A3.ALSI - Avoid logging sensitive information 
OWASP2017.A3.DNICV - Do not disable SSL certificate validation 
OWASP2017.A3.RSFSS - Do not re-create string from SecureString. 
OWASP2017.A3.SDE - Avoid inclusion of sensitive data in exception 
OWASP2017.A3.SSFP - Use SecureString instead of String for password. 
OWASP2017.A3.UOWR - Use OAEP with RSA algorithm encryption. 
OWASP2017.A4.PDTDP - Prevent DTD processing 
OWASP2017.A5.AAM - Add authorization services to MVC Core 
OWASP2017.A5.AUEP - Avoid using elevated privileges. 
OWASP2017.A5.UAA - Use authorization attributes on pages and controllers 
OWASP2017.A5.UAAMC - Ensure that authorization attributes match the controller 
OWASP2017.A5.VAFT - Use anti-forgery attributes on POST methods 
OWASP2017.A6.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2017.A6.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2017.A7.AXSSE - Enable anti-XSS protection in Web.config files 
OWASP2017.A7.CSP - Enable Content Security Policy in Web.config files 
OWASP2017.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields. 
OWASP2017.A8.UIS - Use the standard pattern while implementing ISerializable. 
OWASP2019.API10.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
OWASP2019.API2.LUAFLA - Lock out the user after failed login attempts 
OWASP2019.API2.RSFSS - Do not re-create string from SecureString. 
OWASP2019.API2.SSFP - Use SecureString instead of String for password. 
OWASP2019.API3.ACCA - Avoid using custom cryptographic algorithms. 
OWASP2019.API3.ALSI - Avoid logging sensitive information 
OWASP2019.API3.ATA - Do not use the Trace.Assert() method in production code 
OWASP2019.API3.SDE - Avoid inclusion of sensitive data in exception 
OWASP2019.API3.UOWR - Use OAEP with RSA algorithm encryption. 
OWASP2019.API4.UHCF - Avoid instantiating the HttpClient class by creating an HttpClient object
OWASP2019.API5.AAM - Add authorization services to MVC Core 
OWASP2019.API5.ISE - Ensure sufficient session expiration 
OWASP2019.API5.UAA - Use authorization attributes on pages and controllers 
OWASP2019.API5.UAAMC - Ensure that authorization attributes match the controller 
OWASP2019.API7.DNICV - Do not disable SSL certificate validation 
OWASP2019.API7.ECLTS - Avoid explicit conversions between data types if the conversion may cause data loss or unexpected results 
OWASP2019.API7.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2019.API7.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2019.API8.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods 
OWASP2019.API8.AUK - Avoid 'unsafe' keyword. 
OWASP2019.API8.IREC - Do not execute external code without integrity check. 
OWASP2019.API8.PBRTE - Always specify absolute path to execute commands 
OWASP2019.API8.PDTDP - Prevent DTD processing 
OWASP2021.A1.AAM - Add authorization services to MVC Core 
OWASP2021.A1.AUEP - Avoid using elevated privileges. 
OWASP2021.A1.DNICV - Do not disable SSL certificate validation 
OWASP2021.A1.UAA - Use authorization attributes on pages and controllers 
OWASP2021.A1.UAAMC - Ensure that authorization attributes match the controller 
OWASP2021.A1.VAFT - Use anti-forgery attributes on POST methods 
OWASP2021.A1.VLT - Validate shortcut target paths before use 
OWASP2021.A2.ACCA - Avoid using custom cryptographic algorithms. 
OWASP2021.A2.RSAKS - Use RSA keys of 2048 bits or longer 
OWASP2021.A2.UOWR - Use OAEP with RSA algorithm encryption. 
OWASP2021.A3.AXSSE - Enable anti-XSS protection in Web.config files 
OWASP2021.A3.CSP - Enable Content Security Policy in Web.config files 
OWASP2021.A4.RSFSS - Do not re-create string from SecureString. 
OWASP2021.A4.SDE - Avoid inclusion of sensitive data in exception 
OWASP2021.A4.SSFP - Use SecureString instead of String for password. 
OWASP2021.A5.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2021.A5.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
OWASP2021.A5.PDTDP - Prevent DTD processing 
OWASP2021.A7.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
OWASP2021.A7.ISE - Ensure sufficient session expiration 
OWASP2021.A7.LUAFLA - Lock out the user after failed login attempts 
OWASP2021.A8.IIDC - Implement IDeserializationCallback for classes with NonSerialized fields. 
OWASP2021.A8.IREC - Do not execute external code without integrity check. 
OWASP2021.A8.PBRTE - Always specify absolute path to execute commands 
OWASP2021.A8.UIS - Use the standard pattern while implementing ISerializable. 
OWASP2021.A9.ALSI - Avoid logging sensitive information 
OWASP2021.A9.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
PB.ACDE - Avoid calling the Application.DoEvents() method 
PB.AIHUE - Avoid using improper HTML or URL encoding in HttpResponse methods 
PB.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
PB.CFF - Verify number of arguments in Composite Formatting feature 
PB.DNCF - Do not compare floating-point types for equality. 
PB.EMPTYMETHODS - Avoid empty methods 
PB.II.TODO - Ensure that comments do not contain task tags 
PB.INOE - Use String.IsNullOrEmpty to check if a string is null or empty 
PB.OCTESC* - Avoid suspicious octal escapes. 
PB.STATICFLD - Do not write to static fields from non-static methods 
PB.THROWFIN - Avoid 'throw' statements in 'finally' blocks. 
PCIDSS32.6510.ISE - Ensure sufficient session expiration 
PCIDSS32.6510.LUAFLA - Lock out the user after failed login attempts 
PCIDSS32.652.AUK - Avoid 'unsafe' keyword. 
PCIDSS32.653.ACCA - Avoid using custom cryptographic algorithms. 
PCIDSS32.653.RSFSS - Do not re-create string from SecureString. 
PCIDSS32.653.SSFP - Use SecureString instead of String for password. 
PCIDSS32.653.UOWR - Use OAEP with RSA algorithm encryption. 
PCIDSS32.654.RSFSS - Do not re-create string from SecureString. 
PCIDSS32.654.SSFP - Use SecureString instead of String for password. 
PCIDSS32.655.ATA - Do not use the Trace.Assert() method in production code 
PCIDSS32.655.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
PCIDSS32.655.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS32.655.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS32.657.AXSSE - Enable anti-XSS protection in Web.config files 
PCIDSS32.657.CSP - Enable Content Security Policy in Web.config files 
PCIDSS32.658.AAM - Add authorization services to MVC Core 
PCIDSS32.658.AUEP - Avoid using elevated privileges. 
PCIDSS32.658.PBRTE - Always specify absolute path to execute commands 
PCIDSS32.658.UAA - Use authorization attributes on pages and controllers 
PCIDSS32.658.UAAMC - Ensure that authorization attributes match the controller 
PCIDSS32.659.VAFT - Use anti-forgery attributes on POST methods 
PCIDSS40.6242.AIWIL - Avoid indexer wraparound in loops. 
PCIDSS40.6242.AUK - Avoid 'unsafe' keyword. 
PCIDSS40.6243.ACCA - Avoid using custom cryptographic algorithms. 
PCIDSS40.6243.RSFSS - Do not re-create string from SecureString. 
PCIDSS40.6243.SSFP - Use SecureString instead of String for password. 
PCIDSS40.6243.UOWR - Use OAEP with RSA algorithm encryption. 
PCIDSS40.6244.ATA - Do not use the Trace.Assert() method in production code 
PCIDSS40.6244.AXSSE - Enable anti-XSS protection in Web.config files 
PCIDSS40.6244.CSP - Enable Content Security Policy in Web.config files 
PCIDSS40.6244.LGE - Ensure all exceptions are either logged with a standard logger or rethrown. 
PCIDSS40.6244.NCSAE - Avoid the use of "catch" on 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS40.6244.NTSAE - Avoid throwing 'Exception', 'SystemException' or 'ApplicationException' 
PCIDSS40.6244.SDE - Avoid inclusion of sensitive data in exception 
PCIDSS40.6245.AAM - Add authorization services to MVC Core 
PCIDSS40.6245.AUEP - Avoid using elevated privileges. 
PCIDSS40.6245.DNICV - Do not disable SSL certificate validation 
PCIDSS40.6245.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
PCIDSS40.6245.ISE - Ensure sufficient session expiration 
PCIDSS40.6245.LUAFLA - Lock out the user after failed login attempts 
PCIDSS40.6245.PBRTE - Always specify absolute path to execute commands 
PCIDSS40.6245.UAA - Use authorization attributes on pages and controllers 
PCIDSS40.6245.UAAMC - Ensure that authorization attributes match the controller 
SEC.ACCA - Avoid using custom cryptographic algorithms. 
SEC.ACWNS - There should be no classes without a namespace.
SEC.AFNRO* - Inspect array fields that are declared as readonly 
SEC.AIWIL - Avoid indexer wraparound in loops. 
SEC.ALSI - Avoid logging sensitive information 
SEC.APDM - Avoid using potentially dangerous methods.
SEC.APTIF* - Avoid protected instance fields that could be accessed by untrusted classes
SEC.ASNRF* - Inspect static fields that are not readonly and consider making them readonly 
SEC.ATA - Do not use the Trace.Assert() method in production code 
SEC.AUEP - Avoid using elevated privileges.
SEC.AUIC* - Avoid using public inner classes to prevent access from untrusted classes
SEC.AUSD - Inspect uses of System.DateTime for security holes
SEC.HPTR* - Make pointer type fields private 
SEC.IREC - Do not execute external code without integrity check. 
SEC.LGE - Ensure all exceptions are either logged with a standard logger or rethrown.
SEC.MCMF* - For security, avoid making your 'Clone()' method 'virtual'
SEC.PBRTE - Always specify absolute path to execute commands 
SEC.SMIII* - Seal methods which implement internal interfaces
SEC.RSAKS - Use RSA keys of 2048 bits or longer 
SEC.SDE - Avoid inclusion of sensitive data in exception 
SEC.UOWR - Use OAEP with RSA algorithm encryption. 
SEC.VLT - Validate shortcut target paths before use 
SEC.WEB.AAM - Add authorization services to MVC Core 
SEC.WEB.AXSSE - Enable anti-XSS protection in Web.config files 
SEC.WEB.CSP - Enable Content Security Policy in Web.config files 
SEC.WEB.DNICV - Do not disable SSL certificate validation 
SEC.WEB.IIPHEU - Do not rely on reverse DNS resolution for security decisions 
SEC.WEB.ISE - Ensure sufficient session expiration 
SEC.WEB.LUAFLA - Lock out the user after failed login attempts 
SEC.WEB.UAA - Use authorization attributes on pages and controllers 
SEC.WEB.UAAMC - Ensure that authorization attributes match the controller 
SEC.WEB.UHCF - Avoid instantiating the HttpClient class by creating an HttpClient object
SEC.WEB.VAFT - Use anti-forgery attributes on POST methods 
SEC.XXE.PDTDP - Prevent DTD processing 
SERIAL.GETOBJ* - Call WriteObjectdata while implementing ISerializable.GetObjectData
SERIAL.XML.SOAFAP - Make sure that type of serialized field/property is compatible with type used in XmlElementAttribute 
SPR.HARDCONN* - Avoid hard coded connection strings 
SPR.SELSPLAT* - Avoid select * statements 
VB.BRM.ES - Use string.Empty for empty strings 
VB.BRM.PNPT - Use preferred names for primitive types 
VB.PB.DEFSWITCH - Provide 'Case Else' for each 'Select Case' statement 
VVSG.11_1_B.ALSI - Avoid logging sensitive information 
VVSG.11_3_1_A.AAM - Add authorization services to MVC Core 
VVSG.11_3_1_A.UAA - Use authorization attributes on pages and controllers 
VVSG.11_3_1_A.UAAMC - Ensure that authorization attributes match the controller 
VVSG.11_4_A.AUEP - Avoid using elevated privileges. 
VVSG.11_4_A.UAA - Use authorization attributes on pages and controllers 
VVSG.11_5_A.ISE - Ensure sufficient session expiration 
VVSG.11_5_C.LUAFLA - Lock out the user after failed login attempts 
VVSG.13_3_C.RSAKS - Use RSA keys of 2048 bits or longer 
VVSG.13_3_C.UOWR - Use OAEP with RSA algorithm encryption. 
VVSG.14_2_G.AUPM - Avoid unused private methods 
VVSG.14_2_G.NACC - Avoid inaccessible classes and structs. 
VVSG.14_2_G.UC - Avoid unreachable code 
VVSG.14_2_G.USCCC - Avoid unreachable code in condition 
VVSG.2_5_2_A.IREC - Do not execute external code without integrity check. 
VVSG.2_5_2_A.VAFT - Use anti-forgery attributes on POST methods 
VVSG.2_5_2_A.VLT - Validate shortcut target paths before use 
VVSG.2_5_4_C.AUK - Avoid 'unsafe' keyword. 
VVSG.2_5_4_F.AIOAC - Avoid possible integer overflow in assignment and comparison expressions 
VVSG.2_5_4_F.AIWIL - Avoid indexer wraparound in loops. 
VVSG.2_5_4_I.CNFA - Check for 'null' when using 'as' operator 
VVSG.2_5_4_J.DDFODB - In 'Dispose(bool)' use input parameter to check if it is actually disposing. 
VVSG.3_1_1_C.MSC - Members should be commented 
VVSG.3_1_1_C.TSC - Types should be commented 
VVSG.5_2_B.ITT - String literals should be internationalized 
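Added example, not part of the rule list above nor of the analyzer's own documentation: the RSA usage that RSAKS (key shorter than 2048 bits) and UOWR (PKCS#1 v1.5 padding instead of OAEP) report, placed next to the compliant form. It assumes .NET Core 2.0+ or .NET 5+, where `RSA.Create(int)` and `RSAEncryptionPadding.OaepSHA256` exist; the class name, method names and the message bytes are constructed for the example.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Illustrative code only (not from the rule documentation): weak and compliant RSA encryption.
public static class RsaRuleDemo
{
    // Violates RSAKS (1024-bit key) and UOWR (PKCS#1 v1.5 padding, no OAEP).
    // Kept here only to show what the rules flag; do not use.
    public static byte[] EncryptWeak(byte[] plaintext, out RSAParameters privateKey)
    {
        using RSA rsa = RSA.Create(1024);                              // RSAKS: too short
        privateKey = rsa.ExportParameters(true);
        return rsa.Encrypt(plaintext, RSAEncryptionPadding.Pkcs1);     // UOWR: not OAEP
    }

    // Compliant: key of at least 2048 bits (3072 chosen here) and OAEP with SHA-256.
    public static byte[] EncryptCompliant(byte[] plaintext, out RSAParameters privateKey)
    {
        using RSA rsa = RSA.Create(3072);
        privateKey = rsa.ExportParameters(true);
        return rsa.Encrypt(plaintext, RSAEncryptionPadding.OaepSHA256);
    }

    // Decryption must name the same padding that was used for encryption.
    public static byte[] Decrypt(byte[] ciphertext, RSAParameters privateKey)
    {
        using RSA rsa = RSA.Create();
        rsa.ImportParameters(privateKey);
        return rsa.Decrypt(ciphertext, RSAEncryptionPadding.OaepSHA256);
    }

    public static void Main()
    {
        // Constructed sample input: RSA should wrap key material, not bulk data.
        byte[] message = Encoding.UTF8.GetBytes("session key material");
        byte[] ciphertext = EncryptCompliant(message, out RSAParameters key);
        byte[] roundTrip = Decrypt(ciphertext, key);
        Console.WriteLine(Encoding.UTF8.GetString(roundTrip) == "session key material"
            ? "round trip ok"
            : "mismatch");
    }
}
```

Two caveats a reviewer should keep in mind when this rule fires: OAEP with SHA-256 on a 2048-bit key limits the plaintext to 190 bytes, so RSA is for wrapping a symmetric key, never for the payload itself; and on .NET Framework the legacy `RSACryptoServiceProvider.Encrypt(data, fOAEP: false)` is the same PKCS#1 v1.5 pattern, while its `fOAEP: true` only yields OAEP with SHA-1, so prefer `RSACng` (the default from `RSA.Create()` on 4.7.2+) when SHA-256 OAEP is required.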
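Added example, not part of the rule list above nor of the analyzer's own documentation: the XML parsing that PDTDP (DTD processing enabled) and BD.SECURITY.USXRS (resolver that fetches external resources) report, next to the compliant configuration. The XML payload, class and method names are constructed for the example; it assumes `System.Xml` on .NET Framework 4.5.2+ or any .NET Core/.NET 5+ version.

```csharp
using System;
using System.IO;
using System.Xml;

// Illustrative code only (not from the rule documentation): XXE-prone and hardened XML parsing.
public static class XxeRuleDemo
{
    // Constructed sample document declaring an external entity that points at a local file.
    private const string Payload =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE order [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>\n" +
        "<order><note>&ext;</note></order>";

    // Flagged by PDTDP and USXRS: DTDs are parsed and XmlUrlResolver will fetch the entity's URI,
    // so the file contents end up inside the document. Shown only to illustrate what is flagged.
    public static string ParseUnsafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Parse,
            XmlResolver = new XmlUrlResolver()
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument();
        doc.Load(reader);
        return doc.SelectSingleNode("/order/note")?.InnerText ?? string.Empty;
    }

    // Compliant: any DOCTYPE is rejected with an XmlException and no resolver is available,
    // on both the reader and the XmlDocument (older .NET Framework gave XmlDocument a resolver by default).
    public static string ParseSafe(string xml)
    {
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null
        };
        using var reader = XmlReader.Create(new StringReader(xml), settings);
        var doc = new XmlDocument { XmlResolver = null };
        doc.Load(reader);
        return doc.SelectSingleNode("/order/note")?.InnerText ?? string.Empty;
    }

    public static void Main()
    {
        try
        {
            ParseSafe(Payload);
            Console.WriteLine("unexpected: DTD was accepted");
        }
        catch (XmlException ex)
        {
            Console.WriteLine("DTD rejected as expected: " + ex.Message);
        }
    }
}
```

`DtdProcessing.Ignore` is the alternative when documents legitimately carry a harmless DOCTYPE; it skips the DTD instead of throwing, but entity references then fail to resolve, so the safe choice remains `Prohibit` unless input with a DOCTYPE is expected. The same two settings apply to `XmlTextReader` (`DtdProcessing` and `XmlResolver`) and, indirectly, to `XmlSerializer`, `XPathDocument` and `XslCompiledTransform` when they are fed an `XmlReader` created from such settings.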
