Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-09 Thread David A. Wheeler
> On Jan 9, 2024, at 3:56 PM, Hatfield, Arthur wrote: > > I do believe that applications, passwords, and protocols count as “resources,” and that the default configuration that ships with an application,

Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-09 Thread Hatfield, Arthur
I do believe that applications, passwords, and protocols count as “resources,” and that the default configuration that ships with an application, or is engineered into a system, would count as the “initialization” of that “resource.” That said, could CWE-1188 get some better demonstrative examp

Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-09 Thread David A. Wheeler
> On Jan 8, 2024, at 6:43 AM, Przemyslaw Roguski wrote: > > Hello Everyone and Happy New Year to all of you! > > David, in my opinion the CWE-1188: Initialization of a Resource with an Insecure Default

Re: [EXT] Proposal: Add "Insecure default" as a general CWE category (per "Secure-by-design" paper)

2024-01-09 Thread Przemyslaw Roguski
Hello Everyone and Happy New Year to all of you! David, in my opinion the CWE-1188: Initialization of a Resource with an Insecure Default describes your "insecure default" general use case pretty well. See the extended description: "Developers oft