CWE-1076: Insufficient Adherence to Expected Conventions

What is Insufficient Adherence to Expected Conventions?

• Overview: Insufficient Adherence to Expected Conventions refers to the failure of a product's architecture, source code, design, or documentation to follow established conventions, which complicates maintenance and can lead to security vulnerabilities.

• Exploitation Methods:

• Attackers can exploit this vulnerability by taking advantage of inconsistencies or errors introduced through unconventional practices.
• Common attack patterns include targeting overlooked or misunderstood code paths and exploiting misconfigurations resulting from non-standard implementations.

• Security Impact:

• Direct consequences of successful exploitation include increased difficulty in finding and fixing vulnerabilities, leading to potential security breaches.
• Potential cascading effects involve the introduction of new vulnerabilities over time as the codebase becomes harder to maintain and understand.
• Business impact can include financial loss, damage to reputation, and increased costs associated with remediation and compliance efforts.

• Prevention Guidelines:

• Specific code-level fixes include adhering to coding standards, implementing code reviews, and ensuring consistent documentation.
• Security best practices involve regular audits of code and design to ensure adherence to conventions and best practices.
• Recommended tools and frameworks include using static analysis tools to detect deviations from conventions and employing integrated development environments (IDEs) that enforce coding standards.

Corgea can automatically detect and fix Insufficient Adherence to Expected Conventions in your codebase. Try Corgea free today.

Technical Details

Likelihood of Exploit: Not specified

Affected Languages: Not specified

Affected Technologies: Not specified