NSA Center for Assured Software (CAS)

The NSA Center for Assured Software (CAS) defines the following Weakness Classes in its "Static Analysis Tool Study - Methodology" [1]:

Weakness Class                     | Example Weakness (CWE Entry [2])
-----------------------------------|-----------------------------------------------
Authentication and Access Control  | CWE-620: Unverified Password Change
Buffer Handling                    | CWE-121: Stack-based Buffer Overflow
Code Quality                       | CWE-561: Dead Code
Control Flow Management            | CWE-362: Race Condition
Encryption and Randomness          | CWE-328: Reversible One-Way Hash
Error Handling                     | CWE-252: Unchecked Return Value
File Handling                      | CWE-23: Relative Path Traversal
Information Leaks                  | CWE-534: Information Leak Through Debug Log Files
Initialization and Shutdown        | CWE-415: Double Free
Injection                          | CWE-89: SQL Injection
Malicious Logic                    | CWE-506: Embedded Malicious Code
Miscellaneous                      | CWE-480: Use of Incorrect Operator
Number Handling                    | CWE-369: Divide by Zero
Pointer and Reference Handling     | CWE-476: Null Pointer Dereference

References