API Abuse (22)
An API is a contract between a caller and a callee. The most common forms of API abuse are caused by the caller failing to honor its end of this contract. For example, if a program fails to call chdir() after calling chroot(), it violates the contract that specifies how to change the active root directory in a secure fashion.
Authentication Vulnerability
Authentication Vulnerability, Allowing password aging, Authentication Error, Using single-factor authentication, Weak credentials, Authentication bypass by spoofing, Empty String Password
Access Control Vulnerability (25)
Insufficient privileges, Least Privilege Violation, Missing access control, Permissions, Privileges, and ACLs, Sensitive Data Under Web Root
Code Permission Vulnerability (1)
Code Permission Vulnerability
Environmental Vulnerability (17)
This category includes everything that is outside of the source code but is still critical to the security of the product that is being created. Because the issues covered by this kingdom are not directly related to source code, we separated it from the rest of the kingdoms.
Code Quality Vulnerability (28)
Code Quality Vulnerability, Code Correctness, Dead Code, Double Free, Memory Leak, Poor Logging, Null Dereference, Unreleased Resource, Undefined Behavior, Portability Flaw, Using freed memory
Cryptographic Vulnerability (11)
Vulnerabilities related to cryptographic modules.
Algorithm Problems, Implementation errors, Use non-standard cryptographic implementations/libraries, Key Management Problems, Weak keys, not random enough, Random Number Generator (RNG) Problems
Error Handling Vulnerability
Error Handling Vulnerability, Catch NullPointerException, Improper error handling
General Logic Error Vulnerability (22)