SiteShadow
Back to vulnerability library
Detected byCWE-aware static analysisPro

CWE-657 Violation of Secure Design Principles

Coverage: 5 rules in the SiteShadow rule registry target this CWE (registry v2.0.0). Regex 5 Also: Taint and heuristic analyzers may also detect related flows (see coverage for the authoritative list) Registry tagging shows intent, for sample-level behaviour and benchmarked gaps see known gaps.

What this means

SiteShadow flagged patterns that suggest insecure design choices rather than a single bug. This usually means a feature is built in a way that makes it easy to misuse (or hard to secure) across the system.

Why it matters

Insecure design choices create systemic risk.

Safer examples

1) "Secure by default" for new features

Make the safe behavior the default (auth required, least privilege, strict validation), and require explicit opt-in for risky behavior.

2) Define trust boundaries and enforce them

Treat all client input as untrusted; re-check authorization server-side; avoid client-controlled "critical state" (see CWE-501 / CWE-642).

3) Use threat modeling for high-risk flows

Payments, auth/session, file handling, and admin capabilities should have a basic threat model and abuse-case tests.

How SiteShadow detects it (high level)

References

---

← Back to Vulnerability Library

Catch this with SiteShadow Pro.

This vulnerability class is detected by SiteShadow's Pro-tier engines, two-pass interprocedural taint analysis, heuristic flow checks, AI-context scanning, and cross-file detection. The free tier catches OWASP Top 10 single-file patterns; Pro adds the data-flow depth that finds this class of bug.