Top 25 Most Dangerous Software Errors (2011 CWE/SANS List)

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. SQL Injection, OS Command Injection, Classic Buffer Overflow and Cross-site Scripting tops the list.

Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. MITRE maintains the CWE web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

This year’s Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence, importance, and likelihood of exploit. It uses the Common Weakness Scoring System (CWSS) to score and rank the final results. The Top 25 list covers a small set of the most effective “Monster Mitigations,” which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the hundreds of weaknesses that are documented by CWE.

  1. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  2. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  3. Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  4. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  5. Missing Authentication for Critical Function
  6. Missing Authorization
  7. Use of Hard-coded Credentials
  8. Missing Encryption of Sensitive Data
  9. Unrestricted Upload of File with Dangerous Type
  10. Reliance on Untrusted Inputs in a Security Decision
  11. Execution with Unnecessary Privileges
  12. Cross-Site Request Forgery (CSRF)
  13. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  14. Download of Code Without Integrity Check
  15. Incorrect Authorization
  16. Inclusion of Functionality from Untrusted Control Sphere
  17. Incorrect Permission Assignment for Critical Resource
  18. Use of Potentially Dangerous Function
  19. Use of a Broken or Risky Cryptographic Algorithm
  20. Incorrect Calculation of Buffer Size
  21. Improper Restriction of Excessive Authentication Attempts
  22. URL Redirection to Untrusted Site (‘Open Redirect’)
  23. Uncontrolled Format String
  24. Integer Overflow or Wraparound
  25. Use of a One-Way Hash without a Salt

Check out the CWE Top25 List website for more information.


Be the first to comment

Leave a Reply