SANS has produced the list of top 25 software errors:
Insecure Interaction Between Components
| CWE ID | Name |
|---|---|
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| CWE-434 | Unrestricted Upload of File with Dangerous Type |
| CWE-352 | Cross-Site Request Forgery (CSRF) |
| CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) |
Risky Resource Management
| CWE ID | Name |
|---|---|
| CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| CWE-494 | Download of Code Without Integrity Check |
| CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| CWE-676 | Use of Potentially Dangerous Function |
| CWE-131 | Incorrect Calculation of Buffer Size |
| CWE-134 | Uncontrolled Format String |
| CWE-190 | Integer Overflow or Wraparound |
Porous Defenses
| CWE ID | Name |
|---|---|
| CWE-306 | Missing Authentication for Critical Function |
| CWE-862 | Missing Authorization |
| CWE-798 | Use of Hard-coded Credentials |
| CWE-311 | Missing Encryption of Sensitive Data |
| CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| CWE-250 | Execution with Unnecessary Privileges |
| CWE-863 | Incorrect Authorization |
| CWE-732 | Incorrect Permission Assignment for Critical Resource |
| CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| CWE-759 | Use of a One-Way Hash without a Salt |