CWE/SANS TOP 25 Most Dangerous Software Errors

The Top 25 Software Errors are listed below in three categories:

• Software Error Category: Insecure Interaction Between Components (6 errors)
• Software Error Category: Risky Resource Management (8 errors)
• Software Error Category: Porous Defenses (11 errors)

The New 25 Most Dangerous Programming Errors

The Scoring System

The Risk Management System

Click on the CWE ID in any of the listings and you will be directed to the relevant spot in the MITRE CWE site where you will find the following:

• Ranking of each Top 25 entry,
• Links to the full CWE entry data,
• Data fields for weakness prevalence and consequences,
• Remediation cost,
• Ease of detection,
• Code examples,
• Detection Methods,
• Attack frequency and attacker awareness
• Related CWE entries, and
• Related patterns of attack for this weakness.

Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

Archive

• View the Top 25 Software Errors for 2010 Here
• View the Top 25 Software Errors for 2009 Here

Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

CWE ID	Name
CWE-89	Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
CWE-78	Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
CWE-79	Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
CWE-434	Unrestricted Upload of File with Dangerous Type
CWE-352	Cross-Site Request Forgery (CSRF)
CWE-601	URL Redirection to Untrusted Site (‘Open Redirect’)

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

CWE ID	Name
CWE-120	Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
CWE-22	Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
CWE-494	Download of Code Without Integrity Check
CWE-829	Inclusion of Functionality from Untrusted Control Sphere
CWE-676	Use of Potentially Dangerous Function
CWE-131	Incorrect Calculation of Buffer Size
CWE-134	Uncontrolled Format String
CWE-190	Integer Overflow or Wraparound

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

CWE ID	Name
CWE-306	Missing Authentication for Critical Function
CWE-862	Missing Authorization
CWE-798	Use of Hard-coded Credentials
CWE-311	Missing Encryption of Sensitive Data
CWE-807	Reliance on Untrusted Inputs in a Security Decision
CWE-250	Execution with Unnecessary Privileges
CWE-863	Incorrect Authorization
CWE-732	Incorrect Permission Assignment for Critical Resource
CWE-327	Use of a Broken or Risky Cryptographic Algorithm
CWE-307	Improper Restriction of Excessive Authentication Attempts
CWE-759	Use of a One-Way Hash without a Salt

Resources to Help Eliminate The Top 25 Software Errors

1. The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
   SANS Top 25 Software Errors Site
   CWE Top 25 Software Errors Site

   MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security’s National Cyber Security Division, presenting detailed descriptions of the top 25 Software errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional Software errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site

   SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.

   Email spa@sans.org for details.

2. SAFECode – The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.

   Fundamental Practices for Secure Software Development 2nd Edition
   http://www.safecode.org/publications/SAFECode_Dev_Practices0211.pdf

   Overview of Software Integrity Controls
   http://www.safecode.org/publications/SAFECode_Software_Integrity_Controls0610.pdf

   Framework for Software Supply Chain Integrity
   http://www.safecode.org/publications/SAFECode_Supply_Chain0709.pdf

   Fundamental Practices for Secure Software Development
   http://www.safecode.org/publications/SAFECode_Dev_Practices1108.pdf

   Software Assurance: An Overview of Current Industry Best Practices
   http://www.safecode.org/publications/SAFECode_BestPractices0208.pdf

3. Software Assurance Community Resources Site and DHS web sitesAs part of DHS risk mitigation efforts to enable greater resilience of cyber assets, the Software Assurance Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to routinely acquire, develop and deploy reliable and trustworthy software products with predictable execution, and to improve diagnostic capabilities to analyze systems for exploitable weaknesses.
4. Nearly a dozen software companies offer automated tools that test programs for these errors.
5. New York State has produced draft procurement standards to allow companies to buy software with security baked in.

   If you wish to join the working group to help improve the procurement guidelines you can go to the New York State Cyber Security and Critical Infrastructure Coordination web site.

   Draft New York State procurement language will be posted at SANS Application Security Contract.

For additional information on any of these:
SANS: Mason Brown, mbrown@sans.org
MITRE: Bob Martin, ramartin@mitre.org
MITRE: Steve Christey, coley@mitre.org