SANS 25

Summary

The CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most common and impactful software weaknesses observed over the previous two calendar years. It presents detailed descriptions of the top 25 software errors along with authoritative guidance for mitigating and avoiding them. The version used in this section is CWE Top 25 2020.

Definitions

Definition | Requirements

1. Out-of-bounds write
   157. Use the strict mode
   345. Establish protections against overflows

2. Improper neutralization of input during web page generation (cross-site scripting)
   029. Cookies with security attributes
   160. Encode system outputs
   173. Discard unsafe inputs

3. Improper neutralization of special elements used in an SQL command (SQL injection)
   029. Cookies with security attributes
   157. Use the strict mode
   169. Use parameterized queries
   173. Discard unsafe inputs

4. Use after free
   157. Use the strict mode
   158. Use a secure programming language
   266. Disable insecure functionalities

5. Improper neutralization of special elements used in an OS command (OS command injection)
   158. Use a secure programming language
   173. Discard unsafe inputs
   265. Restrict access to critical processes
   266. Disable insecure functionalities
   342. Validate request parameters

6. Improper input validation
   164. Use optimized structures
   173. Discard unsafe inputs
   342. Validate request parameters

7. Out-of-bounds read
   157. Use the strict mode
   158. Use a secure programming language
   345. Establish protections against overflows

8. Improper limitation of a pathname to a restricted directory (path traversal)
   173. Discard unsafe inputs
   280. Restrict service root directory
   320. Avoid client-side control enforcement
   342. Validate request parameters
   381. Use of absolute paths

9. Cross-site request forgery (CSRF)
   029. Cookies with security attributes
   174. Transactions without a distinguishable pattern
   349. Include HTTP security headers

10. Unrestricted upload of file with dangerous type
   039. Define maximum file size
   040. Compare file format and extension
   041. Scan files for malicious code

11. Missing authorization
   034. Manage user accounts
   035. Manage privilege modifications
   095. Define users with privileges
   096. Set user's required privileges
   341. Use the principle of deny by default

12. NULL pointer dereference
   161. Define secure default options
   266. Disable insecure functionalities
   345. Establish protections against overflows
   359. Avoid using generic exceptions
   366. Associate type to variables
   381. Use of absolute paths

13. Improper authentication
   030. Avoid object reutilization
   114. Deny access with inactive credentials
   122. Validate credential ownership
   130. Limit password lifespan
   138. Define lifespan for temporary passwords
   140. Define OTP lifespan
   153. Out of band transactions
   227. Display access notification
   229. Request access credentials
   232. Require equipment identity
   237. Ascertain human interaction
   264. Request authentication
   319. Make authentication options equally secure
   335. Define out of band token lifespan
   347. Invalidate previous OTPs
   362. Assign MFA mechanisms to a single account

14. Integer overflow or wraparound
   345. Establish protections against overflows

15. Deserialization of untrusted data
   229. Request access credentials
   321. Avoid deserializing untrusted data

16. Improper neutralization of special elements used in a command (command injection)
   172. Encrypt connection strings
   173. Discard unsafe inputs
   265. Restrict access to critical processes
   344. Avoid dynamic code execution

17. Improper restriction of operations within the bounds of a memory buffer
   157. Use the strict mode
   158. Use a secure programming language
   164. Use optimized structures
   266. Disable insecure functionalities
   345. Establish protections against overflows

18. Use of hard-coded credentials
   126. Set a password regeneration mechanism
   127. Store hashed passwords
   134. Store passwords with salt
   145. Protect system cryptographic keys
   146. Remove cryptographic keys from RAM
   181. Transmit data using secure protocols
   185. Encrypt sensitive information
   206. Configure communication protocols
   224. Use secure cryptographic mechanisms
   264. Request authentication
   321. Avoid deserializing untrusted data
   351. Assign unique keys to each device

19. Server-side request forgery (SSRF)
   173. Discard unsafe inputs
   324. Control redirects
   348. Use consistent encoding

20. Missing authentication for critical function
   229. Request access credentials
   264. Request authentication
   265. Restrict access to critical processes
   328. Request MFA for critical systems

21. Concurrent execution using shared resource with improper synchronization (race condition)
   037. Parameters without sensitive data
   264. Request authentication
   337. Make critical logic flows thread safe

22. Improper privilege management
   033. Restrict administrative access
   095. Define users with privileges
   096. Set user's required privileges
   176. Restrict system objects
   228. Authenticate using standard protocols

23. Improper control of generation of code (code injection)
   050. Control calls to interpreted code
   155. Application free of malicious code
   159. Obfuscate code
   164. Use optimized structures
   173. Discard unsafe inputs

24. Incorrect authorization
   033. Restrict administrative access
   095. Define users with privileges
   096. Set user's required privileges
   176. Restrict system objects
   228. Authenticate using standard protocols

25. Incorrect default permissions
   142. Change system default credentials
   161. Define secure default options