
SANS 25


Summary

The CWE Top 25 Most Dangerous Software Weaknesses (earlier editions were published jointly with SANS as the CWE/SANS Top 25 Most Dangerous Software Errors) is a demonstrative list of the most common and impactful weaknesses observed over the previous two calendar years. It presents detailed descriptions of the top 25 weaknesses along with authoritative guidance for mitigating and avoiding them. The version used in this section is the 2022 CWE Top 25; the ranking and weakness names below follow that edition. The numbered requirements listed under each weakness refer to this site's own requirements catalogue and are not part of the CWE publication.

Definitions

Definition (rank in the CWE Top 25, CWE ID and weakness name); the Requirements that mitigate each one are listed indented beneath it.
1. CWE-787 Out-of-bounds Write
    157. Use the strict mode
    158. Use a secure programming language
    345. Establish protections against overflows
2. CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
    160. Encode system outputs
    173. Discard unsafe inputs
3. CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
    157. Use the strict mode
    158. Use a secure programming language
    169. Use parameterized queries
    173. Discard unsafe inputs
4. CWE-20 Improper Input Validation
    164. Use optimized structures
    173. Discard unsafe inputs
    342. Validate request parameters
5. CWE-125 Out-of-bounds Read
    157. Use the strict mode
    158. Use a secure programming language
    342. Validate request parameters
    345. Establish protections against overflows
6. CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
    173. Discard unsafe inputs
7. CWE-416 Use After Free
    157. Use the strict mode
    158. Use a secure programming language
    266. Disable insecure functionalities
8. CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
    280. Restrict service root directory
    381. Use of absolute paths
9. CWE-352 Cross-Site Request Forgery (CSRF)
    029. Cookies with security attributes
    174. Transactions without a distinguishable pattern
    349. Include HTTP security headers
10. CWE-434 Unrestricted Upload of File with Dangerous Type
    040. Compare file format and extension
    041. Scan files for malicious code
11. CWE-476 NULL Pointer Dereference
    345. Establish protections against overflows
    366. Associate type to variables
    381. Use of absolute paths
12. CWE-502 Deserialization of Untrusted Data
    321. Avoid deserializing untrusted data
13. CWE-190 Integer Overflow or Wraparound
    345. Establish protections against overflows
14. CWE-287 Improper Authentication
    030. Avoid object reutilization
    096. Set user's required privileges
    122. Validate credential ownership
    140. Define OTP lifespan
    153. Out of band transactions
    227. Display access notification
    232. Require equipment identity
    237. Ascertain human interaction
    264. Request authentication
    319. Make authentication options equally secure
    335. Define out of band token lifespan
    347. Invalidate previous OTPs
    362. Assign MFA mechanisms to a single account
15. CWE-798 Use of Hard-coded Credentials
    127. Store hashed passwords
    145. Protect system cryptographic keys
    146. Remove cryptographic keys from RAM
    181. Transmit data using secure protocols
    206. Configure communication protocols
    224. Use secure cryptographic mechanisms
    228. Authenticate using standard protocols
    229. Request access credentials
    264. Request authentication
    351. Assign unique keys to each device
16. CWE-862 Missing Authorization
    033. Restrict administrative access
    034. Manage user accounts
    035. Manage privilege modifications
    341. Use the principle of deny by default
17. CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
    173. Discard unsafe inputs
    265. Restrict access to critical processes
    266. Disable insecure functionalities
    342. Validate request parameters
18. CWE-306 Missing Authentication for Critical Function
    033. Restrict administrative access
    228. Authenticate using standard protocols
    229. Request access credentials
    264. Request authentication
    328. Request MFA for critical systems
19. CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
    157. Use the strict mode
    158. Use a secure programming language
    164. Use optimized structures
    173. Discard unsafe inputs
    345. Establish protections against overflows
20. CWE-276 Incorrect Default Permissions
    161. Define secure default options
21. CWE-918 Server-Side Request Forgery (SSRF)
    173. Discard unsafe inputs
    324. Control redirects
    348. Use consistent encoding
22. CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    037. Parameters without sensitive data
    337. Make critical logic flows thread safe
23. CWE-400 Uncontrolled Resource Consumption
    039. Define maximum file size
    072. Set maximum response time
24. CWE-611 Improper Restriction of XML External Entity Reference
    157. Use the strict mode
    173. Discard unsafe inputs
25. CWE-94 Improper Control of Generation of Code ('Code Injection')
    050. Control calls to interpreted code
    155. Application free of malicious code
    159. Obfuscate code
    164. Use optimized structures
    173. Discard unsafe inputs
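As an added example (not code from this page, from the site's requirements catalogue, or from the publishers of the CWE list), the Python block below takes weakness 3 from the table, SQL injection, and shows it next to the two requirements the table maps to it: 169 (use parameterized queries) and 173 (discard unsafe inputs). It uses the standard-library sqlite3 module against an in-memory table; the function names, the username pattern, the sample rows and the payload are assumptions made for illustration.

```python
"""Weakness 3 (SQL injection) beside requirements 169 and 173.

Added example using only the standard library. The table, rows and
username policy are constructed here and are not taken from the page.
"""
import re
import sqlite3

# Constructed sample data (assumption, not from the original page).
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]

# Requirement 173: the only shape of username the application accepts.
# Assumed policy: lowercase letters, digits and underscore, 1 to 32 chars.
USERNAME_RE = re.compile(r"[a-z0-9_]{1,32}")


def make_db() -> sqlite3.Connection:
    """Build the in-memory table the lookups run against."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT NOT NULL, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """The weakness: the caller's string is spliced into the SQL text,
    so quotes and keywords inside it are parsed as SQL syntax."""
    query = f"SELECT email FROM users WHERE name = '{name}'"
    return [row[0] for row in conn.execute(query)]


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list[str]:
    """Requirement 169 alone: the driver binds the value separately, so
    whatever `name` contains is compared as data and never parsed."""
    rows = conn.execute("SELECT email FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows]


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list[str]:
    """Requirements 173 + 169: reject input that does not match the
    expected shape before it reaches the database, then bind the rest.
    Validation is defence in depth; binding is what neutralizes the SQL."""
    if USERNAME_RE.fullmatch(name) is None:
        raise ValueError("username rejected: unexpected characters or length")
    return lookup_parameterized(conn, name)


def demo() -> dict[str, object]:
    """Run the three lookups against a classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"  # constructed attacker input
    result: dict[str, object] = {
        # Becomes: ... WHERE name = '' OR '1'='1'  -> every row leaks
        "vulnerable": lookup_vulnerable(conn, payload),
        # Looks for a user literally named "' OR '1'='1" -> no rows
        "parameterized": lookup_parameterized(conn, payload),
    }
    try:
        lookup_hardened(conn, payload)
        result["hardened"] = "accepted"
    except ValueError:
        result["hardened"] = "rejected"
    # A well-formed username still works through the hardened path.
    result["hardened_valid"] = lookup_hardened(conn, "alice")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable function returns both rows for the payload because the injected tautology rewrites the WHERE clause; the parameterized function returns nothing because the same bytes are bound as a value and compared as a literal string. The input check in the hardened function does not replace binding: it narrows what reaches the query, which is what requirement 173 asks for, while requirement 169 is the control that actually prevents the injection.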