SANS 25

Summary

CWE/SANS TOP 25 Most Dangerous Software Errors is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. It presents detailed descriptions of the top 25 software errors along with authoritative guidance for mitigating and avoiding them. The version used in this section is CWE Top 25 2020.

Definitions

| Definition | Requirements |
|---|---|
| 20. Improper input validation | 164. Use optimized structures; 173. Discard unsafe inputs; 342. Validate request parameters |
| 22. Improper limitation of a pathname to a restricted directory (path traversal) | 037. Parameters without sensitive data; 280. Restrict service root directory; 381. Use of absolute paths |
| 78. Improper neutralization of special elements used in an OS command (OS command injection) | 173. Discard unsafe inputs |
| 79. Improper neutralization of input during web page generation (cross-site scripting) | 160. Encode system outputs; 173. Discard unsafe inputs |
| 89. Improper neutralization of special elements used in an SQL command (SQL injection) | 157. Use the strict mode; 158. Use a secure programming language; 169. Use parameterized queries; 173. Discard unsafe inputs |
| 94. Improper control of generation of code (code injection) | 050. Control calls to interpreted code; 155. Application free of malicious code; 159. Obfuscate code; 164. Use optimized structures; 173. Discard unsafe inputs |
| 119. Improper restriction of operations within the bounds of a memory buffer | 157. Use the strict mode; 158. Use a secure programming language; 164. Use optimized structures; 173. Discard unsafe inputs; 345. Establish protections against overflows |
| 125. Out-of-bounds read | 157. Use the strict mode; 158. Use a secure programming language; 342. Validate request parameters; 345. Establish protections against overflows |
| 190. Integer overflow or wraparound | 345. Establish protections against overflows |
| 200. Information exposure | 032. Avoid session ID leakages; 080. Prevent log modification; 119. Hide recipients; 180. Use mock data; 181. Transmit data using secure protocols; 184. Obfuscate application data; 261. Avoid exposing sensitive information; 375. Remove sensitive data from client-side applications |
| 269. Improper privilege management | 035. Manage privilege modifications; 186. Use the principle of least privilege; 265. Restrict access to critical processes |
| 287. Improper authentication | 030. Avoid object reutilization; 096. Set user's required privileges; 122. Validate credential ownership; 140. Define OTP lifespan; 153. Out of band transactions; 227. Display access notification; 232. Require equipment identity; 237. Ascertain human interaction; 264. Request authentication; 319. Make authentication options equally secure; 335. Define out of band token lifespan; 347. Invalidate previous OTPs; 362. Assign MFA mechanisms to a single account |
| 295. Improper certificate validation | 089. Limit validity of certificates; 091. Use internally signed certificates; 093. Use consistent certificates; 364. Provide extended validation (EV) certificates |
| 352. Cross-site request forgery (CSRF) | 029. Cookies with security attributes; 174. Transactions without a distinguishable pattern; 349. Include HTTP security headers |
| 400. Uncontrolled resource consumption | 039. Define maximum file size; 072. Set maximum response time |
| 416. Use after free | - |
| 426. Untrusted search path | 046. Manage the integrity of critical files; 224. Use secure cryptographic mechanisms; 265. Restrict access to critical processes |
| 434. Unrestricted upload of file with dangerous type | 040. Compare file format and extension; 041. Scan files for malicious code |
| 476. NULL pointer dereference | 345. Establish protections against overflows; 366. Associate type to variables; 381. Use of absolute paths |
| 502. Deserialization of untrusted data | 321. Avoid deserializing untrusted data |
| 611. Improper restriction of XML external entity reference | 157. Use the strict mode; 173. Discard unsafe inputs |
| 732. Incorrect permission assignment for critical resource | 046. Manage the integrity of critical files; 088. Request client certificates; 232. Require equipment identity; 364. Provide extended validation (EV) certificates |
| 772. Missing release of resource after effective lifetime | - |
| 787. Out-of-bounds write | 157. Use the strict mode; 158. Use a secure programming language; 345. Establish protections against overflows |
| 798. Use of hard-coded credentials | 127. Store hashed passwords; 145. Protect system cryptographic keys; 146. Remove cryptographic keys from RAM; 181. Transmit data using secure protocols; 206. Configure communication protocols; 224. Use secure cryptographic mechanisms; 228. Authenticate using standard protocols; 229. Request access credentials; 264. Request authentication; 351. Assign unique keys to each device |