Take New Survey on Insider Threats for Chance to Win $400 Amazon Card

CWE/SANS TOP 25 Most Dangerous Software Errors

What Errors Are Included in the Top 25 Software Errors?

Version 2.0 Updated February 16, 2010

The Top 25 Software Errors are listed below in three categories:

Click on the headline in any of the listings (or the MORE link) and you will be directed to the relevant spot in the MITRE CWE site where you will find the following:

  • Ranking of each Top 25 entry,
  • Links to the full CWE entry data,
  • Data fields for weakness prevalence and consequences,
  • Remediation cost,
  • Ease of detection,
  • Code examples,
  • Detection Methods,
  • Attack frequency and attacker awareness
  • Related CWE entries, and
  • Related patterns of attack for this weakness.

Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.

View Press Release concerning the 2010 Updates

Archive

Software Error Category: Insecure Interaction Between Components

[1] CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')

Cross-site scripting (XSS) is one of the most prevalent, obstinate, and dangerous vulnerabilities in web applications...If you're not careful, attackers can...MORE >>

[2] CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')

If attackers can influence the SQL that you use to communicate with your database, then they can...MORE >>

[4] CWE-352: Cross-Site Request Forgery (CSRF)

With cross-site request forgery, the attacker gets the victim to activate a request that goes to your site. Thanks to scripting and the way the web works in general, the victim...MORE >>

[8] CWE-434: Unrestricted Upload of File with Dangerous Type

You may think you're allowing uploads of innocent images...MORE >>

[9] CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')

When you invoke another program on the operating system, but you allow untrusted inputs to be fed into the command string that you generate for executing the program, then you are inviting attackers...MORE >>

[17] CWE-209: Information Exposure Through an Error Message

If you use chatty error messages, then they could disclose secrets to any attacker who dares to misuse your software. The secrets could cover a wide range of valuable data...MORE >>

[23] CWE-601: URL Redirection to Untrusted Site ('Open Redirect')

While much of the power of the World Wide Web is in sharing and following links between web sites, typically there is...MORE >>

[25] CWE-362: Race Condition

Attackers will consciously look to exploit race conditions to cause chaos or get your application to cough up something valuable...MORE >>

Software Error Category: Risky Resource Management

[3] CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

Buffer overflows are Mother Nature's little reminder of that law of physics that says if you try to put more stuff into a container than it can hold, you're...MORE >>

[7] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

While data is often exchanged using files, sometimes you don't intend to...MORE >>

[14] CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')

Not a lot of Top 25 weaknesses are unique to a single programming language, but that just goes to show how special this one is. The idea...MORE >>

[12] CWE-805: Buffer Access with Incorrect Length Value

A popular insult is: "Take a long walk off a short pier." One programming equivalent for this... MORE >>

[13] CWE-754: Improper Check for Unusual or Exceptional Conditions

Security-wise, it pays to be cynical. If you always expect the worst...MORE >>

[15] CWE-129: Improper Validation of Array Index

If you've allocated an array of 100 objects or structures, and an attacker provides an index that is...MORE >>

[16] CWE-190: Integer Overflow or Wraparound

In the real world, 255+1=256. But to a computer program, sometimes 255+1=...MORE >>

[18] CWE-131: Incorrect Calculation of Buffer Size

In languages such as C, where memory management is the programmer's responsibility, there are many opportunities for error...MORE >>

[20] CWE-494: Download of Code Without Integrity Check

You don't need to be a guru to realize that if you download code and execute it, you're trusting that the source of that code isn't malicious. But attackers can perform all sorts of tricks...MORE >>

[21] CWE-770: Allocation of Resources Without Limits or Throttling

If someone calls in and places an order for a thousand pizzas (with anchovies) to be delivered immediately, you'd quickly put a stop to that nonsense. But...MORE >>

Software Error Category: Porous Defenses

[5] CWE-285: Improper Access Control (Authorization)

If you don't ensure that your software's users are only doing what they're allowed to, then attackers will try to exploit your improper authorization and...MORE >>

[6] CWE-807: Reliance on Untrusted Inputs in a Security Decision

Driver's licenses may require close scrutiny to identify fake licenses, or to determine if a person is using someone else's license. Software developers...MORE >>

[10] CWE-311: Missing Encryption of Sensitive Data

If your software sends sensitive information across a network, such as private data or authentication credentials, that information...MORE >>

[11] CWE-798: Use of Hard-coded Credentials

Most of the CWE Top 25 can be explained away as an honest mistake; for this issue, though, customers...MORE >>

[19] CWE-306: Missing Authentication for Critical Function

In countless action movies, the villain breaks into a high-security building by crawling through heating ducts...MORE >>

[22] CWE-732: Incorrect Permission Assignment for Critical Resource

If you have critical programs, data stores, or configuration files with permissions that make your resources accessible to the world - well, that's just what they'll become...MORE >>

[24] CWE-327: Use of a Broken or Risky Cryptographic Algorithm

You may be tempted to develop your own encryption scheme in the hopes of making it difficult for attackers to crack. This kind of grow-your-own cryptography is a welcome sight to attackers...MORE >>

Resources to Help Eliminate The Top 25 Software Errors

  1. The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
    SANS Top 25 Software Errors Site
    CWE Top 25 Software Errors Site

    MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 Software errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional Software errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site

    SANS maintains a series of assessments of secure coding skills in three languages along with certification exams that allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations with more than 500 programmers can assess the secure coding skills of up to 100 programmers at no cost.

    Email spa@sans.org for details. And see The SANS Software Security Institute Certification Page for the GSSP Blueprints.

  2. SAFECode - The Software Assurance Forum for Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP and Symantec) has produced two excellent publications outlining industry best practices for software assurance and providing practical advice for implementing proven methods for secure software development.
    SAFECode Best Practices PDF
    SAFECode Development Practices PDF

  3. Software Assurance Community Resources Site and DHS web sites

    As part of DHS risk mitigation efforts to enable greater resilience of cyber assets, the Software Assurance Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to routinely acquire, develop and deploy reliable and trustworthy software products with predictable execution, and to improve diagnostic capabilities to analyze systems for exploitable weaknesses.

  4. Nearly a dozen software companies offer automated tools that test programs for these errors. SANS maintains case studies of user experience with these and other security tools at:
    SANS What Works in Internet Security.

  5. New York State has produced draft procurement standards to allow companies to buy software with security baked in.

    If you wish to join the working group to help improve the procurement guidelines you can go to the New York State Cyber Security and Critical Infrastructure Coordination web site.

    Draft New York State procurement language will be posted at SANS Application Security Contract.

  6. For additional information on any of these:
    SANS: Mason Brown, mbrown@sans.org
    MITRE: Bob Martin, ramartin@mitre.org
    MITRE: Steve Christey, coley@mitre.org

List of Contributors to the Top 25 Software Errors

  • Robert Auger, Web Application Security Consortium (WASC)
  • Michael Howard and Bryan Sullivan, Microsoft
  • Mark J. Cox, Red Hat Inc.
  • Carsten Eiram, Secunia (Denmark)
  • Chuck Willis, MANDIANT
  • James Walden, Northern Kentucky University
  • Pascal Meunier, CERIAS, Purdue University
  • Romain Gaucher, Cigital, Inc.
  • Mahesh Saptarshi and Cassio Goldschmidt, Symantec Corporation
  • Chris Eng and Chris Wysopal, Veracode, Inc.
  • Ming-Wei (Benson) Wu, Armorize
  • Paul Anderson, Grammatech Inc.
  • Masato Terada, Information-Technology Promotion Agency (IPA) (Japan)
  • Barry Greene, Juniper
  • Kent Landfield, McAfee
  • Hart Rossman, SAIC
  • Jeremiah Grossman, White Hat Security
  • Jeremy Epstein, SRI International
  • Adam Hahn, Drew Buttner, Larry Shields, and Sean Barnum, MITRE
  • Jeff Williams, Aspect Security and the Open Web Application Security Project (OWASP)
  • Kenneth van Wyk, KRvW Associates
  • Bruce Lowenthal, Oracle Corporation
  • Jacob West, Fortify Software
  • Frank Kim, ThinkSec
  • Ryan Barnett, Breach Security
  • Elizabeth Nichols, PlexLogic, LLC
  • Antonio Fontes, New Access SA, (Switzerland)
  • Cristina Cifuentes and John Totah, Sun
  • Ketan Vyas, Tata Consultancy Services (TCS)
  • Paul Wilson, Lindsey Cheng, Jeehye Yun, Tom Burgess, and Jim Kukla, Secured Sciences Group, LLC
  • Matthew Coles, Danny Dhillon, Hardik Parekh, and Nazira Omuralieva, RSA - Security Division of EMC
  • Apple Product Security
  • National Security Agency (NSA) Information Assurance Division
  • Department of Homeland Security (DHS) National Cyber Security Division

How Important Are the Top 25 Software Errors?

We asked several of the participants why they thought this effort was important enough to merit a significant amount of their time and expertise. Here are a few of their answers. More are at the end of the announcement.

"Just wanted to commend the depth of the CWE/SANS Top 25. The code examples are particularly excellent. I have asked all my developers to read one of these each day for the next 25 days. I'm taking my own advice as well, and even though I'm still reading some of the "easy" ones (like SQL injection), I still find that I am learning new things about old topics."

-- Mark E. Haase, OpenFISMA Project Manager, Endeavor Systems, Inc.

"Your document (2009 CWE/SANS Top 25 Most Dangerous Software Errors) is very useful. I would like to publish it on our intranet, for illustrating threats and vulnerabilities about coding."

-- colonel Jean-Michel HOUBRE, from the french MOD.

"We included the top25 reference in a request for bid last year. Project began in December and expect the project to be complete in October 2010. We are hopeful to have a much more secure and better application due to the reference and utilization of the SANS/MITRE Top 25."

-- Richard Lemons, WV Department of Health and Human Resources

"In the collaborated environment and ever increasing business requirements to integrate solutions, insecure applications are an easy target. The business today understands how much damage can be cause to business, revenue and customer confidence due to these issues. To ensure that our deliveries meet / surpass customer expectations on security, the CWE/SANS Top 25 Most Dangerous Software Errors is extensively leveraged in our software security assurance process."

-- Ketan Vyas, Head Application Security Initiative, Tata Consultancy Services

"I've read "2009 CWE/SANS Top 25 Most Dangerous Software Errors" article and found it very useful. I would like to translate it into Russian for our software testing community. Of course, link to original article will be stored."

-- Alexander Kozyrev

"The Top 25 provides much needed guidance for software developers focusing on eliminating software security defects in their products. If you're involved with software development at your organization and are looking to improve your product security posture, you need to read this."

-- Robert Auger, Co Founder of The Web Application Security Consortium

"The CWE/SANS Top 25 list provides a great starting point for developers who want to write more secure code. The majority of the flaw types of the most severe vulnerabilities that Red Hat fixed in 2009 are discussed in this document."

-- Mark J. Cox, Director, Security Response, Red Hat.

"The 2010 CWE/SANS Top 25 Software Errors provides valuable guidance to organizations engaged in the development or deployment of software. This list helps organizations focus on the most dangerous threats so that they can get the most out of their vulnerability reduction effort. The list can also be used as a framework to define short term and longer term programs for the elimination or mitigation of security vulnerabilities. Furthermore, it provides easy to comprehend description of the classes of vulnerabilities and high-level recommendations for mitigating or avoiding them altogether. This list is definitely a must-read for anyone who wishes to develop reasonably secure code."

-- Bruce Lowenthal, Director Security Alert, Oracle Corp.

"It's great to see the CWE/SANS Top 25 list continue to be maintained and mature. Relentlessly spreading the word about the most common security defects in programming is a vital need. The state of security in our software would without a doubt be much improved if everyone who touches software development reads and thoroughly understands this. Kudos."

-- Kenneth R. van Wyk, KRvW Associates, LLC