What Errors Are Included in the Top 25 Software Errors?
Click on the CWE ID in any of the listings and you will be directed to the relevant spot in the MITRE CWE site where you will find the following:
- Ranking of each Top 25 entry,
- Links to the full CWE entry data,
- Data fields for weakness prevalence and consequences,
- Remediation cost,
- Ease of detection,
- Code examples,
- Detection Methods,
- Attack frequency and attacker awareness
- Related CWE entries, and
- Related patterns of attack for this weakness.
Each entry at the Top 25 Software Errors site also includes fairly extensive prevention and remediation steps that developers can take to mitigate or eliminate the weakness.
The CWE Top 25
|1||CWE-119||Improper Restriction of Operations within the Bounds of a Memory Buffer|
|2||CWE-79||Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')|
|3||CWE-20||Improper Input Validation|
|6||CWE-89||Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')|
|7||CWE-416||Use After Free|
|8||CWE-190||Integer Overflow or Wraparound|
|9||CWE-352||Cross-Site Request Forgery (CSRF)|
|10||CWE-22||Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')|
|11||CWE-78||Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')|
|14||CWE-476||NULL Pointer Dereference|
|15||CWE-732||Incorrect Permission Assignment for Critical Resource|
|16||CWE-434||Unrestricted Upload of File with Dangerous Type|
|17||CWE-611||Improper Restriction of XML External Entity Reference|
|18||CWE-94||Improper Control of Generation of Code ('Code Injection')|
|19||CWE-798||Use of Hard-coded Credentials|
|20||CWE-400||Uncontrolled Resource Consumption|
|21||CWE-772||Missing Release of Resource after Effective Lifetime|
|22||CWE-426||Untrusted Search Path|
|23||CWE-502||Deserialization of Untrusted Data|
|24||CWE-269||Improper Privilege Management|
|25||CWE-295||Improper Certificate Validation|
Resources to Help Eliminate The Top 25 Software Errors
- SANS Application Security Courses
The SANS application security curriculum seeks to ingrain security into the minds of every developer in the world by providing world-class educational resources to design, develop, procure, deploy, and manage secure software. The application security faculty are real-world practitioners with decades of application security experience. The concepts covered in our courses will be applicable to your software security program the day you return to work:
- SEC522: Defending Web Applications Security Essentials
- SEC534: Secure DevOps: A Practical Introduction
- SEC540: Secure DevOps & Cloud Application Security
SANS maintains an Application Security CyberTalent Assessment that measures secure coding skills and allow programmers to determine gaps in their knowledge of secure coding and allows buyers to ensure outsourced programmers have sufficient programming skills. Organizations can learn more at https://www.sans.org/cybertalent/assessment-detail?msc=top25hp#appsec.
Developer Security Awareness Training
The SANS Security Awareness Developer product provides pinpoint software security awareness training on demand, all from the comfort of your desk. Application security awareness training includes over 30+ modules averaging 7-10 minutes in length to maximize learner engagement and retention. The modules cover the full breadth and depth of topics for PCI Section 6.5 compliance and the items that are important for secure software development.
- The TOP 25 Errors List will be updated regularly and will be posted at both the SANS and MITRE sites
CWE Top 25 Software Errors Site
MITRE maintains the CWE (Common Weakness Enumeration) web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 Software errors along with authoritative guidance for mitigating and avoiding them. That site also contains data on more than 700 additional Software errors, design errors and architecture errors that can lead to exploitable vulnerabilities. CWE Web Site
- SAFECode - The Software Assurance Forum for
Excellence in Code (members include EMC, Juniper, Microsoft, Nokia, SAP
and Symantec) has produced two excellent publications outlining industry
best practices for software assurance and providing practical advice
for implementing proven methods for secure software development.
Fundamental Practices for Secure Software Development 3rd Edition
Overview of Software Integrity Controls
Framework for Software Supply Chain Integrity
Fundamental Practices for Secure Software Development
Software Assurance: An Overview of Current Industry Best Practices
- Software Assurance Community Resources Site and DHS web sites
As part of DHS risk mitigation efforts to enable greater resilience of cyber assets, the Software Assurance Program seeks to reduce software vulnerabilities, minimize exploitation, and address ways to routinely acquire, develop and deploy reliable and trustworthy software products with predictable execution, and to improve diagnostic capabilities to analyze systems for exploitable weaknesses.
- Nearly a dozen software companies offer automated tools that test programs for these errors.
How Important Are the Top 25 Software Errors?
Contributors to the "CWE/SANS Top 25 Most Dangerous Software Errors":
- Mark J. Cox, Red Hat Inc.
- Carsten Eiram, Secunia (Denmark)
- Pascal Meunier, CERIAS, Purdue University
- Razak Ellafi & Olivier Bonsignour, CAST Software
- David Maxwell, NetBSD
- Cassio Goldschmidt & Mahesh Saptarshi, Symantec Corporation
- Chris Eng, Veracode, Inc.
- Paul Anderson, Grammatech Inc.
- Masato Terada, Information-Technology Promotion Agency (IPA) (Japan)
- Bernie Wong, IBM
- Dennis Seymour, Ellumen, Inc.
- Kent Landfield, McAfee
- Hart Rossman, SAIC
- Jeremy Epstein, SRI International
- Matt Bishop, UC Davis
- Adam Hahn & Sean Barnum, MITRE
- Jeremiah Grossman, White Hat Security
- Kenneth van Wyk, KRvW Associates
- Bruce Lowenthal, Oracle Corporation
- Jacob West, Fortify Software, an HP Company
- Frank Kim, ThinkSec
- Christian Heinrich, (Australia)
- Ketan Vyas, Tata Consultancy Services (TCS)
- Joe Baum, Motorola Solutions
- Matthew Coles, Aaron Katz & Nazira Omuralieva, RSA, the Security Division of EMC
- National Security Agency (NSA) Information Assurance Division
- Department of Homeland Security (DHS) National Cyber Security Division
The following individuals and organizations aided in the development of the Top 25 through their input to the CWSS/CWRAF
CWSS / CWRAF
- Bruce Lowenthal, Oracle
- Damir (Gaus) Rajnovic, Cisco
- Stephen Chasko
- Chris Eng and Chris Wysopal, Veracode
- Casper Jones
- Edward Luck and Martin Tan, Dimension Data (Australia)
- James Jardine, Jardine Software
- Jon Zucker, Cenzic
- Jason Liu, Northrop Grumman
- Ory Segal, IBM
- Mahi Dontamsetti, DTCC
- Hart Rossman, SAIC
Version 3.0 Updated June 27, 2011