CWE/SANS TOP 25

Veracode CWE Support

Download the list of CWEs Veracode tests for. This list reflects the CWEs that Veracode tests for using automated static and dynamic scanning. The Veracode platform may report flaws in other CWEs if the results of a manual penetration test are included alongside the scan results. Where a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case (e.g. CWE-80 is preferred for cross-site scripting over its child CWEs). This list is updated frequently.

VERAFIED Security Mark for the CWE/SANS TOP 25

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors is a list of the most significant errors that can lead to serious software vulnerabilities. The errors on this list occur frequently, are often easy to find, and are easy to exploit. They are dangerous because they frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

Although the Veracode Platform detects hundreds of software security flaws, we focus on finding the problems that are "worth fixing". The CWE/SANS Top 25 is a list of flaws so prevalent and severe that no application should be delivered to customers without some evidence that the software does not contain these errors.

The following tables identify, for each entry in the 2011 CWE/SANS Top 25, the technical flaws found through automated analysis used to achieve the VERAFIED security mark and the additional coverage provided through manual penetration testing, which detects business logic and design errors, used to achieve the VERAFIED HIGH ASSURANCE security mark.
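The split between the two columns in the tables below comes down to what a scanner can see. An injection flaw is a data-flow property (untrusted input reaches a query), which automated analysis can trace without knowing what the application is for; a missing authorization check is a design property that only shows up once you know which user is allowed to read which record. The following Python is an added illustration, not Veracode's code and not part of the original page; the orders table, the sample rows, the user ids and the function names are all constructed for the example.

```python
"""
Added example (not from the original page): one handler that carries both
CWE-89 (SQL injection, a data-flow defect a static scanner can trace) and
CWE-862 (missing authorization, a design defect the code never states),
next to a version that closes both.

All table names, rows, user ids and function names are constructed.
"""
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """In-memory store with two customers' orders (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, owner INTEGER, item TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, 100, "laptop"), (2, 100, "monitor"), (3, 200, "keyboard")],
    )
    return conn


def get_order_vulnerable(conn: sqlite3.Connection, user_id: int,
                         order_id: str) -> List[Tuple[int, int, str]]:
    """CWE-89 and CWE-862 together.

    order_id comes straight from the request and is concatenated into the
    query: a taint source flowing into a SQL sink, which a scanner can flag.
    Nothing ties the result to user_id, so any caller can read any order;
    no single line is wrong, so the gap is only visible to someone who knows
    that orders are private to their owner (a pentester, not a scanner)."""
    query = "SELECT id, owner, item FROM orders WHERE id = " + order_id
    return conn.execute(query).fetchall()


def get_order_fixed(conn: sqlite3.Connection, user_id: int,
                    order_id: str) -> Optional[Tuple[int, int, str]]:
    """Parameterised query (closes CWE-89) plus an explicit ownership check
    in the WHERE clause (closes CWE-862). Returns None for malformed ids
    and for orders that do not belong to the caller."""
    try:
        oid = int(order_id)
    except ValueError:
        return None
    return conn.execute(
        "SELECT id, owner, item FROM orders WHERE id = ? AND owner = ?",
        (oid, user_id),
    ).fetchone()


if __name__ == "__main__":
    db = make_db()
    # User 200 asks for order 1, which belongs to user 100.
    print(get_order_vulnerable(db, 200, "1"))         # leaks user 100's order
    print(get_order_vulnerable(db, 200, "1 OR 1=1"))  # injection dumps every row
    print(get_order_fixed(db, 200, "1"))              # None: not the caller's order
    print(get_order_fixed(db, 200, "1 OR 1=1"))       # None: rejected before the query
    print(get_order_fixed(db, 100, "1"))              # (1, 100, 'laptop')
```

The injection in `get_order_vulnerable` would be reported under CWE-89 by taint analysis alone. The authorization gap is the reason CWE-862 sits in the manual-only column: the fixed version is only "fixed" because someone decided that `owner = ?` is the policy, and that decision lives in the design, not in any syntax a scanner can match.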

Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated plus manual penetration testing)
1 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | X | X
2 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | X | X
4 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | X | X
9 | CWE-434 | Unrestricted Upload of File with Dangerous Type | X | X
12 | CWE-352 | Cross-Site Request Forgery (CSRF) | | X
22 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated plus manual penetration testing)
3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | X | X
13 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X
14 | CWE-494 | Download of Code Without Integrity Check | X | X
16 | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere | X | X
18 | CWE-676 | Use of Potentially Dangerous Function | X | X
20 | CWE-131 | Incorrect Calculation of Buffer Size | X | X
23 | CWE-134 | Uncontrolled Format String | X | X
24 | CWE-190 | Integer Overflow or Wraparound | X | X
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated plus manual penetration testing)
5 | CWE-306 | Missing Authentication for Critical Function | | X
6 | CWE-862 | Missing Authorization | | X
7 | CWE-798 | Use of Hard-coded Credentials | X | X
8 | CWE-311 | Missing Encryption of Sensitive Data | X | X
10 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | | X
11 | CWE-250 | Execution with Unnecessary Privileges | | X
15 | CWE-863 | Incorrect Authorization | | X
17 | CWE-732 | Incorrect Permission Assignment for Critical Resource | X | X
19 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | X | X
21 | CWE-307 | Improper Restriction of Excessive Authentication Attempts | | X
25 | CWE-759 | Use of a One-Way Hash without a Salt | | X

There were 8 errors included in the 2010 CWE Top 25 that were omitted from the 2011 version. The 2010 list reads as follows:

Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated plus manual penetration testing)
1 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | X | X
2 | CWE-89 | Failure to Preserve SQL Query Structure (aka 'SQL Injection') | X | X
4 | CWE-352 | Cross-Site Request Forgery (CSRF) | | X
8 | CWE-434 | Unrestricted Upload of File with Dangerous Type | X | X
9 | CWE-78 | Failure to Preserve OS Command Structure (aka 'OS Command Injection') | X | X
17 | CWE-209 | Information Exposure Through an Error Message | X | X
23 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X
25 | CWE-362 | Race Condition | | X
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated plus manual penetration testing)
3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | | X
7 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X
12 | CWE-805 | Buffer Access with Incorrect Length Value | | X
13 | CWE-754 | Improper Check for Unusual or Exceptional Conditions | | X
14 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | X | X
15 | CWE-129 | Improper Validation of Array Index | X | X
16 | CWE-190 | Integer Overflow or Wraparound | X | X
18 | CWE-131 | Incorrect Calculation of Buffer Size | | X
20 | CWE-494 | Download of Code Without Integrity Check | X | X
21 | CWE-770 | Allocation of Resources Without Limits or Throttling | | X
Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated plus manual penetration testing)
5 | CWE-285 | Improper Access Control (Authorization) | | X
6 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | | X
10 | CWE-311 | Missing Encryption of Sensitive Data | X | X
11 | CWE-798 | Use of Hard-coded Credentials | | X
19 | CWE-306 | Missing Authentication for Critical Function | | X
22 | CWE-732 | Incorrect Permission Assignment for Critical Resource | X | X
24 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | X | X