VERAFIED Security Mark for the CWE/SANS TOP 25
The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant errors that can lead to serious software vulnerabilities. The errors on this list occur frequently, are often easy to find, and are easy to exploit. They are dangerous because they frequently allow attackers to take over the software completely, steal data, or prevent the software from working at all.
Although Veracode SecurityReview detects hundreds of software security flaws, we keep a sharp focus on finding the problems that are "worth fixing". The CWE/SANS Top 25 is a list of flaws so prevalent and severe that no non-web applications should be delivered to customers without some evidence that the software does not contain these errors.
The following table identifies, for each entry in the 2010 CWE/SANS Top 25, the technical flaws found through automated analysis (the coverage required for the VERAFIED security mark) and the additional coverage provided by manual penetration testing, which detects business logic and design errors (the coverage required for the VERAFIED HIGH ASSURANCE security mark). An X in a column means the corresponding mark covers that weakness.
Insecure Interaction Between Components: these weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

| Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated analysis plus manual penetration testing) |
|---|---|---|---|---|
| 1 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') | X | X |
| 2 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') | X | X |
| 4 | CWE-352 | Cross-Site Request Forgery (CSRF) | | X |
| 8 | CWE-434 | Unrestricted Upload of File with Dangerous Type | | X |
| 9 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') | X | X |
| 17 | CWE-209 | Information Exposure Through an Error Message | X | X |
| 23 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | X | X |
| 25 | CWE-362 | Race Condition | X | X |
Risky Resource Management: the weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

| Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated analysis plus manual penetration testing) |
|---|---|---|---|---|
| 3 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | X | X |
| 7 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | X | X |
| 12 | CWE-805 | Buffer Access with Incorrect Length Value | X | X |
| 13 | CWE-754 | Improper Check for Unusual or Exceptional Conditions | | X |
| 14 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | X | X |
| 15 | CWE-129 | Improper Validation of Array Index | X | X |
| 16 | CWE-190 | Integer Overflow or Wraparound | X | X |
| 18 | CWE-131 | Incorrect Calculation of Buffer Size | X | X |
| 20 | CWE-494 | Download of Code Without Integrity Check | | X |
| 22 | CWE-770 | Allocation of Resources Without Limits or Throttling | | X |
Porous Defenses: the weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

| Rank | ID | Weakness | VERAFIED (automated analysis) | VERAFIED HIGH ASSURANCE (automated analysis plus manual penetration testing) |
|---|---|---|---|---|
| 5 | CWE-285 | Improper Access Control (Authorization) | | X |
| 6 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision | X | X |
| 10 | CWE-311 | Missing Encryption of Sensitive Data | X | X |
| 11 | CWE-798 | Use of Hard-coded Credentials | X | X |
| 19 | CWE-306 | Missing Authentication for Critical Function | | X |
| 21 | CWE-732 | Incorrect Permission Assignment for Critical Resource | | X |
| 24 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm | X | X |