CWE/SANS TOP 25


The ability to rate software security levels allows companies to manage risk by determining whether or not the software meets their requirements.

– Diana Kelley, principal analyst, SecurityCurve

VERAFIED Security Mark for the CWE/SANS TOP 25

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant errors that can lead to serious software vulnerabilities. The errors on this list occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

Although Veracode SecurityReview detects hundreds of software security flaws, we focus sharply on finding the problems that are “worth fixing”. The CWE/SANS Top 25 is a list of flaws so prevalent and severe that no non-web application should be delivered to customers without some evidence that the software does not contain these errors.

The following table lists, for the 2010 CWE/SANS Top 25, the technical flaws detected through automated analysis in order to achieve the VERAFIED security mark, and the additional coverage provided by manual penetration testing (which detects business logic and design errors) in order to achieve the VERAFIED HIGH ASSURANCE security mark.

Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

Rank | ID      | Weakness                                                                                        | VERAFIED | VERAFIED HIGH ASSURANCE
-----|---------|-------------------------------------------------------------------------------------------------|----------|------------------------
1    | CWE-79  | Failure to Preserve Web Page Structure ('Cross-site Scripting')                                 | X        | X
2    | CWE-89  | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')              | X        | X
4    | CWE-352 | Cross-Site Request Forgery (CSRF)                                                               |          | X
8    | CWE-434 | Unrestricted Upload of File with Dangerous Type                                                 |          | X
9    | CWE-78  | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')        | X        | X
17   | CWE-209 | Information Exposure Through an Error Message                                                   | X        | X
23   | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect')                                             | X        | X
25   | CWE-362 | Race Condition                                                                                  | X        | X

Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

Rank | ID      | Weakness                                                                                        | VERAFIED | VERAFIED HIGH ASSURANCE
-----|---------|-------------------------------------------------------------------------------------------------|----------|------------------------
3    | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')                          | X        | X
7    | CWE-22  | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')                  | X        | X
12   | CWE-805 | Buffer Access with Incorrect Length Value                                                       | X        | X
13   | CWE-754 | Improper Check for Unusual or Exceptional Conditions                                            |          | X
14   | CWE-98  | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | X        | X
15   | CWE-129 | Improper Validation of Array Index                                                              | X        | X
16   | CWE-190 | Integer Overflow or Wraparound                                                                  | X        | X
18   | CWE-131 | Incorrect Calculation of Buffer Size                                                            | X        | X
20   | CWE-494 | Download of Code Without Integrity Check                                                        |          | X
22   | CWE-770 | Allocation of Resources Without Limits or Throttling                                            |          | X

Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

Rank | ID      | Weakness                                                                                        | VERAFIED | VERAFIED HIGH ASSURANCE
-----|---------|-------------------------------------------------------------------------------------------------|----------|------------------------
5    | CWE-285 | Improper Access Control (Authorization)                                                         |          | X
6    | CWE-807 | Reliance on Untrusted Inputs in a Security Decision                                             | X        | X
10   | CWE-311 | Missing Encryption of Sensitive Data                                                            | X        | X
11   | CWE-798 | Use of Hard-coded Credentials                                                                   | X        | X
19   | CWE-306 | Missing Authentication for Critical Function                                                    |          | X
21   | CWE-732 | Incorrect Permission Assignment for Critical Resource                                           |          | X
24   | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm                                                | X        | X