CWE/SANS TOP 25

Veracode CWE Support

Download the list of CWEs Veracode tests for. This list reflects the CWEs that Veracode tests for using automated static and dynamic scanning. The Veracode platform may report flaws in other CWEs if the results of a manual penetration test are included alongside the scan results. Where a flaw may be mapped to several CWEs, Veracode generally reports the most general CWE that describes that particular case (e.g. CWE 80 is preferred for cross-site scripting over its child CWEs). This list is updated frequently.

VERAFIED Security Mark for the CWE/SANS TOP 25

The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant errors that can lead to serious software vulnerabilities. The errors on this list occur frequently, are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

Although Veracode SecurityReview detects hundreds of software security flaws, we provide a razor focus on finding the problems that are “worth fixing”. The CWE/SANS Top 25 is a list of flaws so prevalent and severe that no non-web applications should be delivered to customers without some evidence that the software does not contain these errors.

The following table identifies technical flaws found through automated analysis used to achieve the VERAFIED security mark and the additional coverage provided through manual penetration testing to detect business logic and design errors to achieve the VERAFIED HIGH ASSURANCE security mark for the 2010 CWE/SANS Top 25.

Rank	ID	Insecure Interaction Between Components These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
1	CWE-79	Failure to Preserve Web Page Structure ('Cross-site Scripting')	X	X
2	CWE-89	Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')	X	X
4	CWE-352	Cross-Site Request Forgery (CSRF)		X
8	CWE-434	Unrestricted Upload of File with Dangerous Type		X
9	CWE-78	Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')	X	X
17	CWE-209	Information Exposure Through an Error Message	X	X
23	CWE-601	URL Redirection to Untrusted Site ('Open Redirect')	X	X
25	CWE-362	Race Condition	X	X
Rank	ID	Risky Resource Management These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
3	CWE-120	Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')	X	X
7	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')	X	X
12	CWE-805	Buffer Access with Incorrect Length Value	X	X
13	CWE-754	Improper Check for Unusual or Exceptional Conditions		X
14	CWE-98	Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')	X	X
15	CWE-129	Improper Validation of Array Index	X	X
16	CWE-190	Integer Overflow or Wraparound	X	X
18	CWE-131	Incorrect Calculation of Buffer Size	X	X
20	CWE-494	Download of Code Without Integrity Check		X
22	CWE-770	Allocation of Resources Without Limits or Throttling		X
Rank	ID	Porous Defenses The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
5	CWE-285	Improper Access Control (Authorization)		X
6	CWE-807	Reliance on Untrusted Inputs in a Security Decision	X	X
10	CWE-311	Missing Encryption of Sensitive Data	X	X
11	CWE-789	Use of Hard-coded Credentials	X	X
19	CWE-306	Missing Authentication for Critical Function		X
21	CWE-732	Incorrect Permission Assignment for Critical Resource		X
24	CWE-327	Use of a Broken or Risky Cryptographic Algorithm	X	X