Top 25 Most Dangerous Software Errors

The CWE publishes an article entitled Top 25 Most Dangerous Software Errors. This post references the content on that site.

I don’t have original content to add to the very thorough discussion on the site; however, I thought I’d at least blog about this topic. It’s important that any programmer be familiar with the top 25 because they are so common. It’s also important that any business person in the tech industry be familiar with these errors so that he/she can verify that developers are coding with the appropriate security measures in mind.

To highlight recent exploits: LinkedIn was recently hacked and, it turned out, had not salted its password hashes, even though salting is something every service that stores user credentials should do. Not salting passwords is #25 of the top 25. To briefly mention other incidents, Yahoo, AndroidForums and Formspring have all been hacked and have had user credentials stolen within the last month.
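As an added example (not from the original post or the CWE site), here is the difference CWE-759 describes, in Python: an unsalted SHA-256 digest beside a salted PBKDF2-HMAC-SHA256 form with constant-time verification, plus a small audit check that flags an unsalted table because reused passwords collapse to identical digests. The user records are constructed for the demo.

```python
import hashlib
import hmac
import os
from collections import Counter

ITERATIONS = 600_000  # PBKDF2 work factor; raise it as hardware gets faster

def unsalted_hash(password: str) -> str:
    """CWE-759 pattern: a bare one-way hash. Equal passwords give equal
    digests, so one precomputed table covers every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes = None, iterations: int = ITERATIONS) -> str:
    """Hardened form: a random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256).
    The salt is stored beside the digest; it need not be secret, only unique."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor, compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)

def shared_digest_groups(table: dict) -> int:
    """Audit check: number of distinct digests shared by more than one user.
    A correctly salted table always yields 0; an unsalted one shows every
    reused password as a group, which is exactly what a leaked dump exposes."""
    counts = Counter(table.values())
    return sum(1 for c in counts.values() if c > 1)

# Constructed sample users; two of them reuse the same weak password.
USERS = {"alice": "Tr0ub4dor&3", "bob": "password123", "carol": "password123"}

UNSALTED_TABLE = {u: unsalted_hash(p) for u, p in USERS.items()}
SALTED_TABLE = {u: salted_hash(p) for u, p in USERS.items()}

if __name__ == "__main__":
    print("unsalted shared groups:", shared_digest_groups(UNSALTED_TABLE))  # 1
    print("salted shared groups:  ", shared_digest_groups(SALTED_TABLE))    # 0
    print("bob logs in:", verify_salted("password123", SALTED_TABLE["bob"]))  # True
```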

In the table below, I’ve listed the top 25 from the CWE link above. It’s no surprise that SQL injection is #1 in the list. If you’re looking to understand these errors better, you should read the full entries on the CWE site.

Rank Score ID Name
[1] 93.8 CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
[2] 83.3 CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
[3] 79.0 CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
[4] 77.7 CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
[5] 76.9 CWE-306 Missing Authentication for Critical Function
[6] 76.8 CWE-862 Missing Authorization
[7] 75.0 CWE-798 Use of Hard-coded Credentials
[8] 75.0 CWE-311 Missing Encryption of Sensitive Data
[9] 74.0 CWE-434 Unrestricted Upload of File with Dangerous Type
[10] 73.8 CWE-807 Reliance on Untrusted Inputs in a Security Decision
[11] 73.1 CWE-250 Execution with Unnecessary Privileges
[12] 70.1 CWE-352 Cross-Site Request Forgery (CSRF)
[13] 69.3 CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
[14] 68.5 CWE-494 Download of Code Without Integrity Check
[15] 67.8 CWE-863 Incorrect Authorization
[16] 66.0 CWE-829 Inclusion of Functionality from Untrusted Control Sphere
[17] 65.5 CWE-732 Incorrect Permission Assignment for Critical Resource
[18] 64.6 CWE-676 Use of Potentially Dangerous Function
[19] 64.1 CWE-327 Use of a Broken or Risky Cryptographic Algorithm
[20] 62.4 CWE-131 Incorrect Calculation of Buffer Size
[21] 61.5 CWE-307 Improper Restriction of Excessive Authentication Attempts
[22] 61.1 CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
[23] 61.0 CWE-134 Uncontrolled Format String
[24] 60.3 CWE-190 Integer Overflow or Wraparound
[25] 59.9 CWE-759 Use of a One-Way Hash without a Salt

One Comment

  1. I’ve heard the names of many of these float around, but this was a solid reminder. I’m not entirely sure how to code to prevent most of these, but it certainly makes me much more cautious. I’d actually love to see more security design and code review steps in the standard SDLC now that I think about it. I know it’s just about the last thing on my mind when I’m coding/designing.


Comments, questions and feedback welcome.