The CWE publishes an article entitled Top 25 Most Dangerous Software Errors. This post references the content on that site.
I don’t have original content to add to the very thorough discussion on the site; however, I thought I’d at least blog about this topic. It’s important that any programmer be familiar with the top 25 because they are so common. It’s also important that any business person in the tech industry be familiar with these errors so that he/she can verify that developers are coding with the appropriate security measure in mind.
To highlight recent exploits, LinkedIn was recently hacked AND did not salt their passwords, something every service with user credentials should do. Not salting passwords is #25 of the top 25. To briefly mention other incidents, Yahoo, AndroidForums and Formspring have all been hacked and have had user credentials stolen within the last month.
In the table below, I’ve listed the top 25 from the CWE link above. It’s no surprise that SQL injection is #1 in the list. If you’re looking to understand these errors better, you should read up.
| Rank | Score | ID | Name |
|---|---|---|---|
| [1] | 93.8 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| [2] | 83.3 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| [3] | 79.0 | CWE-120 | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| [4] | 77.7 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| [5] | 76.9 | CWE-306 | Missing Authentication for Critical Function |
| [6] | 76.8 | CWE-862 | Missing Authorization |
| [7] | 75.0 | CWE-798 | Use of Hard-coded Credentials |
| [8] | 75.0 | CWE-311 | Missing Encryption of Sensitive Data |
| [9] | 74.0 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| [10] | 73.8 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| [11] | 73.1 | CWE-250 | Execution with Unnecessary Privileges |
| [12] | 70.1 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| [13] | 69.3 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| [14] | 68.5 | CWE-494 | Download of Code Without Integrity Check |
| [15] | 67.8 | CWE-863 | Incorrect Authorization |
| [16] | 66.0 | CWE-829 | Inclusion of Functionality from Untrusted Control Sphere |
| [17] | 65.5 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| [18] | 64.6 | CWE-676 | Use of Potentially Dangerous Function |
| [19] | 64.1 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| [20] | 62.4 | CWE-131 | Incorrect Calculation of Buffer Size |
| [21] | 61.5 | CWE-307 | Improper Restriction of Excessive Authentication Attempts |
| [22] | 61.1 | CWE-601 | URL Redirection to Untrusted Site (‘Open Redirect’) |
| [23] | 61.0 | CWE-134 | Uncontrolled Format String |
| [24] | 60.3 | CWE-190 | Integer Overflow or Wraparound |
| [25] | 59.9 | CWE-759 | Use of a One-Way Hash without a Salt |