CWE/SANS 25 Most Dangerous Programming Mistakes

Posted by Mike on Jan 13th, 2009

A new list of the most dangerous programming mistakes was released today by SANS Institute. This is a great followup to the OWASP Top 10. The list of potential application security flaws is broken up into three sections, one for dealing with each of application component interaction, resource management, and weak defenses.

CATEGORY: Insecure Interaction Between Components
CWE-20: Improper Input Validation
CWE-116: Improper Encoding or Escaping of Output
CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
CWE-319: Cleartext Transmission of Sensitive Information
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-362: Race Condition
CWE-209: Error Message Information Leak

CATEGORY: Risky Resource Management
CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-642: External Control of Critical State Data
CWE-73: External Control of File Name or Path
CWE-426: Untrusted Search Path
CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
CWE-494: Download of Code Without Integrity Check
CWE-404: Improper Resource Shutdown or Release
CWE-665: Improper Initialization
CWE-682: Incorrect Calculation

CATEGORY: Porous Defenses
CWE-285: Improper Access Control (Authorization)
CWE-327: Use of a Broken or Risky Cryptographic Algorithm
CWE-259: Hard-Coded Password
CWE-732: Insecure Permission Assignment for Critical Resource
CWE-330: Use of Insufficiently Random Values
CWE-250: Execution with Unnecessary Privileges
CWE-602: Client-Side Enforcement of Server-Side Security

Most of these are also listed on the OWASP Top 10, last updated in 2007 and summarized below. Some come under different names, and I tend to prefer the more generic terms described in the new list of 25.

A1 – Cross Site Scripting (XSS)
A2 – Injection Flaws
A3 – Malicious File Execution
A4 – Insecure Direct Object Reference
A5 – Cross Site Request Forgery (CSRF)
A6 – Information Leakage and Improper Error Handling
A7 – Broken Authentication and Session Management
A8 – Insecure Cryptographic Storage
A9 – Insecure Communications
A10 – Failure to Restrict URL Access

It’s our responsibility as software developers to be aware of these and ensure our architectures and modules do not expose any of these well-defined and documented vulnerabilities.

Share/Bookmark

Subscribe to RSS feed

Recent Tweets

@benjaminws hey now i just told about the breakage. *redirects glare to @aaron_oliver* 2010/07/28
just got back from a family photo shoot with Lance Anderson. Joey looked so good! check out lance if you need photos http://bit.ly/ci0YXp 2010/07/28
really digging digg's continuous deploy workflow http://about.digg.com/blog/continuous-deployment-code-review-and-pre-tested-commits-digg4 2010/07/23
SWAGs are now consistently high for low-priority stories since i've grouped them. but that's ok. 2010/07/23
minimizing my backlog. keeping high priority stories granular, but trying to group together lower priority stories knowing they'll change. 2010/07/23

Mike's Blabberings

on software, testing, and the web.

CWE/SANS 25 Most Dangerous Programming Mistakes

Leave a Comment

Tags

Categories

Recent Posts

Archives

Recent Tweets