Sans Institute, the largest information security firm in association with software and security giants including Microsoft, Symantec, McAfee, published a hot 25 programming errors under three categories:
- Insecure interaction between components (9)
- Risky resource management (9)
- Porous defenses (7)
Insecure interaction between components
- CWE-20: Improper Input Validation
- CWE-116: Improper Encoding or Escaping of Output
- CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
- CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
- CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
- CWE-319: Cleartext Transmission of Sensitive Information
- CWE-352: Cross-Site Request Forgery (CSRF)
- CWE-362: Race Condition
- CWE-209: Error Message Information Leak
Risky resource management
- CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642: External Control of Critical State Data
- CWE-73: External Control of File Name or Path
- CWE-426: Untrusted Search Path
- CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
- CWE-494: Download of Code Without Integrity Check
- CWE-404: Improper Resource Shutdown or Release
- CWE-665: Improper Initialization
- CWE-682: Incorrect Calculation
Porous defenses
- CWE-285: Improper Access Control (Authorization)
- CWE-259: Hard-Coded Password
- CWE-732: Insecure Permission Assignment for Critical Resource
- CWE-330: Use of Insufficiently Random Values
- CWE-250: Execution with Unnecessary Privileges
- CWE-602: Client-Side Enforcement of Server-Side Security
Our responsibility is to literate these top 25 errors to your colleagues, friends and follow these guidelines during your product development.
More details about the list, visit here.
