2011 CWE/SANS top 25 most dangerous software errors
SANS and MITRE have released the CWE/SANS Top 25 Most Dangerous Software Errors list for 2011.
The list was compiled with the help of a large number of security experts from a range of security firms and organizations, together with the cyber security divisions of the NSA and DHS.
The list reads as follows:
1. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) – CWE-89
2. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) – CWE-78
3. Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) – CWE-120
4. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) – CWE-79
5. Missing Authentication for Critical Function – CWE-306
6. Missing Authorization – CWE-862
7. Use of Hard-coded Credentials – CWE-798
8. Missing Encryption of Sensitive Data – CWE-311
9. Unrestricted Upload of File with Dangerous Type – CWE-434
10. Reliance on Untrusted Inputs in a Security Decision – CWE-807
11. Execution with Unnecessary Privileges – CWE-250
12. Cross-Site Request Forgery (CSRF) – CWE-352
13. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) – CWE-22
14. Download of Code Without Integrity Check – CWE-494
15. Incorrect Authorization – CWE-863
16. Inclusion of Functionality from Untrusted Control Sphere – CWE-829
17. Incorrect Permission Assignment for Critical Resource – CWE-732
18. Use of Potentially Dangerous Function – CWE-676
19. Use of a Broken or Risky Cryptographic Algorithm – CWE-327
20. Incorrect Calculation of Buffer Size – CWE-131
21. Improper Restriction of Excessive Authentication Attempts – CWE-307
22. URL Redirection to Untrusted Site (‘Open Redirect’) – CWE-601
23. Uncontrolled Format String – CWE-134
24. Integer Overflow or Wraparound – CWE-190
25. Use of a One-Way Hash without a Salt – CWE-759
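To make the top entry concrete, here is a short added illustration of CWE-89 (SQL Injection) that is not part of the SANS/MITRE list or its PDF. It uses Python's built-in sqlite3 module with a constructed in-memory users table and a hypothetical login check, shown first in the vulnerable string-built form and then with bound parameters; the user names, passwords and function names are all assumptions made for the demonstration.

```python
import sqlite3

# Constructed sample data for this demonstration; not from the original page.
SAMPLE_USERS = [("alice", "hunter2"), ("bob", "s3cret")]


def make_db():
    """Return an in-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """CWE-89: untrusted input is spliced straight into the SQL text.

    With password = "' OR '1'='1" the statement becomes
    ... WHERE name = 'alice' AND password = '' OR '1'='1'
    which matches every row, so the check passes without a password.
    """
    query = ("SELECT COUNT(*) FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    (count,) = conn.execute(query).fetchone()
    return count > 0


def login_safe(conn, name, password):
    """Same check with bound parameters: the input is data, never SQL."""
    query = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    (count,) = conn.execute(query, (name, password)).fetchone()
    return count > 0


def demo():
    """Run both variants against the classic tautology payload."""
    conn = make_db()
    payload = "' OR '1'='1"
    return {
        "vulnerable_bypassed": login_vulnerable(conn, "alice", payload),
        "safe_rejects_payload": not login_safe(conn, "alice", payload),
        "safe_accepts_real": login_safe(conn, "alice", "hunter2"),
    }


if __name__ == "__main__":
    print(demo())
```

Running the script prints a dictionary in which all three values are True: the string-built query is bypassed by the payload, while the parameterized query rejects the payload and still accepts the real password. The same pattern (keep query text constant, pass untrusted values as parameters) is what CWE-89 recommends regardless of database driver.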
For more details, download the PDF file.