2009 CWE/SANS Top 25 Most Dangerous Programming Errors<br><a href="http://cwe.mitre.org/top25/#CWE-20">http://cwe.mitre.org/top25/#CWE-20</a><br><h3>Insecure Interaction Between Components</h3>
<p>These weaknesses are related to insecure ways in which data is sent
and received between separate components, modules, programs,
processes, threads, or systems.
</p>
<ul><li><a href="http://cwe.mitre.org/top25/#CWE-20">CWE-20</a>: Improper Input Validation </li><li><a href="http://cwe.mitre.org/top25/#CWE-116">CWE-116</a>: Improper Encoding or Escaping of Output </li><li><a href="http://cwe.mitre.org/top25/#CWE-89">CWE-89</a>: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
</li><li><a href="http://cwe.mitre.org/top25/#CWE-79">CWE-79</a>: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
</li><li><a href="http://cwe.mitre.org/top25/#CWE-78">CWE-78</a>: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
</li><li><a href="http://cwe.mitre.org/top25/#CWE-319">CWE-319</a>: Cleartext Transmission of Sensitive Information </li><li><a href="http://cwe.mitre.org/top25/#CWE-352">CWE-352</a>: Cross-Site Request Forgery (CSRF) </li>
<li><a href="http://cwe.mitre.org/top25/#CWE-362">CWE-362</a>: Race Condition </li><li><a href="http://cwe.mitre.org/top25/#CWE-209">CWE-209</a>: Error Message Information Leak </li></ul>
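<p>As an added example (not code from the CWE/SANS page), the following Python shows two of the "failure to preserve structure" weaknesses from this category side by side with their fixes: CWE-89, where concatenating user input into a query lets it rewrite the SQL, beside a parameterized query, and CWE-79/CWE-116, where a value dropped into HTML unencoded becomes markup, beside the escaped form. The users table, credentials and payloads are constructed for the demonstration; the database is an in-memory SQLite instance.</p>

```python
"""Added example: CWE-89 (SQL injection) and CWE-79/CWE-116 (output encoding).

Constructed data only; the in-memory database stands in for a real backend.
"""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table: two users, one of them an administrator."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, is_admin INTEGER)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", 1), ("bob", "hunter2", 0)],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # CWE-89: the input is spliced into the query text, so a quote character
    # in `name` ends the string literal and the rest is parsed as SQL.
    query = ("SELECT 1 FROM users WHERE name = '" + name
             + "' AND password = '" + password + "'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, name: str, password: str) -> bool:
    # Hardened: the query structure is fixed at the placeholders; the driver
    # binds the values separately, so they are only ever compared as data.
    query = "SELECT 1 FROM users WHERE name = ? AND password = ?"
    return conn.execute(query, (name, password)).fetchone() is not None


def greet_vulnerable(name: str) -> str:
    # CWE-79 / CWE-116: the value is inserted into the page verbatim, so
    # angle brackets and quotes in it change the page structure.
    return "<p>Welcome, " + name + "</p>"


def greet_escaped(name: str) -> str:
    # Hardened: encode for the HTML text context before insertion.
    return "<p>Welcome, " + html.escape(name, quote=True) + "</p>"


# Constructed attacker inputs: the first closes the string literal, adds a
# tautology and comments out the password check; the second is a script tag.
INJECTED_NAME = "' OR 1=1 --"
PAYLOAD_NAME = "<script>alert(1)</script>"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable login, injected name:", login_vulnerable(db, INJECTED_NAME, "x"))
    print("parameterized login, injected name:", login_parameterized(db, INJECTED_NAME, "x"))
    print(greet_vulnerable(PAYLOAD_NAME))
    print(greet_escaped(PAYLOAD_NAME))
```

The injected name succeeds against the concatenated query with any password, because the effective SQL becomes <code>WHERE name = '' OR 1=1 --...</code>; against the parameterized query the same string is simply a user name that does not exist. Note that escaping in <code>greet_escaped</code> is correct only for the HTML text and attribute contexts; a value placed inside a script block, a URL or a CSS rule needs the encoding for that context.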
<h3>Risky Resource Management</h3>
<p>The weaknesses in this category are related to ways in which software
does not properly manage the creation, usage, transfer, or destruction
of important system resources.
</p>
<ul><li><a href="http://cwe.mitre.org/top25/#CWE-119">CWE-119</a>: Failure to Constrain Operations within the Bounds of a Memory Buffer
</li><li><a href="http://cwe.mitre.org/top25/#CWE-642">CWE-642</a>: External Control of Critical State Data </li><li><a href="http://cwe.mitre.org/top25/#CWE-73">CWE-73</a>: External Control of File Name or Path </li><li>
<a href="http://cwe.mitre.org/top25/#CWE-426">CWE-426</a>: Untrusted Search Path </li><li><a href="http://cwe.mitre.org/top25/#CWE-94">CWE-94</a>: Failure to Control Generation of Code (aka 'Code Injection')
</li><li><a href="http://cwe.mitre.org/top25/#CWE-494">CWE-494</a>: Download of Code Without Integrity Check </li><li><a href="http://cwe.mitre.org/top25/#CWE-404">CWE-404</a>: Improper Resource Shutdown or Release </li>
<li><a href="http://cwe.mitre.org/top25/#CWE-665">CWE-665</a>: Improper Initialization </li><li><a href="http://cwe.mitre.org/top25/#CWE-682">CWE-682</a>: Incorrect Calculation </li></ul>
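<p>As an added example (not code from the CWE/SANS page), the following Python demonstrates two of the resource-management weaknesses above: CWE-73, where a caller-supplied file name appended to a base directory can walk out of it, beside a routine that resolves the path and requires it to remain under the base, and CWE-494, where downloaded code is used without an integrity check, beside a helper that compares a SHA-256 digest first. The directory tree, the "secret" file outside the base and the sample download bytes are all constructed in a temporary directory so the example runs offline.</p>

```python
"""Added example: CWE-73 (external control of file path) and CWE-494
(download of code without integrity check). All files are constructed."""
import hashlib
import hmac
import os
import tempfile


def read_vulnerable(base: str, user_path: str) -> bytes:
    # CWE-73: '..' segments escape `base`, and os.path.join drops `base`
    # entirely when `user_path` is absolute.
    with open(os.path.join(base, user_path), "rb") as fh:
        return fh.read()


def read_confined(base: str, user_path: str) -> bytes:
    # Hardened: resolve symlinks and '..' first, then require that the real
    # path still lies under the real base before opening anything.
    real_base = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(real_base, user_path))
    if os.path.commonpath([real_base, candidate]) != real_base:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    with open(candidate, "rb") as fh:
        return fh.read()


# Constructed stand-in for bytes fetched over the network and the digest the
# publisher advertised out of band.
SAMPLE_CODE = b"print('hello from a downloaded module')\n"
SAMPLE_DIGEST = hashlib.sha256(SAMPLE_CODE).hexdigest()


def fetch_checked(content: bytes, expected_sha256: str) -> bytes:
    # CWE-494 fix: refuse to use code whose digest does not match the
    # expected value. compare_digest keeps the comparison constant-time.
    digest = hashlib.sha256(content).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256):
        raise ValueError("integrity check failed: digest mismatch")
    return content


def demo() -> dict:
    """Build a constructed tree: <root>/public/docs/readme.txt served from
    base=<root>/public, and <root>/secret.txt outside the base."""
    root = tempfile.mkdtemp()
    base = os.path.join(root, "public")
    os.makedirs(os.path.join(base, "docs"))
    with open(os.path.join(base, "docs", "readme.txt"), "wb") as fh:
        fh.write(b"hello")
    with open(os.path.join(root, "secret.txt"), "wb") as fh:
        fh.write(b"TOP SECRET")

    results = {}
    results["vuln_traversal"] = read_vulnerable(base, "../secret.txt")
    results["confined_ok"] = read_confined(base, "docs/readme.txt")
    try:
        read_confined(base, "../secret.txt")
        results["confined_traversal"] = "allowed"
    except PermissionError:
        results["confined_traversal"] = "blocked"

    # A symlink planted inside the base that points outside it: realpath
    # follows it, so the containment check still rejects the read.
    try:
        os.symlink(os.path.join(root, "secret.txt"), os.path.join(base, "link.txt"))
        try:
            read_confined(base, "link.txt")
            results["confined_symlink"] = "allowed"
        except PermissionError:
            results["confined_symlink"] = "blocked"
    except OSError:
        results["confined_symlink"] = "skipped"  # symlinks unavailable here

    results["integrity_ok"] = fetch_checked(SAMPLE_CODE, SAMPLE_DIGEST) == SAMPLE_CODE
    try:
        fetch_checked(SAMPLE_CODE + b"import os; os.system('id')\n", SAMPLE_DIGEST)
        results["integrity_tampered"] = "accepted"
    except ValueError:
        results["integrity_tampered"] = "rejected"
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The containment check must run on the resolved path, not the string the caller supplied: a pattern such as rejecting names that contain <code>..</code> misses symlinks, absolute paths and encoding variants, whereas <code>realpath</code> plus <code>commonpath</code> decides on where the file actually is. For CWE-494 a hash pinned in the downloading program verifies integrity but not authorship; where the publisher signs releases, verify the signature rather than relying on a digest obtained over the same channel as the download.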
<h3>Porous Defenses</h3>
<p>The weaknesses in this category are related to defensive techniques
that are often misused, abused, or just plain ignored.
</p>
<ul><li><a href="http://cwe.mitre.org/top25/#CWE-285">CWE-285</a>: Improper Access Control (Authorization) </li><li><a href="http://cwe.mitre.org/top25/#CWE-327">CWE-327</a>: Use of a Broken or Risky Cryptographic Algorithm
</li><li><a href="http://cwe.mitre.org/top25/#CWE-259">CWE-259</a>: Hard-Coded Password </li><li><a href="http://cwe.mitre.org/top25/#CWE-732">CWE-732</a>: Insecure Permission Assignment for Critical Resource
</li><li><a href="http://cwe.mitre.org/top25/#CWE-330">CWE-330</a>: Use of Insufficiently Random Values </li><li><a href="http://cwe.mitre.org/top25/#CWE-250">CWE-250</a>: Execution with Unnecessary Privileges </li><li><a href="http://cwe.mitre.org/top25/#CWE-602">CWE-602</a>: Client-Side Enforcement of Server-Side Security
</li></ul>
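<p>As an added example (not code from the CWE/SANS page), the following Python shows two of the porous-defense weaknesses above with their fixes: CWE-330, a session token drawn from the non-cryptographic <code>random</code> generator seeded with a guessable value, which an attacker recovers by trying the small seed space, beside a token from the operating system CSPRNG via <code>secrets</code>; and CWE-327, passwords stored as unsalted MD5 beside a salted PBKDF2-HMAC-SHA256 record verified with a constant-time comparison. The seed range, passwords and record format are constructed for the demonstration.</p>

```python
"""Added example: CWE-330 (insufficiently random values) and CWE-327
(broken or risky cryptographic algorithm). Constructed values only."""
import hashlib
import hmac
import os
import random
import secrets
from typing import Optional


def token_predictable(seed: int) -> str:
    # CWE-330: random.Random is a Mersenne Twister, not a CSPRNG. Seeding it
    # with a timestamp, pid or counter makes every token reproducible by
    # anyone who can guess the seed.
    rng = random.Random(seed)
    return "%032x" % rng.getrandbits(128)


def token_secure() -> str:
    # Hardened: 32 bytes (256 bits) from the OS CSPRNG.
    return secrets.token_hex(32)


def attacker_recovers_seed(observed: str, seed_range: range) -> Optional[int]:
    # The attack: regenerate tokens for each plausible seed (e.g. the
    # timestamps around when the session was issued) until one matches.
    for seed in seed_range:
        if token_predictable(seed) == observed:
            return seed
    return None


def hash_md5_unsalted(password: str) -> str:
    # CWE-327: a fast, unsalted digest. Equal passwords produce equal hashes
    # and precomputed tables apply across all users.
    return hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2(password: str, salt: Optional[bytes] = None, iterations: int = 100_000) -> str:
    # Hardened: per-user random salt, deliberately slow iterated KDF, and a
    # self-describing record so parameters can be raised later.
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_pbkdf2(password: str, record: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    # Constant-time comparison so timing does not reveal how many leading
    # bytes of the candidate digest were correct.
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    # Constructed scenario: the server seeded `random` with a Unix timestamp
    # and the attacker knows the session was issued within a 100-second window.
    issued_at = 1_700_000_042
    observed = token_predictable(issued_at)
    print("recovered seed:", attacker_recovers_seed(observed, range(1_700_000_000, 1_700_000_100)))
    print("secure tokens differ:", token_secure() != token_secure())
    rec = hash_pbkdf2("hunter2")
    print("md5 collides across users:", hash_md5_unsalted("hunter2") == hash_md5_unsalted("hunter2"))
    print("pbkdf2 verify:", verify_pbkdf2("hunter2", rec), verify_pbkdf2("hunter3", rec))
```

The recovered seed is the whole point of CWE-330: once an attacker has one token and a rough idea of when it was issued, every other token from that generator follows. The PBKDF2 record deliberately differs between two hashes of the same password because of the salt, which is what defeats the shared precomputed tables that work against the MD5 version.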