[development] 2009 CWE/SANS Top 25 Most Dangerous Programming Errors
Darly Coupet
darlycoupet at gmail.com
Mon Jan 12 21:39:56 UTC 2009
2009 CWE/SANS Top 25 Most Dangerous Programming Errors
http://cwe.mitre.org/top25/#CWE-20
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and
received between separate components, modules, programs, processes, threads,
or systems.
- CWE-20 <http://cwe.mitre.org/top25/#CWE-20>: Improper Input Validation
- CWE-116 <http://cwe.mitre.org/top25/#CWE-116>: Improper Encoding or Escaping of Output
- CWE-89 <http://cwe.mitre.org/top25/#CWE-89>: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
- CWE-79 <http://cwe.mitre.org/top25/#CWE-79>: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
- CWE-78 <http://cwe.mitre.org/top25/#CWE-78>: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
- CWE-319 <http://cwe.mitre.org/top25/#CWE-319>: Cleartext Transmission of Sensitive Information
- CWE-352 <http://cwe.mitre.org/top25/#CWE-352>: Cross-Site Request Forgery (CSRF)
- CWE-362 <http://cwe.mitre.org/top25/#CWE-362>: Race Condition
- CWE-209 <http://cwe.mitre.org/top25/#CWE-209>: Error Message Information Leak
Risky Resource Management
The weaknesses in this category are related to ways in which software does
not properly manage the creation, usage, transfer, or destruction of
important system resources.
- CWE-119 <http://cwe.mitre.org/top25/#CWE-119>: Failure to Constrain Operations within the Bounds of a Memory Buffer
- CWE-642 <http://cwe.mitre.org/top25/#CWE-642>: External Control of Critical State Data
- CWE-73 <http://cwe.mitre.org/top25/#CWE-73>: External Control of File Name or Path
- CWE-426 <http://cwe.mitre.org/top25/#CWE-426>: Untrusted Search Path
- CWE-94 <http://cwe.mitre.org/top25/#CWE-94>: Failure to Control Generation of Code (aka 'Code Injection')
- CWE-494 <http://cwe.mitre.org/top25/#CWE-494>: Download of Code Without Integrity Check
- CWE-404 <http://cwe.mitre.org/top25/#CWE-404>: Improper Resource Shutdown or Release
- CWE-665 <http://cwe.mitre.org/top25/#CWE-665>: Improper Initialization
- CWE-682 <http://cwe.mitre.org/top25/#CWE-682>: Incorrect Calculation
Porous Defenses
The weaknesses in this category are related to defensive techniques that are
often misused, abused, or just plain ignored.
- CWE-285 <http://cwe.mitre.org/top25/#CWE-285>: Improper Access Control (Authorization)
- CWE-327 <http://cwe.mitre.org/top25/#CWE-327>: Use of a Broken or Risky Cryptographic Algorithm
- CWE-259 <http://cwe.mitre.org/top25/#CWE-259>: Hard-Coded Password
- CWE-732 <http://cwe.mitre.org/top25/#CWE-732>: Insecure Permission Assignment for Critical Resource
- CWE-330 <http://cwe.mitre.org/top25/#CWE-330>: Use of Insufficiently Random Values
- CWE-250 <http://cwe.mitre.org/top25/#CWE-250>: Execution with Unnecessary Privileges
- CWE-602 <http://cwe.mitre.org/top25/#CWE-602>: Client-Side Enforcement of Server-Side Security
Darly