MichaelvdV@Atos

The top 25 most dangerous software errors

Blog Post created by MichaelvdV@Atos on Jul 8, 2011

MITRE released the 2011 'Top 25 most dangerous software errors'. You can find it on the CWE website.


While it is a very long document, and it looks a bit intimidating, it is actually a very good read (well, maybe not all of it, but it is very interesting to browse through). They offer a lot of in-depth information with code samples. I think this is a must-read for people who develop software in critical environments (that's us...). The list offers information about the severity, attack frequency, consequences, etc.


Here's a summary of the top 25 most dangerous software errors (rank, score, CWE ID and name), with links to sections in the article:

Rank  Score  CWE ID   Name
[01]  93.8   CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
[02]  83.3   CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
[03]  79.0   CWE-120  Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
[04]  77.7   CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
[05]  76.9   CWE-306  Missing Authentication for Critical Function
[06]  76.8   CWE-862  Missing Authorization
[07]  75.0   CWE-798  Use of Hard-coded Credentials
[08]  75.0   CWE-311  Missing Encryption of Sensitive Data
[09]  74.0   CWE-434  Unrestricted Upload of File with Dangerous Type
[10]  73.8   CWE-807  Reliance on Untrusted Inputs in a Security Decision
[11]  73.1   CWE-250  Execution with Unnecessary Privileges
[12]  70.1   CWE-352  Cross-Site Request Forgery (CSRF)
[13]  69.3   CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
[14]  68.5   CWE-494  Download of Code Without Integrity Check
[15]  67.8   CWE-863  Incorrect Authorization
[16]  66.0   CWE-829  Inclusion of Functionality from Untrusted Control Sphere
[17]  65.5   CWE-732  Incorrect Permission Assignment for Critical Resource
[18]  64.6   CWE-676  Use of Potentially Dangerous Function
[19]  64.1   CWE-327  Use of a Broken or Risky Cryptographic Algorithm
[20]  62.4   CWE-131  Incorrect Calculation of Buffer Size
[21]  61.5   CWE-307  Improper Restriction of Excessive Authentication Attempts
[22]  61.1   CWE-601  URL Redirection to Untrusted Site ('Open Redirect')
[23]  61.0   CWE-134  Uncontrolled Format String
[24]  60.3   CWE-190  Integer Overflow or Wraparound
[25]  59.9   CWE-759  Use of a One-Way Hash without a Salt
