This week, we’ll take a look at the recently published CWE Top 25 Most Dangerous Programming Errors. Since the Top 25 are broken into three main categories, it makes sense to address the list in three separate segments. But first, let’s review what the CWE Top 25 is and its importance.
The CWE Top 25 Most Dangerous Programming Errors was developed in late 2008 by over 30 industry experts in collaboration with SANS and Mitre to highlight the dangerous and common programming errors affecting today’s applications.
Although this list does not directly address web-based programming errors, it certainly applies to today’s most commonly abused web application security flaws.
Over the next 3 installments of this article, we will discuss the common assessment and remediation points of the entire list, and how your organization can defend against them. You may be surprised to find that the majority of these issues come down to lazy programming, and an overall lack of knowledge of basic HTML concepts.
We will discuss the specifics of each of the Top 25 and give specific examples of poorly-coded web apps that lead to these exposures, as well as the simple methods of remediation. We will also reference numerous external sources to help you with identifying where these principles of secure coding can be introduced into your organization’s SDLC.
The Top 25
Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
* CWE-20: Improper Input Validation
* CWE-116: Improper Encoding or Escaping of Output
* CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
* CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
* CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
* CWE-319: Cleartext Transmission of Sensitive Information
* CWE-352: Cross-Site Request Forgery (CSRF)
* CWE-362: Race Condition
* CWE-209: Error Message Information Leak
Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
* CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
* CWE-642: External Control of Critical State Data
* CWE-73: External Control of File Name or Path
* CWE-426: Untrusted Search Path
* CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
* CWE-494: Download of Code Without Integrity Check
* CWE-404: Improper Resource Shutdown or Release
* CWE-665: Improper Initialization
* CWE-682: Incorrect Calculation
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.
* CWE-285: Improper Access Control (Authorization)
* CWE-327: Use of a Broken or Risky Cryptographic Algorithm
* CWE-259: Hard-Coded Password
* CWE-732: Insecure Permission Assignment for Critical Resource
* CWE-330: Use of Insufficiently Random Values
* CWE-250: Execution with Unnecessary Privileges
* CWE-602: Client-Side Enforcement of Server-Side Security