Description

What is CWE/SANS Top 25?

CWE/SANS Top 25 is a set of 25 rules classified in 3 categories, relative to most dangerous programming errors.

• Insecure Interaction Between Components (8 errors)
• Risky Resource Management (10 errors)
• Porous Defenses (7 errors)

Classification

Global risk of each vulnerability is based on qualitative indicators:

• Weakness Prevalence: the term prevalence has been borrowed from the epidemiological field. In a nutshell, it represents the total number of cases in the total number of attacks at a given time.
• Remediation Cost: the amount of effort required to fix the weakness.
• Attack Frequency: how often the weakness occurs in vulnerabilities that are exploited by an attacker.
• Consequences: potential impacts of the attack (e.g. data loss, session theft, denial of access, ...)
• Ease of Detection: how easy it is for an attacker to find this weakness.
• Attacker Awareness: the likelihood that an attacker is going to be aware of this particular weakness, methods for detection, and methods for exploitation.

Classification

Insecure Interaction Between Components

• CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting')
• CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-434: Unrestricted Upload of File with Dangerous Type
• CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
• CWE-209: Information Exposure Through an Error Message
• CWE-601: URL Redirection to Untrusted Site ('Open Redirect')
• CWE-362: Race Condition

Risky Resource Management

• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
• CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
• CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
• CWE-805: Buffer Access with Incorrect Length Value
• CWE-754: Improper Check for Unusual or Exceptional Conditions
• CWE-129: Improper Validation of Array Index
• CWE-190: Integer Overflow or Wraparound
• CWE-131: Incorrect Calculation of Buffer Size
• CWE-494: Download of Code Without Integrity Check
• CWE-770: Allocation of Resources Without Limits or Throttling

Porous Defenses

• CWE-285: Improper Access Control (Authorization)
• CWE-807: Reliance on Untrusted Inputs in a Security Decision
• CWE-311: Missing Encryption of Sensitive Data
• CWE-798: Use of Hard-coded Credentials
• CWE-306: Missing Authentication for Critical Function
• CWE-732: Incorrect Permission Assignment for Critical Resource
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm

Comments

Talk:CWE-SANS-Top-25