Top 25 Software Errors (CWE) and Resources for Mitigation
The article presents the CWE Top 25 software errors, detailing each weakness with its ID and description, and provides links to MITRE entries, remediation guidance, and various SANS training resources aimed at helping developers mitigate these common vulnerabilities.
Clicking any CWE ID in the list will take you to the corresponding entry on the MITRE CWE site, where you can find ranking, full entry data, vulnerability prevalence and consequence fields, remediation cost, discoverability, code examples, detection methods, attack frequency and attacker awareness, related CWE entries, and associated attack patterns.
Each of the Top 25 software error entries also includes extensive prevention and remediation steps that developers can follow to mitigate or eliminate the weakness.
CWE Top 25

Rank  ID       Name
1     CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer
2     CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3     CWE-20   Improper Input Validation
4     CWE-200  Information Exposure
5     CWE-125  Out-of-bounds Read
6     CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7     CWE-416  Use After Free
8     CWE-190  Integer Overflow or Wraparound
9     CWE-352  Cross-Site Request Forgery (CSRF)
10    CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
11    CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
12    CWE-787  Out-of-bounds Write
13    CWE-287  Improper Authentication
14    CWE-476  NULL Pointer Dereference
15    CWE-732  Incorrect Permission Assignment for Critical Resource
16    CWE-434  Unrestricted Upload of File with Dangerous Type
17    CWE-611  Improper Restriction of XML External Entity Reference
18    CWE-94   Improper Control of Generation of Code ('Code Injection')
19    CWE-798  Use of Hard-coded Credentials
20    CWE-400  Uncontrolled Resource Consumption
21    CWE-772  Missing Release of Resource after Effective Lifetime
22    CWE-426  Untrusted Search Path
23    CWE-502  Deserialization of Untrusted Data
24    CWE-269  Improper Privilege Management
25    CWE-295  Improper Certificate Validation
Resources to Help Eliminate the Top 25 Software Errors
SANS Application Security Courses
The SANS Application Security curriculum provides world-class education for designing, developing, procuring, deploying, and managing secure software. Courses such as DEV522 (Protecting Web Application Security Essentials), DEV534 (Secure DevOps: A Practical Introduction), and DEV540 (Secure DevOps & Cloud Application Security) cover concepts applicable to your software security program from day one.
SANS also maintains an Application Security Talent Assessment that measures secure coding skills, helping programmers identify knowledge gaps and enabling buyers to verify that outsourced developers possess adequate secure coding abilities. The assessment is available at https://www.sans.org/cybertalent/assessment-detail?msc=top25hp#appsec.
Developer Security Awareness Training
SANS offers precise software security awareness training that can be delivered on-demand at the developer's desk. The training consists of more than 30 modules, each 7-10 minutes long, covering the full breadth and depth of PCI DSS 6.5 compliance topics and essential secure software development practices.
Regular Updates of the Top 25 List
The CWE Top 25 Software Errors site, maintained by MITRE with support from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, provides detailed descriptions of the top 25 weaknesses and authoritative guidance for mitigation. The site also contains data on over 700 additional software, design, and architecture errors that may lead to exploitable vulnerabilities.
SAFECode Publications
The Software Assurance Forum for Excellence in Code (SAFECode), with members such as EMC, Juniper, Microsoft, Nokia, SAP, and Symantec, has published two books outlining industry best practices for software assurance and offering practical advice for implementing verified secure software development methods.
Software Assurance Community Resources and DHS Site
As part of DHS risk mitigation efforts, the Software Assurance Program aims to reduce software vulnerabilities, limit exploitability, and provide predictable processes for acquiring, developing, and deploying reliable, trustworthy software while enhancing diagnostic capabilities to analyze systems for exploitable weaknesses.
Original source: https://www.sans.org/top25-software-errors/
Article: http://jiagoushi.pro/node/1078