SANS 25

Summary

CWE/SANS TOP 25 Most Dangerous Software Errors is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. It presents detailed descriptions of the top 25 software errors along with authoritative guidance for mitigating and avoiding them. The version used in this section is CWE Top 25 2020.

Definitions

Definition	Requirements
SANS25-1. Out-of-bounds Write	157. Use the strict mode 345. Establish protections against overflows
SANS25-2. Improper neutralization of input during web page generation (cross-site scripting)	160. Encode system outputs 173. Discard unsafe inputs 029. Cookies with security attributes
SANS25-3. Improper neutralization of special elements used in an SQL command (SQL injection)	157. Use the strict mode 169. Use parameterized queries 173. Discard unsafe inputs 029. Cookies with security attributes
SANS25-4. User after free	157. Use the strict mode 158. Use a secure programming language 266. Disable insecure functionalities
SANS25-5. Improper neutralization of special elements used in an OS command (OS command injection)	158. Use a secure programming language 173. Discard unsafe inputs 265. Restrict access to critical processes 266. Disable insecure functionalities 342. Validate request parameters
SANS25-6. Improper input validation	164. Use optimized structures 173. Discard unsafe inputs 342. Validate request parameters
SANS25-7. Out-of-bounds read	157. Use the strict mode 158. Use a secure programming language 345. Establish protections against overflows
SANS25-8. Improper limitation of a pathname to a restricted directory (path traversal)	173. Discard unsafe inputs 280. Restrict service root directory 320. Avoid client-side control enforcement 342. Validate request parameters 381. Use of absolute paths
SANS25-9. Cross-site request forgery (CSRF)	174. Transactions without a distinguishable pattern 349. Include HTTP security headers 029. Cookies with security attributes
SANS25-10. Unrestricted upload of file with dangerous type	039. Define maximum file size 040. Compare file format and extension 041. Scan files for malicious code
SANS25-11. Missing authorization	341. Use the principle of deny by default 034. Manage user accounts 035. Manage privilege modifications 095. Define users with privileges 096. Set user's required privileges
SANS25-12. NULL pointer dereference	161. Define secure default options 266. Disable insecure functionalities 345. Establish protections against overflows 359. Avoid using generic exceptions 366. Associate type to variables 381. Use of absolute paths
SANS25-13. Improper authentication	114. Deny access with inactive credentials 122. Validate credential ownership 130. Limit password lifespan 138. Define lifespan for temporary passwords 140. Define OTP lifespan 153. Out of band transactions 227. Display access notification 229. Request access credentials 232. Require equipment identity 237. Ascertain human interaction 264. Request authentication 319. Make authentication options equally secure 335. Define out of band token lifespan 347. Invalidate previous OTPs 362. Assign MFA mechanisms to a single account 030. Avoid object reutilization
SANS25-14. Integer overflow or wraparound	345. Establish protections against overflows
SANS25-15. Deserialization of untrusted data	229. Request access credentials 321. Avoid deserializing untrusted data
SANS25-16. Improper neutralization of special elements used in a command (command injection)	172. Encrypt connection strings 173. Discard unsafe inputs 265. Restrict access to critical processes 344. Avoid dynamic code execution
SANS25-17. Improper restriction of operations within the bounds of a memory buffer	157. Use the strict mode 158. Use a secure programming language 164. Use optimized structures 266. Disable insecure functionalities 345. Establish protections against overflows
SANS25-18. Use of hard-coded credentials	126. Set a password regeneration mechanism 127. Store hashed passwords 134. Store passwords with salt 145. Protect system cryptographic keys 146. Remove cryptographic keys from RAM 181. Transmit data using secure protocols 185. Encrypt sensitive information 206. Configure communication protocols 224. Use secure cryptographic mechanisms 264. Request authentication 321. Avoid deserializing untrusted data 351. Assign unique keys to each device
SANS25-19. Server-side request forgery (SSRF)	173. Discard unsafe inputs 324. Control redirects 348. Use consistent encoding
SANS25-20. Missing authentication for critical function	229. Request access credentials 264. Request authentication 265. Restrict access to critical processes 328. Request MFA for critical systems
SANS25-21. Concurrent execution using shared resource with improper synchronization (Race condition)	264. Request authentication 337. Make critical logic flows thread safe 037. Parameters without sensitive data
SANS25-22. Improper Privilege Management	176. Restrict system objects 228. Authenticate using standard protocols 033. Restrict administrative access 095. Define users with privileges 096. Set user's required privileges
SANS25-23. Improper Control of Generation of Code ('Code Injection')	155. Application free of malicious code 159. Obfuscate code 164. Use optimized structures 173. Discard unsafe inputs 050. Control calls to interpreted code
SANS25-24. Incorrect Authorization	176. Restrict system objects 228. Authenticate using standard protocols 033. Restrict administrative access 095. Define users with privileges 096. Set user's required privileges
SANS25-25. Incorrect Default Permissions	142. Change system default credentials 161. Define secure default options

Last updated

2024/02/05