Below are the list of CWE released by SANS (Jun 27, 2011) to help eliminate the top 25 software errors.
The CWE Top 25
| Rank | ID | Name |
|---|---|---|
| 1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') |
| 3 | CWE-20 | Improper Input Validation |
| 4 | CWE-200 | Information Exposure |
| 5 | CWE-125 | Out-of-bounds Read |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') |
| 7 | CWE-416 | Use After Free |
| 8 | CWE-190 | Integer Overflow or Wraparound |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 10 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 11 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') |
| 12 | CWE-787 | Out-of-bounds Write |
| 13 | CWE-287 | Improper Authentication |
| 14 | CWE-476 | NULL Pointer Dereference |
| 15 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 16 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 17 | CWE-611 | Improper Restriction of XML External Entity Reference |
| 18 | CWE-94 | Improper Control of Generation of Code ('Code Injection') |
| 19 | CWE-798 | Use of Hard-coded Credentials |
| 20 | CWE-400 | Uncontrolled Resource Consumption |
| 21 | CWE-772 | Missing Release of Resource after Effective Lifetime |
| 22 | CWE-426 | Untrusted Search Path |
| 23 | CWE-502 | Deserialization of Untrusted Data |
| 24 | CWE-269 | Improper Privilege Management |
| 25 | CWE-295 | Improper Certificate Validation |
Links: