The Top 25 Most Dangerous Software Errors, often referred to as the CWE (Common Weakness Enumeration) Top 25, is a list compiled by security experts to highlight the most critical and prevalent vulnerabilities in software development. These errors can lead to serious security issues, including unauthorized access, data breaches, and system compromises.
Here is the CWE Top 25 (2024 update), ordered by severity, exploitability and impact, with countermeasures and mitigations for each entry:
| CWE ID | Name | Countermeasures and Mitigations |
|---|---|---|
| CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | Escape special characters, validate inputs, and use a Content Security Policy (CSP). |
| CWE-787 | Out-of-bounds Write | Perform bounds checking, use memory-safe languages, and employ static analysis tools. |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | Use parameterized queries, prepared statements, and ORM frameworks. |
| CWE-352 | Cross-Site Request Forgery (CSRF) | Use anti-CSRF tokens, validate request origins, and implement same-site cookies. |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | Sanitize file paths, validate user inputs, and enforce directory traversal protections. |
| CWE-125 | Out-of-bounds Read | Perform bounds checking and handle exceptions properly. |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | Validate inputs, use secure APIs for command execution, and escape special characters. |
| CWE-416 | Use After Free | Implement robust memory management practices to avoid dangling pointers. |
| CWE-862 | Missing Authorization | Enforce role-based access control (RBAC) and validate permissions. |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | Validate file uploads, restrict allowed file types, and use secure storage. |
| CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | Validate and sanitize inputs before code generation. |
| CWE-20 | Improper Input Validation | Use strict input validation techniques and reject malformed data. |
| CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | Escape special characters and validate command inputs thoroughly. |
| CWE-287 | Improper Authentication | Enforce strong authentication mechanisms like multi-factor authentication (MFA). |
| CWE-269 | Improper Privilege Management | Adhere to the principle of least privilege and enforce privilege separation. |
| CWE-502 | Deserialization of Untrusted Data | Sanitize and validate all serialized data inputs. |
| CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | Implement secure data handling practices and enforce data access policies. |
| CWE-863 | Incorrect Authorization | Validate permissions for all critical resources and enforce access control policies. |
| CWE-918 | Server-Side Request Forgery (SSRF) | Validate and restrict external resource access requests. |
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | Use memory-safe languages and ensure robust buffer management. |
| CWE-476 | NULL Pointer Dereference | Check for null references before dereferencing pointers. |
| CWE-798 | Use of Hard-coded Credentials | Avoid using hard-coded credentials and implement secure storage solutions. |
| CWE-190 | Integer Overflow or Wraparound | Validate arithmetic operations to prevent overflows or wraparounds. |
| CWE-400 | Uncontrolled Resource Consumption | Monitor and limit resource consumption to prevent denial-of-service (DoS) attacks. |
| CWE-306 | Missing Authentication for Critical Function | Enforce authentication for all critical functions. |
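As an added worked example for the CWE-22 row (this is not code from the page or from MITRE), the Python below implements the "enforce directory traversal protections" mitigation: it canonicalises the joined path before testing containment by path components, and contrasts it with the string-prefix check that is often written instead and wrongly accepts a sibling directory. The base directory `/srv/app/uploads` is an assumed, constructed value.

```python
import os
from pathlib import Path
from typing import Optional

# Constructed example value: the only directory user-supplied names may address.
BASE_DIR = Path("/srv/app/uploads")


def resolve_under_base(user_path: str, base: Path = BASE_DIR) -> Optional[Path]:
    """Return the canonical path for user_path if it stays inside base, else None.

    CWE-22 guard: the containment test runs on the fully resolved path, so
    '..' segments, absolute inputs and symlink escapes are all caught, and it
    compares whole path components, so /srv/app/uploads_old is not mistaken
    for a child of /srv/app/uploads.
    """
    if not user_path or "\x00" in user_path:
        return None  # reject empty names and embedded NUL bytes outright
    base_resolved = base.resolve()
    # Join first, then canonicalise. pathlib discards base when user_path is
    # absolute, which is exactly why the check must happen after resolve().
    candidate = (base_resolved / user_path).resolve()
    if not candidate.is_relative_to(base_resolved):  # component-wise, Python 3.9+
        return None
    return candidate


def naive_prefix_check(user_path: str, base: Path = BASE_DIR) -> bool:
    """The common *incorrect* check: a string prefix test on the resolved path.

    Returns True for '../uploads_old/x.txt', which lies outside base but shares
    its textual prefix. Shown only to make the defect visible.
    """
    candidate = os.path.realpath(os.path.join(base, user_path))
    return candidate.startswith(str(base))


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and three traversal attempts.
    for name in ("reports/q1.pdf", "../../etc/passwd", "/etc/passwd", "../uploads_old/x.txt"):
        print(f"{name!r:28} safe={resolve_under_base(name)}  naive={naive_prefix_check(name)}")
```

The `naive_prefix_check` result for `../uploads_old/x.txt` is the case to look for in code review: a `startswith` guard without a trailing separator, or applied before canonicalisation, is not a traversal protection.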
Reference: https://cwe.mitre.org/