The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most significant programming errors that can lead to serious software vulnerabilities. It is compiled by the SANS Institute, MITRE, and top software security experts in the US and Europe.

Existing CERT Java guidelines reference relevant Common Weakness Enumeration (CWE) IDs via labels. The tables on this page identify the secure coding guidelines for the Java language that must be enforced to mitigate each CWE in the Top 25 Most Dangerous Programming Errors. In some cases there are no corresponding guidelines, either because the described issue is beyond the scope of these secure coding standards, because it applies to a different programming language, or because it addresses other elements of secure programming that cannot be adequately addressed by a secure coding standard.


Insecure Interaction Between Components

These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

| CWE | CERT Java Guidelines |
|-----|----------------------|
| CWE-79: Failure to Preserve Web Page Structure ('Cross-site Scripting') | |
| CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection') | |
| CWE-352: Cross-Site Request Forgery (CSRF) | n/a |
| CWE-434: Unrestricted Upload of File with Dangerous Type | n/a |
| CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection') | |
| CWE-209: Error Message Information Leak | |
| CWE-601: URL Redirection to Untrusted Site ('Open Redirect') | n/a |
| CWE-362: Race Condition | |

Risky Resource Management

The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

| CWE | CERT Java Guidelines |
|-----|----------------------|
| CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') | n/a |
| CWE-22: Improper Limitation of a Path name to a Restricted Directory ('Path Traversal') | n/a |
| CWE-98: Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') | n/a |
| CWE-805: Buffer Access with Incorrect Length Value | n/a |
| CWE-754: Improper Check for Unusual or Exceptional Conditions | |
| CWE-129: Improper Validation of Array Index | n/a |
| CWE-190: Integer Overflow or Wraparound | |
| CWE-131: Incorrect Calculation of Buffer Size | n/a |
| CWE-494: Download of Code Without Integrity Check | |
| CWE-770: Allocation of Resources Without Limits or Throttling | |

Porous Defenses

The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

| CWE | CERT Java Guidelines |
|-----|----------------------|
| CWE-285: Improper Access Control (Authorization) | |
| CWE-807: Reliance on Untrusted Inputs in a Security Decision | |
| CWE-311: Missing Encryption of Sensitive Data | |
| CWE-798: Use of Hard-coded Credentials | |
| CWE-306: Missing Authentication for Critical Function | |
| CWE-732: Insecure Permission Assignment for Critical Resource | |
| CWE-327: Use of a Broken or Risky Cryptographic Algorithm | |

Other Languages

A mapping between the CERT C Secure Coding Standard and the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is available.

A mapping between the CERT C++ Secure Coding Standard and the 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is available.

References

2010 CWE/SANS Top 25 Most Dangerous Programming Errors
Common Weakness Enumeration