Most Dangerous Programming Errors
Here are the top 25 most dangerous programming errors divided into three categories:
Insecure Interaction Between Components
- Improper Input Validation
- Improper Encoding or Escaping of Output
- Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
- Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
- Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
- Cleartext Transmission of Sensitive Information
- Cross-Site Request Forgery (CSRF)
- Race Condition
- Error Message Information Leak
Risky Resource Management
- Failure to Constrain Operations within the Bounds of a Memory Buffer
- External Control of Critical State Data
- External Control of File Name or Path
- Untrusted Search Path
- Failure to Control Generation of Code (aka ‘Code Injection’)
- Download of Code Without Integrity Check
- Improper Resource Shutdown or Release
- Improper Initialization
- Incorrect Calculation
Porous Defenses
- Improper Access Control (Authorization)
- Use of a Broken or Risky Cryptographic Algorithm
- Hard-Coded Password
- Insecure Permission Assignment for Critical Resource
- Use of Insufficiently Random Values
- Execution with Unnecessary Privileges
- Client-Side Enforcement of Server-Side Security
Read about these errors in detail at the SANS Institute.