The SANS Top 25 Most Dangerous Software Errors lists the most dangerous and most common errors made in software development. Like the OWASP Top Ten, it gives developers a head start on which weaknesses to look for first.
The SANS Top 25 is grouped into three major categories – insecure interaction between components, risky resource management and porous defences. It is a more granular list than the OWASP Top Ten, but it is also an older one.
Insecure Interaction Between Components
- Improper Neutralisation of special elements in a SQL command
- Improper Neutralisation of special elements in an OS command
- Improper Neutralisation of input during Web Page Generation
- Unrestricted upload of file with dangerous type
- Cross-site request forgery
- URL redirection to untrusted site
Risky Resource Management
- Buffer Copy without checking size of input
- Improper Limitation of a pathname to a restricted directory
- Download of code without integrity check
- Inclusion of functionality from untrusted control sphere
- Use of potentially dangerous function
- Incorrect calculation of buffer size
- Uncontrolled format string
- Integer overflow or wraparound
Porous Defences
- Missing Authentication for critical function
- Missing Authorisation
- Use of hard-coded credentials
- Missing encryption of sensitive data
- Reliance on untrusted inputs in a security decision
- Execution with unnecessary privileges
- Incorrect Authorisation
- Incorrect Permission Assignment for critical resource
- Use of broken or risky cryptographic algorithm
- Improper restriction of excessive authentication attempts
- Use of a one-way hash without a salt