Top 25 software errors

The SANS top 25 software errors lists the most dangerous errors in software development. Like the OWASP top ten, it gives developers a head start on which weaknesses to address first.

The SANS top 25 is grouped into three major categories – insecure interaction between components, risky resource management and porous defences. It is a more granular list than the OWASP top ten, but it is also an older list.

Insecure Interaction Between Components

  1. Improper Neutralisation of special elements in a SQL command
  2. Improper Neutralisation of special elements in an OS command
  3. Improper Neutralisation of input during Web Page Generation
  4. Unrestricted upload of file with dangerous type
  5. Cross-site request forgery
  6. URL redirection to untrusted site


Risky Resource Management

  1. Buffer Copy without checking size of input
  2. Improper Limitation of a pathname to a restricted directory
  3. Download of code without integrity check
  4. Inclusion of functionality from untrusted control sphere
  5. Use of potentially dangerous function
  6. Incorrect calculation of buffer size
  7. Uncontrolled format string
  8. Integer overflow or wraparound


Porous defences

  1. Missing Authentication for critical function
  2. Missing Authorisation
  3. Use of hard-coded credentials
  4. Missing encryption of sensitive data
  5. Reliance on untrusted inputs in a security decision
  6. Execution with unnecessary privileges
  7. Incorrect Authorisation
  8. Incorrect Permission Assignment for critical resource
  9. Use of broken or risky cryptographic algorithm
  10. Improper restriction of excessive authentication attempts
  11. Use of a one-way hash without a salt
