Ilias Tsagklis

About Ilias Tsagklis

Ilias Tsagklis is a senior software engineer working in the telecom domain. He is an applications developer in a wide variety of applications/services. Ilias is co-founder and Executive Editor at Java Code Geeks.

Top 25 Most Dangerous Software Errors – 2011

The Common Weakness Enumeration (CWE) is a community developed dictionary for software weaknesses. It provides a unified, measurable set of software weaknesses that is enabling more effective discussion, description, selection, and use of software security tools and services that can find these weaknesses in source code and operational systems as well as better understanding and management of software weaknesses related to architecture and design.

They have released the “2011 CWE/SANS Top 25 Most Dangerous Software Errors” list, a list of the most widespread and critical errors that can lead to serious vulnerabilities in software. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The list is a must-read for all software developers, be it web developers, enterprise or whatever. Security is often neglected when developing software and this effort is a nice reminder that there are people out there trying to find holes and vulnerabilities in our software.

I am reposting the “Brief Listing of the Top 25″ below for your quick reference:

  1. Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  2. Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  3. Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  4. Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
  5. Missing Authentication for Critical Function
  6. Missing Authorization
  7. Use of Hard-coded Credentials
  8. Missing Encryption of Sensitive Data
  9. Unrestricted Upload of File with Dangerous Type
  10. Reliance on Untrusted Inputs in a Security Decision
  11. Execution with Unnecessary Privileges
  12. Cross-Site Request Forgery (CSRF)
  13. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  14. Download of Code Without Integrity Check
  15. Incorrect Authorization
  16. Inclusion of Functionality from Untrusted Control Sphere
  17. Incorrect Permission Assignment for Critical Resource
  18. Use of Potentially Dangerous Function
  19. Use of a Broken or Risky Cryptographic Algorithm
  20. Incorrect Calculation of Buffer Size
  21. Improper Restriction of Excessive Authentication Attempts
  22. URL Redirection to Untrusted Site (‘Open Redirect’)
  23. Uncontrolled Format String
  24. Integer Overflow or Wraparound
  25. Use of a One-Way Hash without a Salt

SQL Injection is the number one, no surprise there. There are also some other classic errors, like Buffer Overflow, Cross-site Scripting, Use of Hashes without Salt etc.

I hope that at least some errors will be prevented after reading this list. So, don’t forget to share!

Related Articles :

Do you want to know how to develop your skillset to become a Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

JPA Mini Book

Learn how to leverage the power of JPA in order to create robust and flexible Java applications. With this Mini Book, you will get introduced to JPA and smoothly transition to more advanced concepts.

JVM Troubleshooting Guide

The Java virtual machine is really the foundation of any Java EE platform. Learn how to master it with this advanced guide!

Given email address is already subscribed, thank you!
Oops. Something went wrong. Please try again later.
Please provide a valid email address.
Thank you, your sign-up request was successful! Please check your e-mail inbox.
Please complete the CAPTCHA.
Please fill in the required fields.

Leave a Reply


5 − = one



Java Code Geeks and all content copyright © 2010-2014, Exelixis Media Ltd | Terms of Use | Privacy Policy | Contact
All trademarks and registered trademarks appearing on Java Code Geeks are the property of their respective owners.
Java is a trademark or registered trademark of Oracle Corporation in the United States and other countries.
Java Code Geeks is not connected to Oracle Corporation and is not sponsored by Oracle Corporation.
Do you want to know how to develop your skillset and become a ...
Java Rockstar?

Subscribe to our newsletter to start Rocking right now!

To get you started we give you two of our best selling eBooks for FREE!

Get ready to Rock!
You can download the complementary eBooks using the links below:
Close