Common Weakness Enumeration

A Community-Developed List of Software Weakness Types

CWE/SANS Top 25 Most Dangerous Software Errors
Home > CWE/SANS Top 25 > On the Cusp: Other Weaknesses to Consider  

On the Cusp: Weaknesses that Did Not Make the 2010 Top 25

The Top 25 was selected using a voting process in which participants evaluated a Nominee List of 41 weaknesses. From this list, the final Top 25 was selected based on a combination of prevalence and importance, as evaluated by participants.

This leaves 16 "On the Cusp" weaknesses from the Nominee List that did not make it into the final Top 25. This could be due to one or more of the following reasons:

  • Not prevalent enough
  • Not important enough
  • Not enough votes (implying limited prevalence/importance)

The CWE/SANS Top 25 is really just a starting point for developers. Many weaknesses were considered for inclusion on the Top 25, but some did not make it to the final list. Some were not considered to be important enough; others were not considered to be prevalent enough. Sometimes, the Top 25 reviewers themselves had mixed opinions on whether a weakness should be added to the list or not.

With respect to prevalence, some Top 25 items may not be applicable to the class of software being developed. For example, cross-site scripting is specific to the Web, although analogs exist in other technologies. In other cases, developers may have already eliminated much of the Top 25 in past efforts, so they want to look for other weaknesses that may still be present in their software.

Some on-the-cusp items were omitted because they are already indirectly covered on the Top 25, usually by a more general entry or a monster mitigation. However, these would be important to consider as individual items.

RankScoreCWE Entry
[26]136CWE-749: Exposed Dangerous Method or Function
Just 2 points from the Top 25, possibly on the rise.
[27]129CWE-307: Improper Restriction of Excessive Authentication Attempts
Possibly squeezed off the Top 25 by cousins such as missing authentication.
[28]125CWE-212: Improper Cross-boundary Removal of Sensitive Data
Important when privacy is a main concern.
[29]124CWE-330: Use of Insufficiently Random Values
Not always security-relevant, but still dangerous if it is.
[30]120CWE-59: Improper Link Resolution Before File Access ('Link Following')
A burst in CVE statistics in 2008 shows that these can still be prevalent if focused attention is paid to them.
120CWE-134: Uncontrolled Format String
Usually easily findable, and code execution possibilities have been reduced due to compiler changes, e.g. removal of support for "%n" sequences.
[32]119CWE-476: NULL Pointer Dereference
Typically cause a denial of service in C/C++ but, for certain Linux kernels and possibly other environments, exploitable for code execution.
119CWE-681: Incorrect Conversion between Numeric Types
May be on the rise in future years, especially in transitions from 32-bit to 64-bit architectures.
[34]118CWE-426: Untrusted Search Path
Prevalence is uncertain.
[35]116CWE-454: External Initialization of Trusted Variables or Data Stores
High prevalence in PHP environments with register_globals enabled, or by programmers who are not familiar with the effectiveness of reverse engineering, or the many ways that inputs can be modified.
[36]114CWE-416: Use After Free
Likely on the rise in future years.
114CWE-772: Missing Release of Resource after Effective Lifetime
Important when prevention of denial of service is critical.
[38]106CWE-799: Improper Control of Interaction Frequency
Important when prevention of denial of service is critical. Also a critical component of brute force attacks against security features.
[39]100CWE-456: Missing Initialization
Not always security-relevant; also, easily findable and fixable with modern compilers and code scanners.
[40]91CWE-672: Operation on a Resource after Expiration or Release
Sometimes catchable by the compiler, but may increase in future years.
[41]77CWE-804: Guessable CAPTCHA
Not very prevalent since the use of CAPTCHA is not very prevalent, and importance is generally less than that of other security features such as encryption and authentication.

More information is available — Please select a different filter.
Page Last Updated: January 12, 2017