On the Cusp: Other Weaknesses to Consider

On the Cusp: Other Weaknesses to Consider

The CWE/SANS Top 25 is really just a starting point for developers. Many weaknesses were considered for inclusion on the Top 25, but some did not make it to the final list. Some were not considered to be severe enough; others were not considered to be prevalent enough. Sometimes, the Top 25 reviewers themselves had mixed opinions on whether a weakness should be added to the list or not.

With respect to severity, some Top 25 users may have a significantly different threat model. For example, software uptime may be critical to consumers who operate in critical infrastructure or e-commerce environments. However, in the threat model being used by the Top 25, availability is regarded as slightly less important than integrity and confidentiality.

With respect to prevalence, some Top 25 items may not be applicable to the class of software being developed. For example, cross-site scripting is specific to the Web, although analogs exist in other technologies. In other cases, developers may have already eliminated much of the Top 25 in past efforts, so they want to look for other weaknesses that may still be present in their software.

Some on-the-cusp items were omitted because they are already indirectly covered on the Top 25, usually by a more general entry. However, these would be important to consider as individual items.

For these reasons, users of the Top 25 should seriously consider including these weaknesses in their analyses.

• CWE-400: Uncontrolled Resource Consumption (aka 'Resource Exhaustion')

  • A really big deal if 99.9% uptime is your mantra.

• CWE-252: Unchecked Return Value

  • An innocent-looking error of omission that can lead to failure of your mission.

• CWE-681: Incorrect Conversion between Numeric Types

  • Skating the borders between your language and your compiler, leaving unexpected results in its wake.

• CWE-287: Improper Authentication

  • It's not about who you know, it's about how you know who they are.

• CWE-656: Reliance on Security through Obscurity

  • Depending too much on secrecy for your security mechanisms is an invitation to fail.

• CWE-134: Uncontrolled Format String

  • Allowing attackers to specify your format strings can wreak havoc on your data and your code.

• CWE-88: Argument Injection

  • Lack of control over your command arguments, options, or switches can quickly turn "rm" into "rm -rf"

• CWE-93: CRLF Injection

  • The king of command and header separators; a slave to attackers.

• CWE-573: Failure to Follow Specification

  • There are consequences for code-slingin' renegades who don't do what their API asks of them.

• CWE-407: Algorithmic Complexity

  • Stuff you learned in college but didn't think mattered for security. Equation: 0 uptime = 0 profit = 0 jobs.

• CWE-609: Double-checked Locking

  • A subtle race condition that just doesn't seem like it should work.

• CWE-749: Exposed Dangerous Method or Function

  • When dangerous methods and functions aren't picky about who gets to call them, they could expose your software in a flash.

• CWE-131: Incorrect Calculation of Buffer Size

  • A big reason why buffer overflows never die.

• CWE-129: Unchecked Array Indexing

  • An array index may point to unexpected locations, which often means code execution or at least data corruption.

• CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')

  • Embarrassing to make, embarrassingly common.

• CWE-98: Remote File Inclusion

  • A favorite fuel for web-based worms since 2006.

• CWE-565: Use of Cookies in Security Decision

  • Trusting cookies can make your security crumble.

• CWE-470: Unsafe Reflection

  • The Reflection API is powerful, cool, and a great opportunity for attackers to call code that you don't expect.

• CWE-95: Eval Injection

  • It's dynamic code generation gone wild, except you lose more than your shirt.

• CWE-59: Link Following

  • When you let someone else tell you where to go, make sure you bring your handbasket.

• CWE-22: Path traversal

  • A popular way of breaking out of restricted directories and into the rest of the operating system.

• CWE-184: Incomplete Blacklist

  • The first step in a programmer's long road to enlightenment that good input validation can be easier said than done.

• CWE-180: Validating before Canonicalizing

  • Order of operations: lolcats might say "ur doin it rong."