Common Weakness Enumeration

A community-developed list of SW & HW weaknesses that can become vulnerabilities

New to CWE? click here!
CWE Most Important Hardware Weaknesses
CWE Top 25 Most Dangerous Weaknesses
Home > CWE Top 25 > On the Cusp: Other Weaknesses to Consider  

On the Cusp: Other Weaknesses to Consider

The 2011 CWE/SANS Top 25 is really just a starting point for developers. Many weaknesses were considered for inclusion on the Top 25, but some did not make it to the final list. Some were not considered to be severe enough; others were not considered to be prevalent enough; others were not exploited often. Sometimes, the Top 25 reviewers themselves had mixed opinions on whether a weakness should be added to the list or not.

With respect to severity, some Top 25 users may have a significantly different threat model. For example, software uptime may be critical to consumers who operate in critical infrastructure or e-commerce environments. However, in the threat model being used by the Top 25, availability is regarded as slightly less important than integrity and confidentiality.

With respect to prevalence, some Top 25 items may not be applicable to the class of software being developed. For example, cross-site scripting is specific to the Web, although analogs exist in other technologies. In other cases, developers may have already eliminated much of the Top 25 in past efforts, so they want to look for other weaknesses that may still be present in their software.

Some on-the-cusp items were omitted because they are already indirectly covered on the Top 25, usually by a more general entry. However, these would be important to consider as individual items.

For these reasons, users of the Top 25 should seriously consider including these weaknesses in their analyses.

    • [26] CWE-770: Allocation of Resources Without Limits or Throttling
    • [27] CWE-129: Improper Validation of Array Index
    • [28] CWE-754: Improper Check for Unusual or Exceptional Conditions
    • [29] CWE-805: Buffer Access with Incorrect Length Value
    • [30] CWE-838: Inappropriate Encoding for Output Context
    • [31] CWE-330: Use of Insufficiently Random Values
    • [32] CWE-822: Untrusted Pointer Dereference
    • [33] CWE-362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
    • [34] CWE-212: Improper Cross-boundary Removal of Sensitive Data
    • [35] CWE-681: Incorrect Conversion between Numeric Types
    • [36] CWE-476: NULL Pointer Dereference
    • [37] CWE-841: Improper Enforcement of Behavioral Workflow
    • [38] CWE-772: Missing Release of Resource after Effective Lifetime
    • [39] CWE-209: Information Exposure Through an Error Message
    • [40] CWE-825: Expired Pointer Dereference
    • [41] CWE-456: Missing Initialization
Page Last Updated: June 27, 2011