The 2010 CWE (Common Weakness Enumeration) / SANS Top 25 Most Dangerous Programming Errors has been released. The full report should be required reading for all web programmers and testers. A pdf version is also available.

Here are the 25 items:

  1. Failure to Preserve Web Page Structure (‘Cross-site Scripting’)
  2. Improper Sanitization of Special Elements used in an SQL Command (‘SQL Injection’)
  3. Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
  4. Cross-Site Request Forgery (CSRF)
  5. Improper Access Control (Authorization)
  6. Reliance on Untrusted Inputs in a Security Decision
  7. Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  8. Unrestricted Upload of File with Dangerous Type
  9. Improper Sanitization of Special Elements used in an OS Command (‘OS Command Injection’)
  10. Missing Encryption of Sensitive Data
  11. Use of Hard-coded Credentials
  12. Buffer Access with Incorrect Length Value
  13. Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP File Inclusion’)
  14. Improper Validation of Array Index
  15. Improper Check for Unusual or Exceptional Conditions
  16. Information Exposure Through an Error Message
  17. Integer Overflow or Wraparound
  18. Incorrect Calculation of Buffer Size
  19. Missing Authentication for Critical Function
  20. Download of Code Without Integrity Check
  21. Incorrect Permission Assignment for Critical Resource
  22. Allocation of Resources Without Limits or Throttling
  23. URL Redirection to Untrusted Site (‘Open Redirect’)
  24. Use of a Broken or Risky Cryptographic Algorithm
  25. Race Condition