This section sorts the entries into the three high-level categories that were used in the 2009 Top 25:
Insecure Interaction Between Components
Risky Resource Management
Porous Defenses
The Top 25 vulnerabilities are listed below in these three categories:
Software Vulnerability Category: Insecure Interaction Between Components (6 errors)
Software Vulnerability Category: Risky Resource Management (8 errors)
Software Vulnerability Category: Porous Defenses (11 errors)
Insecure Interaction Between Components:
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.
The top 6 weaknesses in this category, by CWE identifier and name:
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
CWE-78 Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
CWE-79 Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
CWE-434 Unrestricted Upload of File with Dangerous Type
CWE-352 Cross-Site Request Forgery (CSRF)
CWE-601 URL Redirection to Untrusted Site (Open Redirect)
Risky Resource Management:
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.
The top 8 weaknesses in this category, by CWE identifier and name:
CWE-120 Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
CWE-494 Download of Code Without Integrity Check
CWE-829 Inclusion of Functionality from Untrusted Control Sphere
CWE-676 Use of Potentially Dangerous Function
CWE-131 Incorrect Calculation of Buffer Size
CWE-134 Uncontrolled Format String
CWE-190 Integer Overflow or Wraparound
Porous Defenses:
The weaknesses in this category are related to defensive techniques that are often misused, abused, or simply ignored.
The top 11 weaknesses in this category, by CWE identifier and name:
CWE-306 Missing Authentication for Critical Function
CWE-862 Missing Authorization
CWE-798 Use of Hard-coded Credentials
CWE-311 Missing Encryption of Sensitive Data
CWE-807 Reliance on Untrusted Inputs in a Security Decision
CWE-250 Execution with Unnecessary Privileges
CWE-863 Incorrect Authorization
CWE-732 Incorrect Permission Assignment for Critical Resource
CWE-327 Use of a Broken or Risky Cryptographic Algorithm
CWE-307 Improper Restriction of Excessive Authentication Attempts
CWE-759 Use of a One-Way Hash without a Salt