SANS Institute Top 25 Software Errors

November 20, 2019

Experienced developers, cyber-security experts, ALM consultants, DevOps gurus and some other dangerous species.
SANS Institute Top 25 Software Errors

The SANS Institute has designed thousands of programs for security professionals around the world. The organization brings together seasoned security practitioners to provide information security practices along with security certification. Besides the numerous research documents, the organization is also at the heart of the Internet Storm Center (Internet’s early warning system).


The SANS Institute developed the CWE (Common Weakness Enumeration)/ SANS 25, along with MITRE, a non-profit research organization. This initiative outlines software security vulnerabilities that software developers encounter in the course of the software development lifecycle. With this list, organizations can remain vigilant on critical errors likely to have damaging effects on their software.

The CWE goes beyond vulnerability description as each entry also contains steps for mitigating various threats. Initially, MITRE had compiled the Common Vulnerabilities Exposure (CVE) list back in 1999. In the subsequent years, CVE evolved to CWE, which provided a specific categorization of weaknesses.

The CWE team released the latest version of the Top 25 list in 2019, with research results based on a data-driven approach. Along with CWE mappings from the National Institute of Standards and Technology (NIST), compilers used CVE data and a scoring system to determine the prevalence of each weakness.

The security vulnerabilities

CWE/SANS top 25 vulnerabilities include porous defenses, insecure component interactions, as well as high-risk resource management. These three categories highlight the more extrinsic weaknesses of these vulnerabilities.

1. Porous defenses

Eleven of the 25 vulnerabilities fall into this category. The integrity of application security relies on a host of defensive techniques like authorization, encryption, and authentication. These techniques, however, turn to application vulnerabilities when your security system fails to implement them correctly.

2. Insecure component interactions

Open Redirect and SQL Injection are the most common errors found in this category. Such errors exploit the networks within the system to alter different functionality with malicious code.

3. High-risk resource vulnerabilities

Risk resource vulnerabilities occur when software mismanage resources, especially in terms of memory utilization. Path traversal and buffer overflow are some of the top weaknesses in this category.

In resource management, you’ll need to identify the legitimacy of your source and ensure that the inputs serve the intended purposes. Software developers can assess vulnerabilities and perform application security testing to keep such security vulnerabilities in check.

The most prominent software errors

Take a look at some of the most prominent software errors present in the CWE/SANS top 25 list:

1. Improper input validation

The CWE-20 error highlights discrepancies in the data flow of a program. Parts of the system may receive unintended input as your app fails to validate the information. With a score of 43.61, programs that receive external data are most vulnerable to this error. Attackers exploit this error with input that an app can’t interpret. Successful attacks may either lead to arbitrary code execution or altered data flow.

Alternatively, attackers can opt for malicious input that modifies existing data. Most of these attacks target confidential data. CWE-20 has a close association with CWE-116 that deals with improper encoding or escaping of output. Apps that aren’t vulnerable to such attacks often preserve the meaning of a structured message.

2. Out-of-bounds read

The 26.53 score of CWE-125 highlights its prevalence in different apps. In this error, buffers placed in a system do not control how much data the software reads. With extended reading capabilities, attackers easily exploit different memory locations and read sensitive information like memory addresses in the process.

In the worst-case scenario, your system may crash. Buffer overflows, or segmentation faults often occur when attackers exploit this vulnerability. C and C++ software run the highest risk for this error. With appropriate input validation measures, developers should be able to mitigate against this vulnerability.

3. Improper restriction of operations within the bounds of a memory buffer

CWE-119 ranks highest in the CWE/SANS Top 25 list with a score of 75.56. Just like CWE-125, in this error, software can read information beyond the intended boundary of a buffer. The error, however, extends to writing information in such memory locations.

All an attacker does is to overwrite as little as 64 bits of memory. This step lets them deviate a function pointer towards their malicious code. These attacks compromise security-critical data and corrupt relevant memory in the process.

Successful breaches of this vulnerability allow attackers to:

  • Read sensitive information
  • Execute arbitrary code
  • Crash the system
  • Alter control flow

These consequences depend on the chip architecture, platform, and programming language that you use for app development. Developers can mitigate this vulnerability using memory management support. Such support systems ensure that buffer systems extend to the intended memory locations.

4. Information exposure

As its name suggests, CWE-200 exposes information to unauthorized individuals. Primary information exposures entail things like cryptography timing discrepancies. Resultant exposures, on the other hand, could involve scripts that lay bare a program. The severity of these exposures often depends on the information in question.

The information could be like a private message or something that helps attackers exploit a program. Developers should strive to create ‘safe’ areas within their systems. With trust boundaries around such areas, designers can offer fewer system privileges and keep this vulnerability in check.

Other software errors

Other software errors in the SANS/CWE Top 25 list include:

  • Cross-Site Request Forgery (CWE-352)
  • Improper Neutralization of Input During Web Page Generation (CWE-79)
  • SQL Injection (CWE-89)
  • Integer Overflow or Wraparound (CWE-190)
  • Improper Neutralization of Special Elements used in an OS Command (CWE-78)
  • Improper Limitation of a Pathname to a Restricted Directory (CWE-22)
  • Use After Free (CWE-416)
  • NULL Pointer Dereference (CWE-476)
  • Use of Hard-coded Credentials (CWE-798)
  • Untrusted Search Path (CWE-426)

In Conclusion

Software end-users often look for providers with secure applications. Apps that are immune to SANS/CWE Top 25 software errors fit this bill. Developers can use the list as a litmus test for their new software.

As you develop applications to meet consumer demands, consider integrating software vulnerability tests earlier in the software development lifecycle. A robust tool like SAST (Static Application Security Testing), should help you achieve this goal. The idea is to stop an attack before it takes place.

Do you want to secure your code from any vulnerabilities?

Would you like to know more about implementing secure application development solution in your company? Get in touch with our Kiuwan team! We love to talk about security.