Top 25 most dangerous software errors CWE / SANS

• CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
• CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
• CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
• CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
• CWE-306 Missing Authentication for Critical Function
• CWE-862 Missing Authorization
• CWE-798 Use of Hard-coded Credentials
• CWE-311 Missing Encryption of Sensitive Data
• CWE-434 Unrestricted Upload of File with Dangerous Type
• CWE-807 Reliance on Untrusted Inputs in a Security Decision
• CWE-250 Execution with Unnecessary Privileges
• CWE-352 Cross-Site Request Forgery (CSRF)
• CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
• CWE-494 Download of Code Without Integrity Check
• CWE-863 Incorrect Authorization
• CWE-829 Inclusion of Functionality from Untrusted Control Sphere
• CWE-732 Incorrect Permission Assignment for Critical Resource
• CWE-676 Use of Potentially Dangerous Function
• CWE-327 Use of a Broken or Risky Cryptographic Algorithm
• CWE-131 Incorrect Calculation of Buffer Size
• CWE-307 Improper Restriction of Excessive Authentication Attempts
• CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
• CWE-134 Uncontrolled Format String
• CWE-190 Integer Overflow or Wraparound
• CWE-759 Use of a One-Way Hash without a Salt

Top 10 most critical security risks for web-applications according to OWASP

• A1 Injection
• A2 Broken Authentication
• A3 Sensitive Data Exposure
• A4 XML External Entities (XXE)
• A5 Broken Access Control
• A6 Security Misconfiguration
• A7 Cross-Site Scripting (XSS)
• A8 Insecure Deserialization
• A9 Using Components with Known Vulnerabilities
• A10 Insufficient Logging & Monitoring