The annual CWE Top 25 has been updated again, and this year's edition is a substantial overhaul. It drops the 2009 organization, which grouped entries by "weakness" category with no ordering, and introduces a new "voting" mechanism that produces a ranking. A large number of overly abstract CWE entries have been removed, and the list now emphasizes actionability and the consistency, detail and comprehensibility of its security-improvement recommendations.
2010 CWE Top 25 ranking table
| Rank | Score | CWE-ID | Name |
|------|-------|--------|------|
| 1 | 346 | CWE-79 | Failure to Preserve Web Page Structure ('Cross-site Scripting') |
| 2 | 330 | CWE-89 | Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection') |
| 3 | 273 | CWE-120 | Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') |
| 4 | 261 | CWE-352 | Cross-Site Request Forgery (CSRF) |
| 5 | 219 | CWE-285 | Improper Access Control (Authorization) |
| 6 | 202 | CWE-807 | Reliance on Untrusted Inputs in a Security Decision |
| 7 | 197 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') |
| 8 | 194 | CWE-434 | Unrestricted Upload of File with Dangerous Type |
| 9 | 188 | CWE-78 | Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection') |
| 10 | 188 | CWE-311 | Missing Encryption of Sensitive Data |
| 11 | 176 | CWE-798 | Use of Hard-coded Credentials |
| 12 | 158 | CWE-805 | Buffer Access with Incorrect Length Value |
| 13 | 157 | CWE-98 | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion') |
| 14 | 156 | CWE-129 | Improper Validation of Array Index |
| 15 | 155 | CWE-754 | Improper Check for Unusual or Exceptional Conditions |
| 16 | 154 | CWE-209 | Information Exposure Through an Error Message |
| 17 | 154 | CWE-190 | Integer Overflow or Wraparound |
| 18 | 153 | CWE-131 | Incorrect Calculation of Buffer Size |
| 19 | 147 | CWE-306 | Missing Authentication for Critical Function |
| 20 | 146 | CWE-494 | Download of Code Without Integrity Check |
| 21 | 145 | CWE-732 | Incorrect Permission Assignment for Critical Resource |
| 22 | 145 | CWE-770 | Allocation of Resources Without Limits or Throttling |
| 23 | 142 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') |
| 24 | 141 | CWE-327 | Use of a Broken or Risky Cryptographic Algorithm |
| 25 | 138 | CWE-362 | Race Condition |
Figure: mind map of the 2009 CWE Top 25
Main changes in the 2010 CWE Top 25 compared with the 2009 edition
| 2009 entry | Status in 2010 |
|------------|----------------|
| CWE-20 | high-level root cause; now covered in Monster Mitigations |
| CWE-116 | high-level root cause; now covered in Monster Mitigations |
| CWE-602 | high-level root cause; now covered in Monster Mitigations |
| CWE-250 | high-level root cause; now covered in Monster Mitigations |
| CWE-119 | high-level class; replaced with lower-level CWE-120, CWE-129, CWE-131, and CWE-805 |
| CWE-259 | replaced with higher-level CWE-798 |
| CWE-73 | high-level root cause; now covered in Monster Mitigations |
| CWE-642 | high-level root cause; now covered in Monster Mitigations |
| CWE-94 | high-level; CWE name and description also caused improper interpretation of the types of issues it intended to cover |
| CWE-404 | high-level; replaced by children CWE-772 and CWE-672 |
| CWE-682 | high-level; replaced by children CWE-131 and CWE-190 |
| CWE-319 | replaced with its parent, CWE-311 |
References
[1] http://cwe.mitre.org/top25/pdf/2009_cwe_sans_top_25.pdf
[2] http://cwe.mitre.org/top25/archive/2010/2010_cwe_sans_top25.pdf