From BBC News:

The US National Security Agency has helped put together a list of the world’s most dangerous coding mistakes.

The 25 entry list contains errors that can lead to security holes or vulnerable areas that can be targeted by cyber criminals.

Experts say many of these errors are not well understood by programmers.

According to the SANS Institute in Maryland, just two of the
errors led to more than 1.5m web site security breaches during 2008.

It is thought that this is the first time the
industry has reached agreement on the worst things that can creep into
software as it is being written.

More than 30 organizations, including the US National Security
Agency, the Department of Homeland Security, Microsoft, and Symantec
published the document.

So here’s the list:

  • CWE-20:Improper Input Validation
  • CWE-116:Improper Encoding or Escaping of Output
  • CWE-89:Failure to Preserve SQL Query Structure
  • CWE-79:Failure to Preserve Web Page Structure
  • CWE-78:Failure to Preserve OS Command Structure
  • CWE-319:Cleartext Transmission of Sensitive Information
  • CWE-352:Cross-Site Request Forgery
  • CWE-362:Race Condition
  • CWE-209:Error Message Information Leak
  • CWE-119:Failure to Constrain Operations within the Bounds of a Memory Buffer
  • CWE-642:External Control of Critical State Data
  • CWE-73:External Control of File Name or Path
  • CWE-426:Untrusted Search Path
  • CWE-94:Failure to Control Generation of Code
  • CWE-494:Download of Code Without Integrity Check
  • CWE-404:Improper Resource Shutdown or Release
  • CWE-665:Improper Initialization
  • CWE-682:Incorrect Calculation
  • CWE-285:Improper Access Control
  • CWE-327:Use of a Broken or Risky Cryptographic Algorithm
  • CWE-259:Hard-Coded Password
  • CWE-732:Insecure Permission Assignment for Critical Resource
  • CWE-330:Use of Insufficiently Random Values
  • CWE-250:Execution with Unnecessary Privileges
  • CWE-602:Client-Side Enforcement of Server-Side Security
Source: SANS Institute