Udooz!

Sans Institute, the largest information security firm in association with software and security giants including Microsoft, Symantec, McAfee, published a hot 25 programming errors under three categories:

• Insecure interaction between components (9)
  
• Risky resource management (9)
  
• Porous defenses (7)
  

Insecure interaction between components

1. CWE-20: Improper Input Validation
2. CWE-116: Improper Encoding or Escaping of Output
3. CWE-89: Failure to Preserve SQL Query Structure (aka 'SQL Injection')
4. CWE-79: Failure to Preserve Web Page Structure (aka 'Cross-site Scripting')
5. CWE-78: Failure to Preserve OS Command Structure (aka 'OS Command Injection')
6. CWE-319: Cleartext Transmission of Sensitive Information
7. CWE-352: Cross-Site Request Forgery (CSRF)
8. CWE-362: Race Condition
9. CWE-209: Error Message Information Leak

Risky resource management

1. CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
2. CWE-642: External Control of Critical State Data
3. CWE-73: External Control of File Name or Path
4. CWE-426: Untrusted Search Path
5. CWE-94: Failure to Control Generation of Code (aka 'Code Injection')
6. CWE-494: Download of Code Without Integrity Check
7. CWE-404: Improper Resource Shutdown or Release
8. CWE-665: Improper Initialization
9. CWE-682: Incorrect Calculation

Porous defenses

1. CWE-285: Improper Access Control (Authorization)
2. CWE-259: Hard-Coded Password
3. CWE-732: Insecure Permission Assignment for Critical Resource
4. CWE-330: Use of Insufficiently Random Values
5. CWE-250: Execution with Unnecessary Privileges
6. CWE-602: Client-Side Enforcement of Server-Side Security

Our responsibility is to literate these top 25 errors to your colleagues, friends and follow these guidelines during your product development.

More details about the list, visit here.