The list is broken down into three major categories as follows: Insecure interaction between components, Risky resource management and Porous Defenses. The entire list of programming errors is comprised of:
2. Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')
3. Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
4. Cross-Site Request Forgery (CSRF)
5. Improper Access Control (Authorization)
6. Reliance on Untrusted Inputs in a Security Decision
7. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
8. Unrestricted Upload of File with Dangerous Type
9. Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')
10. Missing Encryption of Sensitive Data
11. Use of Hard-coded Credentials
12. Buffer Access with Incorrect Length Value
13. Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')
14. Improper Validation of Array Index
15. Improper Check for Unusual or Exceptional Conditions
16. Information Exposure Through an Error Message
17. Integer Overflow or Wraparound
18. Incorrect Calculation of Buffer Size
19. Missing Authentication for Critical Function
20. Download of Code Without Integrity Check
21. Incorrect Permission Assignment for Critical Resource
22. Allocation of Resources Without Limits or Throttling
23. URL Redirection to Untrusted Site ('Open Redirect')
24. Use of a Broken or Risky Cryptographic Algorithm
25. Race Condition.
The list was voted during a period of ten days by representatives of various organizations, the votes being cast for a vast category of metrics, the most important being critical importance and widespread prevalence. To avoid organizations being biased to one or more errors, only one vote per organization was allowed. The nominees list was then sorted based on the aggregate scores received by each error.
The authors didn't limit themselves to only listing these errors but went on record and encouraged customers to insert special security and application anti-hacking protection clauses in future contracts, providing a draft for those interested. The researchers' conclusions tend to blame in equal part the developers and IT educational institutes.
While few IT and programming courses really tackle the subject of product and code security, the main problem to the recent recorded hacks remains the programmer's reduced security knowledge base. The MITRE report tries to offer a solution by encouraging customers to contractually force either employees and freelancers into foul-proofing their code.
“As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you,” says the MITRE report. “Use the Top 25 to help set minimum expectations for due care by software vendors. Consider using the Top 25 as part of contract language during the software acquisition process.”
The complete report, with technical details, code samples, detection methods, references and interpretation guidance can be found on the MITRE page or the SANS Institute page.