
SANS CWE Coverage

Note: The legacy Mend SAST Application was deprecated on April 1st, 2025. For assistance with migrating to the Mend AppSec Platform, please contact your customer success manager or the success team at success@mend.io.

Overview

The SysAdmin, Audit, Network, Security (SANS) Top 25 (now published by MITRE as the CWE Top 25 Most Dangerous Software Weaknesses) lists the most common and impactful software weaknesses. They are often easy to find and exploit, and can lead to vulnerabilities that let an adversary take over a system, steal data, or stop an application from working.

This article lists the Common Weakness Enumeration (CWE) entries from the SANS Top 25 that Mend SAST covers.

Each row in the table below maps one CWE to the standard, using the following columns:

  1. Compliance Standard: The category of the standard to which the CWE is mapped.

  2. Languages: The programming languages for which the CWE is supported.

  3. CWE-ID: The relevant CWE for this standard, with its short description.

SANS TOP 25 CWE Coverage

#    CWE-ID
1.   CWE-125: Out-of-bounds Read
2.   CWE-1333: Inefficient Regular Expression Complexity
3.   CWE-15: External Control of System or Configuration Setting
4.   CWE-190: Integer Overflow or Wraparound
5.   CWE-20: Improper Input Validation
6.   CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
7.   CWE-295: Improper Certificate Validation
8.   CWE-400: Uncontrolled Resource Consumption
9.   CWE-416: Use After Free
10.  CWE-434: Unrestricted Upload of File with Dangerous Type
11.  CWE-502: Deserialization of Untrusted Data
12.  CWE-611: Improper Restriction of XML External Entity Reference
13.  CWE-787: Out-of-bounds Write
14.  CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
15.  CWE-798: Use of Hard-coded Credentials
16.  CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
17.  CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
18.  CWE-918: Server-Side Request Forgery (SSRF)
19.  CWE-94: Improper Control of Generation of Code ('Code Injection')
