Home
Managing application risk
Follow this workflow to manage application security risks in your organization.
Step 5: Measuring progress and demonstrating compliance
Learn how to measure progress and demonstrate compliance.
Demonstrating compliance
Learn how to demonstrate compliance.
Industry standard reports
Learn about Industry standard report.
CWE Top 25 Most Dangerous Software Weaknesses 2023 report
This report displays Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses found on your site. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.

Welcome
Welcome to the HCL AppScan Enterprise 10.5.0 documentation, where you can find information about how to install, maintain, and use HCL AppScan Enterprise.
Accessibility features for AppScan® Enterprise
Accessibility features assist users who have a disability, such as restricted mobility or limited vision, to use information technology content successfully.
Overview
Learn general information about the product.
Installing
Learn how to install the product.
Upgrading and migrating
Learn how to upgrade the product.
Integrating
Learn how to integrate the product with other solutions.
DevOps
Learn how to extend the product with REST APIs and plugins.
Best practices
Learn best practices for using the product.
Configuring
Learn how to configure the product.
Administering
Learn how to administer the product.
Managing application risk
Follow this workflow to manage application security risks in your organization.
- Step 1: Creating an application inventory
  Learn how to create an application inventory.
- Step 2: Testing applications for vulnerabilities
  Learn how to test vulnerabilities identified in an application.
- Step 3: Determining risks and prioritizing vulnerabilities
  Learn how to determine risks and prioritize vulnerabilities identified in an application.
- Step 4: Remediating risks
  Learn how to remediate risks identified in an application.
- Step 5: Measuring progress and demonstrating compliance
  Learn how to measure progress and demonstrate compliance.
  - Measuring progress
    Learn how to track various metrics and trends of the applications that compose your portfolio.
  - Demonstrating compliance
    Learn how to demonstrate compliance.
    - Exporting issues as reports
      You can generate customized reports ( HTML, PDF, Excel, or XML) for issues and send them to developers, internal auditors, penetration testers, managers, and the CISO. The reporting templates in AppScan Enterprise map application security data to key government regulations and industry standards. Use the reports to document progress towards regulatory compliance goals, such as showing a reduction in the number of application vulnerabilities associated with compliance issues.
    - Limiting the size of a Security report
      Security reports can be large. During report generation, you might receive a warning message that the file is hundreds of pages long, or the report creation process might time out. Try the following tips to reduce report size.
    - Compliance Report
      Learn about Compliance report.
    - Industry standard reports
      Learn about Industry standard report.
      - International Standard ISO 27001 report
        This report displays existing web application vulnerabilities that violate this standard control objectives. The control objectives as listed in this standard are directly derived from and aligned with the control objectives listed in ISO 17799.
      - International Standard ISO 27002 report
        This report displays existing web application vulnerabilities that violate this standard control objectives. The control objectives as listed in this standard are directly derived from and aligned with the control objectives listed in ISO 17799.
      - NERC Cyber Security Standards report
        This report displays NERC Cyber Security Standards issues found on your site. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered as violations of the regulation.
      - NIST Special Publication 800-53 Revision 5 report
        This report displays National Institute of Standards and Technology (NIST) issues found on your application. Many web application vulnerabilities might lead to security breaches of personal information, directly or indirectly, and might be considered violation of the regulation.
      - OWASP Top 10 report 2021
        The OWASP Top 10 is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to your web applications.
      - OWASP API Security Top 10 report 2019
        APIs, or application program interfaces, are vital tools for businesses in all industries. Since there is a rise in use of APIs in many domains and APIs are a critical part of modern mobile, SaaS and web applications, it is inevitable to release the importance of API security and its unique vulnerabilities as compared to web applications. OWASP API Security Top 10 report help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses related to APIs.
      - OWASP API Security Top 10 report 2023
        APIs, or application program interfaces, are vital tools for businesses in all industries. Since there is a rise in use of APIs in many domains and APIs are a critical part of modern mobile, SaaS and web applications, it is inevitable to release the importance of API security and its unique vulnerabilities as compared to web applications. OWASP API Security Top 10 report help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses related to APIs.
      - CWE Top 25 Most Dangerous Software Weaknesses 2023 report
        This report displays Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses found on your site. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
      - WASC Threat Classification v2.0 report
        This report displays WASC threat classification issues found on your site.
Troubleshooting and support
To help you understand, isolate, and resolve problems with your HCL® software, the troubleshooting and support information contains instructions for using the problem-determination resources that are provided with your HCL products.
Reference
Review reference information for the product.
Glossary

CWE Top 25 Most Dangerous Software Weaknesses 2023 report

This report displays Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses found on your site. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.

Why it matters

The CWE Top 25 Most Dangerous Software Weaknesses report is a list of the most significant programming errors that can lead to serious software vulnerabilities. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.

Table 1. Listing of the weaknesses in the 2023 CWE Top 25
Rank	ID	Name
1	CWE-787	Out-of-bounds Write
2	CWE-79	Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3	CWE-89	Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
4	CWE-416	Use After Free
5	CWE-78	Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
6	CWE-20	Improper Input Validation
7	CWE-125	Out-of-bounds Read
8	CWE-22	Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
9	CWE-352	Cross-Site Request Forgery (CSRF)
10	CWE-434	Unrestricted Upload of File with Dangerous Type
11	CWE-862	Missing Authorization
12	CWE-476	NULL Pointer Dereference
13	CWE-287	Improper Authentication
14	CWE-190	Integer Overflow or Wraparound
15	CWE-502	Deserialization of Untrusted Data
16	CWE-77	Improper Neutralization of Special Elements used in a Command ('Command Injection')
17	CWE-119	Improper Restriction of Operations within the Bounds of a Memory Buffer
18	CWE-798	Use of Hard-coded Credentials
19	CWE-918	Server-Side Request Forgery (SSRF)
20	CWE-306	Missing Authentication for Critical Function
21	CWE-362	Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
22	CWE-269	Improper Privilege Management
23	CWE-94	Improper Control of Generation of Code ('Code Injection')
24	CWE-863	Incorrect Authorization
25	CWE-276	Incorrect Default Permissions