The MITRE Corporation this week published an updated list of the most dangerous software weaknesses and vulnerabilities.
Known as the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors (CWE Top 25), the new list has been created based on real-world vulnerabilities found in the NVD (National Vulnerability Database).
This approach represents a major shift from the 2011 CWE Top 25, which was constructed using surveys and personal interviews with developers, top security analysts, researchers, and vendors.
CWE has over 600 categories and the aforementioned change in approach has resulted in new sets of weaknesses making it to the 2019 CWE Top 25.
One of the most notable changes is the inclusion of some class level CWEs that represent broad types of errors, namely CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer), CWE-20 (Improper Input Validation), CWE-200 (Information Exposure) and CWE-287 (Improper Authentication).
The entries, the CWE team explains, were prevalent in the data-driven analysis of NVD, mainly because vendors and researchers often use them to describe the root cause of a vulnerability being reported.
“Looking closer, however, these high-level weaknesses are often the parent of more detailed weaknesses that appeared in previous Top 25 lists,” the team explains.
Thus, CWE-119 is at the top of the new list, although CWE-120, its child, did not make it to Top 25 (but was #3 in the 2011 list). On the other hand, CWE-287, which is #13 in 2019 but did not appear in 2011, is parent of CWE-306, CWE-862, and CWE-863, which were #5, #6, and #15 in 2011 but are not on the 2019 list.
“Another interesting change is that some weaknesses in the 2019 list are reported at a different place within a potential chain of weaknesses. For example, CWE-787 (Out-of-bounds Write) did not appear in the 2011 list but is #12 in 2019. CWE-787 is often part of a chain that starts with CWE-120, which was #3 in 2011,” the CWE team explains.
Other notable changes to the new list represent the inclusion of CWE-125 (Out-of-bounds Read) as #5; CWE-417 (Use After-Free), CWE-611 (Improper Restriction of XML External Entity Reference), and CWE-502 (Deserialization of Untrusted Data) appear at #7, #17, and #23 respectively; and CWE-476 (NULL Pointer Dereference) appears at #14 and not at all in the 2011 Top 25.
CWE-20 and CWE-200 (#3 and #4, respectively), which are class level weaknesses and well-known secure coding problem areas, likely made it high on the list because there are “potentially instances when these entries are used for mapping vulnerabilities to CWE when more specific, lower-level weakness types might be more appropriate,” the CWE team also notes.
The CWE Top 25 also includes weaknesses and vulnerabilities such as Cross-Site Scripting (XSS), SQL Injection, Cross-Site Request Forgery (CSRF), Path Traversal, OS Command Injection, Improper Authentication, Code Injection, Use of Hard-coded Credentials, and Incorrect Permission Assignment for Critical Resource, among others.
Related: Stop Using CVSS to Score Risk
Related: Risk-Based Vulnerability Management is a Must for Security & Compliance