A look into MITRE’s 2021 CWE Top 25 Most Dangerous Software Weaknesses
MITRE’s 2021 Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a list of the most common software issues that can be and are exploited by cyber adversaries. The list is compiled from NIST’s NVD database and the CVSS scores for each CVE, with a formula applied to score each weakness based on prevalence and severity.
The result is a list of 25 software weaknesses from ‘Out-of-bounds Write’ (#1, with a score of 65.93) to ‘Improper Neutralization of Special Elements used in a Command (‘Command Injection’)’ (#25, with a score of 3.58).
In a separate statement published online, CISA comments, “An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. CISA encourages users and administrators to review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.”
Each entry in the CWE list contains the CWE number and a link to the full entry in MITRE’s CWE database. The full entry contains items such as a description, relationship to other weaknesses, known CVEs exploiting the weakness, and the potential mitigations that CISA recommends should be evaluated.
In its own analysis of the CWE list, MITRE notes “the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses” as the major difference from earlier lists. Base-level CWEs have increased from ~60% to ~71% of all Top 25 entries, while Class-level CWEs have decreased from ~30% to ~20% of entries.
MITRE suggests the cause for this movement may have been the success of its earlier lists. Base-level weaknesses are harder to handle than implementation-specific weaknesses. The idea is that the community has improved its capabilities in the latter area, lowering their ranking and raising the ranking of the more difficult weaknesses. The danger here is that where an organization has not improved its mitigation for class-level weaknesses, it may be lulled into thinking they are no longer so relevant.
There is some question over the absolute validity of the weakness rankings due to potential biases in the ranking methodology. This is something MITRE readily accepts and even describes alongside the list publication.
There is a potential data bias. The list only uses data publicly reported and captured in the NVD; it is not always easy to accurately map CWEs to specific CVEs; and there is an inherent bias in the CVE/NVD dataset caused by the set of vendors that most commonly report vulnerabilities, and – for example – their primary programming language. Finally, there is a possibility of mischaracterizations in the CWE hierarchy itself leading to incorrect mappings.
There is a metric bias. For example, the metric indirectly prioritizes implementation flaws over design flaws because of the prevalence of the former. A second bias was described in a paper titled Measurements of the Most Significant Software Security Weaknesses. The authors wrote, “the published equation highly biases frequency and almost ignores exploitability and impact in generating top lists of varying sizes. This is due to the differences in the distributions of the component metric values.”
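To make that frequency bias concrete, here is an added Python example (not from the article, and not MITRE's own tooling) that applies the scoring method published with the CWE Top 25 methodology, Score = Fr × Sv × 100 with min-max-normalised CVE count and min-max-normalised average CVSS, to a constructed set of CVE-to-CWE mappings. The CWE ids are real entries from the list; the counts and CVSS values are invented to show a very common moderate-severity weakness outscoring a rare critical one.

```python
"""Apply the CWE Top 25 scoring formula to a constructed CVE->CWE sample.

Formula (from the published CWE Top 25 methodology; stated here as an
assumption, the article itself does not give it):
    Score = Fr * Sv * 100
where Fr is the min-max normalised number of CVEs mapped to the CWE and
Sv is the min-max normalised average CVSS base score of those CVEs.
"""
from statistics import mean


def constructed_sample():
    """Constructed (cwe_id, cvss_base_score) rows, one per CVE. Not real NVD data."""
    rows = [("CWE-79", 6.1)] * 10                                      # XSS: very common, moderate
    rows += [("CWE-787", s) for s in (8.8, 7.8, 9.8, 8.8, 7.8, 9.8)]   # out-of-bounds write
    rows += [("CWE-77", 9.8)] * 2                                      # command injection: rare, critical
    rows += [("CWE-200", 4.3)]                                         # info exposure: rare, low
    return rows


def normalise(value, lo, hi):
    """Min-max normalise; the least frequent and least severe CWE land on 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def cwe_scores(rows):
    """Return {cwe: (Fr, Sv, Score)} so it is visible which term drives the score."""
    counts, cvss = {}, {}
    for cwe, score in rows:
        counts[cwe] = counts.get(cwe, 0) + 1
        cvss.setdefault(cwe, []).append(score)
    avg = {cwe: mean(v) for cwe, v in cvss.items()}
    f_lo, f_hi = min(counts.values()), max(counts.values())
    s_lo, s_hi = min(avg.values()), max(avg.values())
    out = {}
    for cwe in counts:
        fr = normalise(counts[cwe], f_lo, f_hi)
        sv = normalise(avg[cwe], s_lo, s_hi)
        out[cwe] = (round(fr, 3), round(sv, 3), round(fr * sv * 100, 2))
    return out


def ranking(rows):
    """CWE ids ordered by Score, highest first."""
    scores = cwe_scores(rows)
    return sorted(scores, key=lambda c: scores[c][2], reverse=True)


if __name__ == "__main__":
    scores = cwe_scores(constructed_sample())
    for cwe in ranking(constructed_sample()):
        fr, sv, score = scores[cwe]
        print(f"{cwe:8} Fr={fr:.3f} Sv={sv:.3f} Score={score:6.2f}")
```

On this sample CWE-77 has the maximum severity term (Sv = 1.0) yet scores about 11, while CWE-79 with Sv of roughly 0.33 scores about 33 purely on its frequency term.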
MITRE adds that it will investigate alternate metrics and may introduce a new metric for the 2022 list. The problem here is that changes to the way lists are compiled mean that it is impossible to accurately determine genuine list movements from one year to the next.
It may be that the real value of the CWE Top 25 List is not so much the detailed order of the entries, but the accumulation of common weaknesses into a single source document, and the generalizations that can be deduced.
Tyler Shields, CMO at JupiterOne, does, however, pick out two specifics as having particular relevance. “The two biggest changes,” he told SecurityWeek, “were ‘Missing Authentication for Critical Function’ jumping up 13 places and ‘Incorrect Default Permissions’ jumping up a whopping 22 spots. These are the most common attacks that we are seeing in modern infrastructure and they are completely preventable.”
Software developers, whether in-house or third-party, should avoid building in these weaknesses, but they do not – and it would be unreasonable to expect them to suddenly start doing so. This puts the emphasis on the software-using company to detect them. But the problem is that most security and IT teams have little visibility into their cyber assets, specifically those that are identity or cloud based.
“Cloud security posture management (CSPM) and Cyber Asset Management tools both help provide the governance and security you require to close these two attack classes,” adds Shields.
Kevin Dunne, president at Pathlock, agrees that the cloud plays a major part in current software weaknesses. “With the emphasis on cloud adoption during the pandemic, the need to remediate these software weaknesses is accelerating. For companies developing applications living in the cloud, that means increased investment in secure development training, code scanning tools, security research, and other areas,” he told SecurityWeek. “For commercially procured cloud applications (such as CRM, HRM, and others), there is less control over the pace at which these weaknesses can be corrected. Vendors are typically under pressure from their hundreds or thousands of customers to provide timely fixes, but there can always be delays in that process.”
One example of a generalized conclusion that can be drawn from the list is the large contingent of identity-based weaknesses, which should focus the minds of both developers and user companies.
“Nine of the top 25 current software security weaknesses,” Garret Grajek, CEO at YouAttest, told SecurityWeek, “involved identities in some form: authentication, credential stealing, impersonation and authorization. It is obvious that obtaining credentials into the enterprise, for initial and persistent access to the enterprise, is an objective of the hackers.” He describes stolen access as ‘the gift that keeps on giving’ allowing attackers to ‘land and expand’, and adds, “Keeping a tight rein on access permissions and identities is key to a secure enterprise.”
“In general,” concludes John Bambenek, threat intelligence advisor at Netenrich, “the high-level vulnerabilities stay the same. How they are reflected in vulnerabilities in software changes over time as we adopt new technologies, but the best practices remain fairly static: validate all inputs, protect sensitive functions and credentials, and ensure strong authentication and authorization for all applications.”
The message from the MITRE list is that software-using companies need to accept responsibility themselves. Where they develop their own applications, the list demonstrates the areas that most need more design and development focus. Where they use third-party software, the list demonstrates those areas that are most likely to be vulnerable, and where additional resources need to be focused for improved security.