The Common Weakness Enumeration (CWE) recently published its list of the top 25 Most Dangerous Software Errors (CWE Top 25), which include the most widespread and critical weaknesses that can lead to serious vulnerabilities in software. Even more ominous is the fact that these weaknesses are often easy to find and even easier to exploit – and can allow adversaries to completely take over execution of software, steal data or prevent the software from working.
CWE has provided this list as a community resource for use by software developers, software testers, software customers, software project managers, security researchers and educators to provide insight into some of the greatest security threats in the software industry.
This list was compiled with support from the Department of Homeland Security, which noted that it is vital for software designers, developers and cybersecurity experts to keep apprised of the potential weakness that software errors present. The Homeland Security Systems Engineering and Development Institute (HSSEDI), which is managed by DHS Science and Technology Directorate (S&T), and operated by MITRE, recently updated the 25 CWE list for the first time in eight years.
HSSEDI provided the specialized independent and objective expertise for addressing national homeland security needs in a number of vital areas, including those in information technology, communications and cybersecurity.
“This list is an important tool for improving cybersecurity resiliency,” said Scott Randels, Director of S&T’s Federally-Funded Research and Development Centers, which manages HSSEDI, via a statement.
“I’m excited about our ongoing collaboration with HSSEDI and the vast mitigation potential of this product,” added Randels.
More Than a Guidance Document
The 2019 CWE list is meant to serve as a guidance document, but also as an important proof-of-concept, as it was compiled via a data-driven approached based on real-world vulnerabilities reported by security researchers.
“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” said CWE project leader Chris Levendis via a release. “We will continue to mature the methodology as we move forward.”
Experts in the field have both praised the CWE list, but also highlighted the failure of the software community to address the vulnerabilities
“From a software perspective, this list looks right,” said Javvad Malik, security awareness advocate at KnowBe4, via an email. “However, much like other similar lists, such as the OWASP top 10, there is little change in the overall types of vulnerabilities which constantly make up the top issues.”
In other words, the industry needs to do more to help ensure that the software doesn’t put users in harm’s way.
“This highlights the unfortunate reality that despite many efforts, security is not being embedded effectively enough within the developer community, or in enterprise assurance frameworks,” added Malik. “It’s not that we are unaware of how to identify and remedy the issues or prevent them from occurring in the first place, there appears to be a culture where getting software shipped outweighs the security requirements.”
Top 2019 Threats
While many of the threats have been common – even all too common – for many years, the 2019 CWE list specifically identified a new top weakness: “Improper Restriction of Operations within Bounds of a Memory Buffer,” and this replaced the previous top weakness, “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’),” which dropped down to the number six spot.
However, just as the CWE list calls out specific threats, all Americans should still be aware that software itself is just one part of the great issue of cybersecurity.
“Seventy to ninety percent of all malicious compromises are due to social engineering and exploiting unpatched software is involved in 20% to 40%,” explained Roger A. Grimes, data-driven defense evangelist at KnowBe4, via an email to ClearanceJobs.
“You would think that all software developers would be getting better at developing code with less exploitable security vulnerabilities,” added Grimes.
Some are, but most are not.
“This shouldn’t be surprising because most programmers are not taught about computer security and secure development lifecycle (SDL) programming techniques and processes in school,” Grimes explained.
“There are only a few colleges in the U.S. that devote an entire course on computer security and secure program to programmers,” Grimes noted. “Most cover it in a few hours as part of some other course, which of course means that it isn’t really covered.”
More worrisome is that bad actors also know that software weaknesses remain such a prevalent issue.
“News like this is encouraging to attackers as even lesser-skilled ones know that without advanced techniques or custom malware abilities, they can still take advantage of age-old flaws to breach many companies,” said Malik.
The answer is – or at least should be – a fairly straightforward one where understanding security is as important as coding.
“All programmers should strive to learn as much as they can about SDL techniques, tools, and processes as they can,” said Grimes. “It will make them better programmers and more valuable to their employers. Best yet, they’ll get paid more and make more secure software for the world. It’s win-win.”
Here’s the list of the top 25 software weaknesses, and the overall score of each:
| [1] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| [2] | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.69 |
| [3] | CWE-20 | Improper Input Validation | 43.61 |
| [4] | CWE-200 | Information Exposure | 32.12 |
| [5] | CWE-125 | Out-of-bounds Read | 26.53 |
| [6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 24.54 |
| [7] | CWE-416 | Use After Free | 17.94 |
| [8] | CWE-190 | Integer Overflow or Wraparound | 17.35 |
| [9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| [10] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.10 |
| [11] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 11.47 |
| [12] | CWE-787 | Out-of-bounds Write | 11.08 |
| [13] | CWE-287 | Improper Authentication | 10.78 |
| [14] | CWE-476 | NULL Pointer Dereference | 9.74 |
| [15] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
| [16] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
| [17] | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
| [18] | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 5.36 |
| [19] | CWE-798 | Use of Hard-coded Credentials | 5.12 |
| [20] | CWE-400 | Uncontrolled Resource Consumption | 5.04 |
| [21] | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
| [22] | CWE-426 | Untrusted Search Path | 4.40 |
| [23] | CWE-502 | Deserialization of Untrusted Data | 4.30 |
| [24] | CWE-269 | Improper Privilege Management | 4.23 |
| [25] | CWE-295 | Improper Certificate Validation | 4.06 |
