In security, new weaknesses are always being found. Nothing is ever 100% secure.
Because of this it can be difficult to get on the same page when discussing which issues matter most and how to fix them, so there is a need for a common language to describe weaknesses and to measure security tools against a baseline for weakness identification, mitigation, and prevention.
A few names come up whenever top security issue lists are discussed on the web, but the most common are CWE (Common Weakness Enumeration) and OWASP (Open Web Application Security Project), each of which publishes its own list of the top vulnerabilities roughly once a year. (CWE says it updates yearly, but the current list is still the 2019 one.)
The Common Weakness Enumeration (CWE™) is a list, or dictionary, of common software and hardware weaknesses found in architecture, design, code, or implementation that can lead to exploitable security vulnerabilities. (1) It is maintained by a community of industry contributors involved in vulnerability disclosure and standards.
The CWE list is interesting because it covers both software and hardware issues. Each CWE is scored by its observed frequency and projected severity, and the top 25 are published yearly.
| CWE ID | Weakness | Score |
|---|---|---|
| CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69 |
| CWE-20 | Improper Input Validation | 43.61 |
| CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54 |
| CWE-416 | Use After Free | 17.94 |
| CWE-190 | Integer Overflow or Wraparound | 17.35 |
| CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10 |
| CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47 |
| CWE-476 | NULL Pointer Dereference | 9.74 |
| CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
| CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
| CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
| CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36 |
| CWE-798 | Use of Hard-coded Credentials | 5.12 |
| CWE-400 | Uncontrolled Resource Consumption | 5.04 |
| CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
| CWE-426 | Untrusted Search Path | 4.40 |
| CWE-502 | Deserialization of Untrusted Data | 4.30 |
| CWE-269 | Improper Privilege Management | 4.23 |
| CWE-295 | Improper Certificate Validation | 4.06 |
The OWASP® Foundation is a nonprofit foundation that works to improve the security of software through its wide network of members and community-led open source software projects. (3)
The OWASP Top 10 is a standard awareness document for developers and web application security teams, representing a broad consensus about the most critical security risks to web applications.
| ID | Risk |
|---|---|
| A3 | Sensitive Data Exposure |
| A4 | XML External Entities (XXE) |
| A5 | Broken Access Control |
| A7 | Cross Site Scripting (XSS) |
| A9 | Using Components with Known Vulnerabilities |
| A10 | Insufficient Logging & Monitoring |
The difference is in the details. The OWASP Top 10 gives the broad categories, and the CWE list breaks them down into individual issues.
However, as you can see below, some CWEs don't fall into any of the ten OWASP categories, because CWEs cover software (and hardware) issues in general, not just web-application-specific ones.
| OWASP Top 10 | CWE Top 25 |
|---|---|
| A1: Injection | CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')<br>CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')<br>CWE-94: Improper Control of Generation of Code ('Code Injection')<br>CWE-434: Unrestricted Upload of File with Dangerous Type |
| A2: Broken Authentication | CWE-798: Use of Hard-coded Credentials |
| A3: Sensitive Data Exposure | CWE-200: Information Exposure |
| A4: XML External Entities | None |
| A5: Broken Access Control | None |
| A6: Security Misconfiguration | CWE-732: Incorrect Permission Assignment for Critical Resource |
| A7: Cross-Site Scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting') |
| A8: Insecure Deserialization | None |
| A9: Using Components with Known Vulnerabilities | CWE-190: Integer Overflow or Wraparound |
| A10: Insufficient Logging and Monitoring | None |
| No OWASP category | CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer<br>CWE-20: Improper Input Validation<br>CWE-125: Out-of-bounds Read<br>CWE-416: Use After Free<br>CWE-352: Cross-Site Request Forgery (CSRF)<br>CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')<br>CWE-787: Out-of-bounds Write<br>CWE-287: Improper Authentication<br>CWE-476: NULL Pointer Dereference<br>CWE-611: Improper Restriction of XML External Entity Reference<br>CWE-400: Uncontrolled Resource Consumption<br>CWE-772: Missing Release of Resource after Effective Lifetime<br>CWE-426: Untrusted Search Path<br>CWE-502: Deserialization of Untrusted Data<br>CWE-269: Improper Privilege Management<br>CWE-295: Improper Certificate Validation |
Nope. These lists were developed to help developers focus on the bigger issues, the ones that could do the most damage to the application they are working on.
If anything, using both lists together is the better idea: the OWASP Top 10 is broader, and the CWE list can narrow an issue down within one of those broad topics so it can be mitigated more precisely.
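One way to put both lists to work together, as the post suggests: tag each scanner finding with its OWASP Top 10 category (the broad bucket) and use the CWE Top 25 score to order the work inside and across those buckets. This is an added example, not code from the post, from OWASP or from MITRE. It uses the mapping table and the scores reproduced above; that mapping is the post's own, not an official crosswalk. The "A1: Injection" label for the first mapping row, the sample findings and the CWE-0000 placeholder are constructed for the example.

```python
"""Triage scanner findings using the OWASP Top 10 (2017) categories and the
CWE Top 25 (2019) scores from the tables above.  Added example, not code from
the post or from OWASP/MITRE; the mapping follows the post's own table, which is
not an official crosswalk.  Findings and the CWE-0000 placeholder are constructed."""
from collections import defaultdict

# CWE Top 25 (2019) scores, exactly as listed in the table above
# (the page reproduces 21 of the 25 entries).
CWE_SCORE = {
    "CWE-119": 75.56, "CWE-79": 45.69, "CWE-20": 43.61, "CWE-89": 24.54,
    "CWE-416": 17.94, "CWE-190": 17.35, "CWE-352": 15.54, "CWE-22": 14.10,
    "CWE-78": 11.47, "CWE-476": 9.74, "CWE-732": 6.33, "CWE-434": 5.50,
    "CWE-611": 5.48, "CWE-94": 5.36, "CWE-798": 5.12, "CWE-400": 5.04,
    "CWE-772": 5.04, "CWE-426": 4.40, "CWE-502": 4.30, "CWE-269": 4.23,
    "CWE-295": 4.06,
}

# OWASP Top 10 (2017) category -> CWEs, following the mapping table above.
# "A1: Injection" is assumed for the first row (the label is absent on the page).
OWASP_TO_CWE = {
    "A1: Injection": ["CWE-78", "CWE-89", "CWE-94", "CWE-434"],
    "A2: Broken Authentication": ["CWE-798"],
    "A3: Sensitive Data Exposure": ["CWE-200"],
    "A6: Security Misconfiguration": ["CWE-732"],
    "A7: Cross-Site Scripting (XSS)": ["CWE-79"],
    "A9: Using Components with Known Vulnerabilities": ["CWE-190"],
}
# Reverse index: CWE -> OWASP category (each CWE maps to one category here).
CWE_TO_OWASP = {cwe: cat for cat, cwes in OWASP_TO_CWE.items() for cwe in cwes}
NO_CATEGORY = "No OWASP category"


def triage(findings):
    """Order findings for remediation.

    Each finding is tagged with its OWASP category (the broad bucket) and its
    CWE score (the specific weight).  Highest score first; CWEs that are in the
    mapping but carry no score on the page come next; CWEs on neither list last.
    """
    rows = []
    for finding in findings:
        cwe = finding["cwe"]
        rows.append({
            "id": finding["id"],
            "cwe": cwe,
            "owasp": CWE_TO_OWASP.get(cwe, NO_CATEGORY),
            "score": CWE_SCORE.get(cwe),  # None when outside the Top 25 table
        })
    rows.sort(key=lambda r: (
        r["score"] is None,              # scored entries first
        -(r["score"] or 0.0),            # then by score, descending
        r["owasp"] == NO_CATEGORY,       # unscored-but-categorised before unknown
        r["cwe"],                        # deterministic tiebreak
    ))
    return rows


def by_category(findings):
    """Group the triaged findings by OWASP category, preserving triage order."""
    grouped = defaultdict(list)
    for row in triage(findings):
        grouped[row["owasp"]].append(row)
    return dict(grouped)


def uncategorized_top25():
    """Scored CWEs that the mapping table assigns to no OWASP category:
    the 'software in general, not just web' part of the CWE list."""
    return sorted(set(CWE_SCORE) - set(CWE_TO_OWASP))


def unscored_in_mapping():
    """CWEs the mapping table names that have no score in the Top 25 table
    (a gap to resolve before trusting score-based ordering)."""
    return sorted(set(CWE_TO_OWASP) - set(CWE_SCORE))


# Constructed sample scanner output; CWE-0000 is a placeholder for a CWE that
# appears on neither list.
SAMPLE_FINDINGS = [
    {"id": "F-1", "cwe": "CWE-798"},   # hard-coded credentials
    {"id": "F-2", "cwe": "CWE-89"},    # SQL injection
    {"id": "F-3", "cwe": "CWE-119"},   # memory-buffer bounds, no OWASP bucket
    {"id": "F-4", "cwe": "CWE-200"},   # mapped to A3 but unscored on the page
    {"id": "F-5", "cwe": "CWE-0000"},  # placeholder: on neither list
]

if __name__ == "__main__":
    for category, rows in by_category(SAMPLE_FINDINGS).items():
        print(category)
        for row in rows:
            print(f"  {row['id']:5} {row['cwe']:9} score={row['score']}")
    print("Top 25 CWEs with no OWASP category:", uncategorized_top25())
    print("Mapped CWEs without a score:", unscored_in_mapping())
```

The two gap reports are the useful part in practice: `uncategorized_top25()` shows how much of the CWE list a purely OWASP-driven review would never look at, and `unscored_in_mapping()` catches categories whose CWEs cannot be ranked from the score table alone, so they need a manual severity before the ordering is trusted.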