In security land there are weakness always being found. Nothing is ever 100% secure.
Because of this it can be difficult to be on the same page when discussing importance of issues to fix/how and there is a need for a common language to communicate and measure security tools for baseline weakness identification, mitigation, and prevention.
There are a few entities that appear when talking about top security issue lists on the web, but the most common are CWE (Common Weakness Enumeration) and OWASP (Open Web Application Security Project) where each company creates their own list of the top vulnerabilities each year-ish. (CWE says it's updates yearly but it's still only listing 2019)
What is a CWE?
The Common Weakness Enumeration (CWE™) is a list/dictionary composed of common software and hardware weaknesses that can be found in architecture, design, code, or implementation that can lead to exploitable security vulnerabilities. (1) It is made by a community of industry leaders who contribute to vulnerability disclosure and standards.
What is covered on the CWE top list?
The CWE list is interesting because it covers software and hardware issues. The list is constructed after determining the frequency and projected severity of each CWE and the list of the top 25 are published yearly.
CWE 2019 top 25 Most Dangerous Software Errors:
| Rank | ID | Name | Score |
|---|---|---|---|
| [1] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| [2] | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69 |
| [3] | CWE-20 | Improper Input Validation | 43.61 |
| [4] | CWE-200 | Information Exposure | 32.12 |
| [5] | CWE-125 | Out-of-bounds Read | 26.53 |
| [6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54 |
| [7] | CWE-416 | Use After Free | 17.94 |
| [8] | CWE-190 | Integer Overflow or Wraparound | 17.35 |
| [9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| [10] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10 |
| [11] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47 |
| [12] | CWE-787 | Out-of-bounds Write | 11.08 |
| [13] | CWE-287 | Improper Authentication | 10.78 |
| [14] | CWE-476 | NULL Pointer Dereference | 9.74 |
| [15] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
| [16] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
| [17] | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
| [18] | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36 |
| [19] | CWE-798 | Use of Hard-coded Credentials | 5.12 |
| [20] | CWE-400 | Uncontrolled Resource Consumption | 5.04 |
| [21] | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
| [22] | CWE-426 | Untrusted Search Path | 4.40 |
| [23] | CWE-502 | Deserialization of Untrusted Data | 4.30 |
| [24] | CWE-269 | Improper Privilege Management | 4.23 |
| [25] | CWE-295 | Improper Certificate Validation | 4.06 |
What is OWASP?
The OWASP® Foundation is a nonprofit foundation that works to improve the security of software, though its wide network of members on community-led open source software projects. (3)
What is covered on the OWASP top 10 list?
The OWASP Top 10 is a standard awareness document for developers and web application security and represents a broad consensus about the most critical security risks to web applications.
2020 OWASP TOP 10 Vulnerabilities:
| ID | Name |
|---|---|
| A1 | Injection |
| A2 | Broken Authentication |
| A3 | Sensitive Data Exposure |
| A4 | XML External Entities (XXE) |
| A5 | Broken Access Control |
| A6 | Security Misconfiguration |
| A7 | Cross Site Scripting (XSS) |
| A8 | Insecure Deserialization |
| A9 | Using Components with Known Vulnerabilities |
| A10 | Insufficient Logging & Monitoring |
What is the difference?
The difference is in the details. OWASP top 10 is the main category and the CWE is a break down to each issue.
However, as you can see below, CWEs will have some issues that don't fall into any of the 10 categories of the OWASP top 10 because CWEs cover software issues and not just web application specific.
| OWASP Top 10 | CWE 25 |
|---|---|
| A1: Injection |
CWE-78: Improper Neutralization of Special Elements Used in an OS Command (‘OS Command Injection’) CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') CWE-94: Improper Control of Generation of Code ('Code Injection') CWE-434: Unrestricted Upload of File with Dangerous Type |
| A2: Broken Authentication | CWE-798: Use of Hard-coded Credentials |
| A3: Sensitive Data Exposure | CWE-200: Information Exposure |
| A4: XML External Entities | None |
| A5: Broken Access Control | None |
| A6: Security Misconfiguration |
CWE-732: Incorrect Permission Assignment for Critical Resource |
| A7: Cross-Site Scripting (XSS) | CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting') |
| A8: Insecure Deserialization | None |
| A9: Using Components with Known Vulnerabilities | CWE-190: Integer Overflow or Wraparound |
| A10: Insufficient Logging and Monitoring | None |
| Other |
CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-20: Improper Input Validation CWE-125: Out-of-bounds Read CWE-416: Use After Free CWE-352: Cross-Site Request Forgery (CSRF) CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') CWE-787: Out-of-bounds Write CWE-287: Improper Authentication CWE-476: NULL Pointer Dereference CWE-611: Improper Restriction of XML External Entity Reference CWE-400: Uncontrolled Resource Consumption CWE-772: Missing Release of Resource after Effective Lifetime CWE-426: Untrusted Search Path CWE-502: Deserialization of Untrusted Data CWE-269: Improper Privilege Management CWE-295: Improper Certificate Validation |
Is one better than the other to use?
Nope. These lists were developed to help developers focus on the bigger issues that could cause more damage to the application they are working on.
If anything, using both lists together is a better idea because the OWASP is more board and the CVE can make an issue more focused within the broad topics of the OWASP top 10 for better mitigation.
References
- https://cwe.mitre.org/about/faq.html#what_is_cwe_weakness_meaning
- https://owasp.org/www-project-top-ten/
- https://owasp.org/
Latest comments (0)