DEV Community

DaNeil C
DaNeil C

Posted on

CWEs vs OWASP top 10?

In security land there are weakness always being found. Nothing is ever 100% secure.
Because of this it can be difficult to be on the same page when discussing importance of issues to fix/how and there is a need for a common language to communicate and measure security tools for baseline weakness identification, mitigation, and prevention.

There are a few entities that appear when talking about top security issue lists on the web, but the most common are CWE (Common Weakness Enumeration) and OWASP (Open Web Application Security Project) where each company creates their own list of the top vulnerabilities each year-ish. (CWE says it's updates yearly but it's still only listing 2019)

What is a CWE?

The Common Weakness Enumeration (CWE™) is a list/dictionary composed of common software and hardware weaknesses that can be found in architecture, design, code, or implementation that can lead to exploitable security vulnerabilities. (1) It is made by a community of industry leaders who contribute to vulnerability disclosure and standards.

What is covered on the CWE top list?

The CWE list is interesting because it covers software and hardware issues. The list is constructed after determining the frequency and projected severity of each CWE and the list of the top 25 are published yearly.

CWE 2019 top 25 Most Dangerous Software Errors:

Rank ID Name Score
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 75.56
[2] CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 45.69
[3] CWE-20 Improper Input Validation 43.61
[4] CWE-200 Information Exposure 32.12
[5] CWE-125 Out-of-bounds Read 26.53
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 24.54
[7] CWE-416 Use After Free 17.94
[8] CWE-190 Integer Overflow or Wraparound 17.35
[9] CWE-352 Cross-Site Request Forgery (CSRF) 15.54
[10] CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14.10
[11] CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 11.47
[12] CWE-787 Out-of-bounds Write 11.08
[13] CWE-287 Improper Authentication 10.78
[14] CWE-476 NULL Pointer Dereference 9.74
[15] CWE-732 Incorrect Permission Assignment for Critical Resource 6.33
[16] CWE-434 Unrestricted Upload of File with Dangerous Type 5.50
[17] CWE-611 Improper Restriction of XML External Entity Reference 5.48
[18] CWE-94 Improper Control of Generation of Code ('Code Injection') 5.36
[19] CWE-798 Use of Hard-coded Credentials 5.12
[20] CWE-400 Uncontrolled Resource Consumption 5.04
[21] CWE-772 Missing Release of Resource after Effective Lifetime 5.04
[22] CWE-426 Untrusted Search Path 4.40
[23] CWE-502 Deserialization of Untrusted Data 4.30
[24] CWE-269 Improper Privilege Management 4.23
[25] CWE-295 Improper Certificate Validation 4.06

What is OWASP?

The OWASP® Foundation is a nonprofit foundation that works to improve the security of software, though its wide network of members on community-led open source software projects. (3)

What is covered on the OWASP top 10 list?

The OWASP Top 10 is a standard awareness document for developers and web application security and represents a broad consensus about the most critical security risks to web applications.

2020 OWASP TOP 10 Vulnerabilities:

ID Name
A1 Injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 XML External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross Site Scripting (XSS)
A8 Insecure Deserialization
A9 Using Components with Known Vulnerabilities
A10 Insufficient Logging & Monitoring

What is the difference?

The difference is in the details. OWASP top 10 is the main category and the CWE is a break down to each issue.
However, as you can see below, CWEs will have some issues that don't fall into any of the 10 categories of the OWASP top 10 because CWEs cover software issues and not just web application specific.

OWASP Top 10 CWE 25
A1: Injection CWE-78: Improper Neutralization of Special Elements Used in an OS Command (‘OS Command Injection’)
CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CWE-94: Improper Control of Generation of Code ('Code Injection')
CWE-434: Unrestricted Upload of File with Dangerous Type
A2: Broken Authentication CWE-798: Use of Hard-coded Credentials
A3: Sensitive Data Exposure CWE-200: Information Exposure
A4: XML External Entities None
A5: Broken Access Control None
A6: Security Misconfiguration CWE-732: Incorrect Permission Assignment for Critical Resource
A7: Cross-Site Scripting (XSS) CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-Site Scripting')
A8: Insecure Deserialization None
A9: Using Components with Known Vulnerabilities CWE-190: Integer Overflow or Wraparound
A10: Insufficient Logging and Monitoring None
Other CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE-20: Improper Input Validation
CWE-125: Out-of-bounds Read
CWE-416: Use After Free
CWE-352: Cross-Site Request Forgery (CSRF)
CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CWE-787: Out-of-bounds Write
CWE-287: Improper Authentication
CWE-476: NULL Pointer Dereference
CWE-611: Improper Restriction of XML External Entity Reference
CWE-400: Uncontrolled Resource Consumption
CWE-772: Missing Release of Resource after Effective Lifetime
CWE-426: Untrusted Search Path
CWE-502: Deserialization of Untrusted Data
CWE-269: Improper Privilege Management
CWE-295: Improper Certificate Validation

Is one better than the other to use?

Nope. These lists were developed to help developers focus on the bigger issues that could cause more damage to the application they are working on.
If anything, using both lists together is a better idea because the OWASP is more board and the CVE can make an issue more focused within the broad topics of the OWASP top 10 for better mitigation.


References

  1. https://cwe.mitre.org/about/faq.html#what_is_cwe_weakness_meaning
  2. https://owasp.org/www-project-top-ten/
  3. https://owasp.org/
Please Note that I am still learning and if something that I have stated is incorrect please let me know. I would love to learn more about what I may not understand fully.

Oldest comments (0)