In our previous post, we mentioned that the Common Weakness Enumeration (CWE) list can be long and daunting when you’re first getting started. One of our recommendations was to focus on the entries that make up the CWE Top 25 Most Dangerous Software Weaknesses.
What is the CWE Top 25 Most Dangerous Software Weaknesses List?
The CWE Top 25 Most Dangerous Software Weaknesses lists the weaknesses the CWE team judges especially dangerous. Per the CWE team:
[T]hey are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.
To decide whether a weakness type should be included, the CWE team looked at:
- Common Vulnerabilities and Exposures (CVE) data captured in the National Vulnerability Database (NVD). Each CVE record is mapped to the CWE that describes its underlying weakness, so counting records per CWE gives the frequency with which each weakness type occurred.
- The Common Vulnerability Scoring System (CVSS) scores assigned to individual CVEs, which indicate how severe each CVE was.
These prevalence and severity data points were then combined in a formula to produce an overall score that aims to capture how dangerous each weakness is: for each CWE, the number of CVEs mapped to it and the average CVSS score of those CVEs are each scaled to a 0 to 1 range across all CWEs and multiplied together. The weaknesses are then ranked by that score.
Changes in the Top 25 Between 2020 and 2021
As you might expect, the Top 25 is a living list that changes over time. Just as the software industry evolves, so do the threats facing software.
Three weaknesses appear on the 2021 list that were not on the 2020 list:
- CWE-276 (Incorrect Default Permissions) has moved from #41 to #19
- CWE-918 (Server-Side Request Forgery (SSRF)) has moved from #27 to #24
- CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)) has moved from #31 to #25
Other large moves up the list (which, given the methodology, means more CVEs of that type in the NVD, a higher average severity, or both) include:
- CWE-306 (Missing Authentication for Critical Function), which moved from #24 to #11
- CWE-502 (Deserialization of Untrusted Data), which moved from #21 to #13
- CWE-862 (Missing Authorization), which moved from #25 to #18
Not all of the news is bad, however. Some entries moved significantly downward, and the following dropped out of the Top 25:
- CWE-400 (Uncontrolled Resource Consumption) dropped from #23 to #27
- CWE-94 (Improper Control of Generation of Code (‘Code Injection’)) dropped from #17 to #28
- CWE-269 (Improper Privilege Management) dropped from #22 to #29
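The scoring described in the "What is the CWE Top 25" section above, and the year-over-year movement listed in this section, can both be reproduced with a few lines of Python. The block below is an added example and is not code from the original post or from MITRE. It follows the methodology MITRE published for the 2021 list (frequency and average CVSS each min-max normalised across all CWEs, multiplied, and scaled to 0 to 100); the CVE records it scores are constructed for illustration and are not real NVD data, while the 2020/2021 rank figures are the ones quoted in this post.

```python
"""Worked example of how the CWE Top 25 is scored and how year-over-year
movement is read off the resulting ranks.

Added example, not code from the original post or from MITRE. The scoring
follows the methodology MITRE published for the 2021 list: for each CWE,
frequency (number of NVD CVE records mapped to it) and severity (average
CVSS of those records) are min-max normalised across all CWEs, multiplied,
and scaled to 0..100. The CVE records below are constructed for
illustration and are not real NVD data; the 2020/2021 rank figures are the
ones quoted in the post.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    cve_id: str   # constructed placeholder, not a real CVE identifier
    cwe_id: str   # the CWE the record is mapped to
    cvss: float   # CVSS base score


# Constructed sample: only the CWE/CVSS shape matters, the IDs are placeholders.
SAMPLE_CVES = [
    CveRecord("CVE-0000-0001", "CWE-79", 6.1),
    CveRecord("CVE-0000-0002", "CWE-79", 5.4),
    CveRecord("CVE-0000-0003", "CWE-79", 6.1),
    CveRecord("CVE-0000-0004", "CWE-79", 6.8),
    CveRecord("CVE-0000-0005", "CWE-787", 9.8),
    CveRecord("CVE-0000-0006", "CWE-787", 8.8),
    CveRecord("CVE-0000-0007", "CWE-787", 8.4),
    CveRecord("CVE-0000-0008", "CWE-306", 9.8),
    CveRecord("CVE-0000-0009", "CWE-306", 9.8),
    CveRecord("CVE-0000-0010", "CWE-400", 7.5),
    CveRecord("CVE-0000-0011", "CWE-400", 7.5),
    CveRecord("CVE-0000-0012", "CWE-200", 5.3),
]


def _normalise(value, lo, hi):
    """Min-max scale to 0..1; if every CWE shares the same value, return 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records):
    """Return {cwe_id: score} using Fr * Sv * 100, as in the published formula."""
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for rec in records:
        counts[rec.cwe_id] += 1
        cvss_sum[rec.cwe_id] += rec.cvss
    avg_cvss = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}

    min_fr, max_fr = min(counts.values()), max(counts.values())
    min_sv, max_sv = min(avg_cvss.values()), max(avg_cvss.values())

    return {
        cwe: round(
            _normalise(counts[cwe], min_fr, max_fr)
            * _normalise(avg_cvss[cwe], min_sv, max_sv)
            * 100,
            2,
        )
        for cwe in counts
    }


def rank_cwes(scores):
    """Return {cwe_id: rank}, rank 1 = highest score; ties broken by CWE id."""
    ordered = sorted(scores, key=lambda cwe: (-scores[cwe], cwe))
    return {cwe: position for position, cwe in enumerate(ordered, start=1)}


def top_n_changes(prev_ranks, curr_ranks, n=25):
    """Return (entered, dropped): CWEs that crossed the top-n boundary between two lists.

    A CWE missing from one list is treated as ranked below n on that list.
    """
    entered = sorted(c for c, r in curr_ranks.items()
                     if r <= n and prev_ranks.get(c, n + 1) > n)
    dropped = sorted(c for c, r in prev_ranks.items()
                     if r <= n and curr_ranks.get(c, n + 1) > n)
    return entered, dropped


# Rank figures quoted in the post for the entries it discusses (partial lists).
RANKS_2020 = {"CWE-276": 41, "CWE-918": 27, "CWE-77": 31, "CWE-306": 24, "CWE-502": 21,
              "CWE-862": 25, "CWE-400": 23, "CWE-94": 17, "CWE-269": 22}
RANKS_2021 = {"CWE-276": 19, "CWE-918": 24, "CWE-77": 25, "CWE-306": 11, "CWE-502": 13,
              "CWE-862": 18, "CWE-400": 27, "CWE-94": 28, "CWE-269": 29}


if __name__ == "__main__":
    scores = score_cwes(SAMPLE_CVES)
    for cwe, rank in rank_cwes(scores).items():
        print(f"#{rank} {cwe}: {scores[cwe]}")
    entered, dropped = top_n_changes(RANKS_2020, RANKS_2021)
    print("entered the Top 25:", entered)
    print("dropped out:", dropped)
```

On the constructed sample, CWE-787 ranks first, CWE-306 second, and CWE-79 only third even though it is the most frequent weakness, because its average CVSS is low. CWE-200, which is both the rarest and the least severe in the sample, scores exactly 0. That is a property of min-max normalisation: the weakness with the lowest frequency, or the lowest average severity, always scores 0 regardless of how bad it is in absolute terms, which is worth keeping in mind when reading the real list.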
Considerations to Keep in Mind
The CWE Top 25 is helpful in that it captures weaknesses that are both common and impactful. However, the list has inherent biases.
For example, over the past year the CWE team has changed its mapping practices so that each CVE record points to the CWE that best describes its underlying weakness. The effect of this remapping on list movement will fade out in a few years; in the meantime it is a significant contributing factor, so a jump in rank can partly reflect a change in how CVEs are categorised rather than a change in the real world.
Furthermore, the CWE team relies on what is reported. Vendors that report many CVEs weigh heavily in the data, while those that never report are invisible to it, and both distort the picture. There are also weaknesses that exist but go undiscovered or unreported; those may be hazardous, but without CVE data behind them they cannot appear on the Top 25.
Nevertheless, the CWE Top 25 is a helpful resource for anyone looking to tackle some of the most commonly occurring weaknesses.