DEV Community

Unicorn Developer
Unicorn Developer

Posted on • Originally published at pvs-studio.com

CWE Top 25 2022. Review of changes

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes happened over the past year.

Image description

We position the PVS-Studio analyzer not only as a tool for searching bugs in code but also as a tool for static application security testing (SAST) tool. For a better understanding of trends and planning of diagnostic rules, there is nothing better than to look at the latest list of the most relevant security issues. There are several such lists, for example, OWASP Top 10, SANS Top 25, and the above-mentioned CWE Top 25.

By the way, last year we already wrote about changes in the CWE Top 25 2021 — you can find the article here.

A bit of theory

To better understand the context, let's brush up on some topics. To do this, let's skim through the following points:

  • how does CVE differ from CWE;
  • why do we need CVSS;
  • what are NVD and KEV;
  • how the CWE Top 25 2022 is ranked.

If you feel CWE savvy, you can safely skip this section. Otherwise, I strongly recommend that you refresh those points before you read the article. Below is a rather free interpretation of some questions from CWE FAQ and CVE FAQ:

How does a software weakness differ from a software vulnerability?

Weaknesses are defects, failures and other issues of implementation, design or architecture of the software that may lead to vulnerabilities.

Vulnerabilities are errors that have already been found by someone. Attackers may exploit these vulnerabilities to get access to a system or a network, to disrupt services, etc.

What is CWE and how is it different from CVE? How does CVSS figure here and where did KEV come from?

  • CWE (Common Weakness Enumeration) is a general list of security defects.
  • CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities found in various software.
  • CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.
  • KEV (Known Exploited Vulnerabilities) is a catalog of known exploited vulnerabilities.

Why do I need to know about CWE?

Today, developers use CWE as the main tool when discussing the elimination and/or minimizing security defects in the architecture, design, code, and software implementation. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing, and minimizing negative consequences.

Image description

What is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource that can help you get an idea of the currently most common and dangerous security defects.

What is an algorithm to compile and rank the CWE Top 25 list?

The main sources for this year's list were:

  • data from U.D National Vulnerability Database (NVD) for 2020–2021;
  • the Known Exploited Vulnerabilities (KEV) catalog that was compiled in November 2021 by Cybersecurity and Infrastructure Security Agency (CISA).

The CWE team researches handled the obtained data according to the View-1003 method to reduce the specificity of records. For example, CWE-122 (Heap-Based Buffer Overflow) is converted to basic CWE-787 (Out-of-Bounds Write). The CWE team also filtered the data and removed from the Top 25 list the following items:

  • CVEs if they do not have a CVSS score;
  • CVEs whose description is labeled "REJECT";
  • CVEs without a mapping to any CWE;
  • CVEs that are labeled with "CWE-Other" or "NVD-CWE-noinfo".

Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the potential danger of exploit and the frequency, with which a defect (CWE) is the main cause of a vulnerability. The team made the formula that way, so it normalizes the frequency and predicted severity relative to their minimum and maximum values. To obtain the frequency of mentions, the formula calculates how many times CVE referred to CWE within the NVD.

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Another important component of the scoring formula is a defect's severity. The following formula calculates it:

Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))

At the end, the final score is calculated by multiplying the frequency of mention by the severity score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

In general, the methodology of data analysis has not changed much this year. But next year, the CWE team is planning more significant changes. Here are some of them:

  • support generation of more specialized lists, such as Top 25 for mobile applications, etc.;
  • consider changing the metrics used to generate the list to minimize some of the bias (here are more details);
  • enhance the View-1003 methodology;
  • perform normalization using different views besides View-1003.
  • if possible, perform more CVE -> CWE mappings to reduce the number of one-off edits to the mapping data.

You can find more information about the methodology of data preparation and analysis in the supplemental details pertaining to the CWE Top 25 list.

How big is the sampling this year?

The dataset contained a total of 37,899 CVEs from the previous two calendar years.

Is the Top 25 updated every year?

Yes, it is updated annually. For information about previous versions, visit CWE Top 25 archive.

Who participates in the development of CWE Top 25?

The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in elimination of software defects. You can get a list of CWE Team members on the "CWE Community Members" page.

Read more about classification on the cwe.mitre.org website.

The situation today

Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. You can always check the most up-to-date table with CWE Top 25 coverage on our website.

# CWE ID Name Score KEV PVS-Studio diagnostics
1 CWE-787 Out-of-bounds Write 64.20 62 C++: V512, V557, V582, V645
C#: V3106
Java: V6025
2 CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') 45.97 2 C#: V5610
3 CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') 22,11 7 C#: V5608
4 CWE-20 Improper Input Validation 20,63 20 C++: V739, V781, V1010, V1024, V5009
5 CWE-125 Out-of-bounds Read 17,67 1 C++: V512, V557, V582
C#: V3106
Java: V6025
6 CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') 17.53 32 C++: V1010, V5009
C#: V5616
7 CWE-416 Use After Free 15.50 28 C++: V623, V723, V758, V774, V1017
8 CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') 14.08 19 C#: V5609
9 CWE-352 Cross-Site Request Forgery (CSRF) 11.53 1 Coming in the future
10 CWE-434 Unrestricted Upload of File with Dangerous Type 9,56 6 Coming in the future
11 CWE-476 NULL Pointer Dereference 7,15 0 C++: V522, V595, V664, V713, V1004
C#: V3027, V3042, V3080, V3095, V3100, V3125, V3145, V3146, V3148, V3149, V3152, V3153, V3168
Java: V6008, V6060, V6093
12 CWE-502 Deserialization of Untrusted Data 6.68 7 C#: V5611
13 CWE-190 Integer Overflow or Wraparound 6,53 2 C++: V629, V658, V673, V683, V1026, V1028, V1083, V1085, V5004, V5005, V5006, V5007, V5010, V5011
C#: V3113
Java: V6105
14 CWE-287 Improper Authentication 6.35 4 Coming in the future
15 CWE-798 Use of Hard-coded Credentials 5.66 0 C++: V5013
C#: V5601
Java: V5305
16 CWE-862 Missing Authorization 5,53 1 Coming in the future
17 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 5.42 5 C#: V5616
18 CWE-306 Missing Authentication for Critical Function 5.15 6 Coming in the future
19 CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 8.85 6 C++: V512, V557, V582, V769, V783, V1004
20 CWE-276 Incorrect Default Permissions 4.84 0 Coming in the future
21 CWE-918 Server-Side Request Forgery (SSRF) 4.27 8 C#: V5618
22 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 3.57 6 Coming in the future
23 CWE-400 Uncontrolled Resource Consumption 3.56 2 Coming in the future
24 CWE-611 Improper Restriction of XML External Entity Reference 3.38 0 C#: V5614
25 CWE-94 Improper Control of Generation of Code ('Code Injection') 3.32 4 C++: V1076

The table shows that the PVS-Studio static analyzer now covers 68% (17 out of 25) the CWE Top 25 2022 list. Last year, the coverage was 52%. Significant improvement in coverage over the year is a credit to the large number of SAST-oriented diagnostic rules that were released by PVS-Studio over the past year.

Changes in the CWE Top 25 over the past year

The biggest upshifts:

# CWE ID Name Position in 2021 Position in 2022 Annual change
1 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 33 22 11▲
2 CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection') 25 17 8▲
3 CWE-400 Uncontrolled Resource Consumption 27 23 4▲
4 CWE-476 NULL Pointer Dereference 15 11 4▲
5 CWE-94 Improper Control of Generation of Code ('Code Injection') 28 25 3▲

The biggest downshifts:

# CWE ID Name Position in 2021 Position in 2022 Annual change
1 CWE-522 Insufficiently Protected Credentials 21 38 17▼
2 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 20 33 13▼
3 CWE-732 Incorrect Permission Assignment for Critical Resource 22 30 8▼
4 CWE-306 Missing Authentication for Critical Function 11 18 7▼

"Newbies" in the Top 25:

# CWE ID Name Position in 2021 Position in 2022 Annual change
1 CWE-362 Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') 33 22 11▲
2 CWE-400 Uncontrolled Resource Consumption 27 23 4▲
3 CWE-94 Improper Control of Generation of Code ('Code Injection') 28 25 3▲

And in the end — the defects that were dropped out of the CWE Top 25 in 2022:

# CWE ID Name Position in 2021 Position in 2022 Annual change
1 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 20 33 13▼
2 CWE-522 Insufficiently Protected Credentials 21 23 2▼
3 CWE-732 Incorrect Permission Assignment for Critical Resource 22 30 8▼

Key points:

  • the top ten places remain fairly stable;
  • CWE-787 (Out-of-bounds Write) still holds the lead;
  • CWE-502 (Deserialization of Untrusted Data) and CWE-862 (Missing Authorization) are steadily rising to the top year by year;
  • this year, CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) broke into the top, immediately rising by 11 places compared to last year;
  • CWE-306 (Missing Authentication for Critical Function) that appeared in 2020 and skyrocketed last year, dropped this year;
  • the largest downward movement was marked by CWE-522 (Insufficiently Protected Credentials), which fell down by 17 points at once.

Below the top

As a bonus, let's see what defects did not make it into the 2022 CWE Top 25 and may well enter the top next year:

# CWE ID Name Score KEV Annual change
26 CWE-295 Improper Certificate Validation 3.12 2 -
27 CWE-427 Uncontrolled Search Path Element 3.12 0 7▲
28 CWE-863 Incorrect Authorization 3.10 0 10▲
29 CWE-269 Improper Privilege Management 3.06 3 -
30 CWE-732 Incorrect Permission Assignment for Critical Resource 2.93 1 8▼
31 CWE-843 Access of Resource Using Incompatible Type ('Type Confusion') 2.87 10 5▲
32 CWE-668 Exposure of Resource to Wrong Sphere 2.68 0 21▲
33 CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 2.49 2 13▼
34 CWE-1321 Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') 2.48 0 new
35 CWE-601 URL Redirection to Untrusted Site ('Open Redirect') 2.41 0 2▲
36 CWE-401 Missing Release of Memory after Effective Lifetime 2.39 0 4▼
37 CWE-59 Improper Link Resolution Before File Access ('Link Following') 2.38 4 6▼
38 CWE-522 Insufficiently Protected Credentials 2.25 0 17▼
39 CWE-319 Cleartext Transmission of Sensitive Information 2.15 0 4▼
40 CWE-312 Cleartext Storage of Sensitive Information 2.01 0 1▲

Although these defects did not make it to the top, they are still important because under favorable circumstances they may turn into vulnerabilities.

Conclusion

I hope you enjoyed this article and understood the current terminology.

Fortunately, static analyzers help us fight potential vulnerabilities. Therefore, I invite you to download and test the PVS-Studio static analyzer on your project. Maybe a couple of CWEs crept into your code and are about to become CVE :)

Additional links

  1. PVS-Studio: static code analysis technology.
  2. Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities.
  3. Potential vulnerability.
  4. Zero-day vulnerability.
  5. OWASP, vulnerabilities, and taint analysis in PVS-Studio for C#. Stir, but don't shake.
  6. What is the difference between DevOps and DevSecOps?

Top comments (0)