On Tuesday, the Common Weakness Enumeration (CWE) team from MITRE, a non-profit focused on information security for government, industry and academia, published its list of the CWE Top 25 Most Dangerous Software Errors.
These CWEs represent the most common critical weaknesses in software: bugs, design flaws, or other errors in how software is implemented. They include things like buffer overflows, path traversal, use of insufficiently random or predictable values, code evaluation and injection, missing validation of input data, and so on.
CWEs differ from CVEs in that they are precursors to vulnerabilities. "A weakness can become an exploitable vulnerability under the right operational conditions," explained Chris Levendis, a project manager at MITRE, in a phone interview with The Register.
Drew Buttner, who heads a software assurance group at MITRE focused on secure code review, said this is the first time the list has been updated since 2011.
Here are the top 10 (as reproduced here, the list is missing the entries at ranks 4 and 5):

| Rank | CWE ID | Name | Score |
|------|--------|------|-------|
| 1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69 |
| 3 | CWE-20 | Improper Input Validation | 43.61 |
| 6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54 |
| 7 | CWE-416 | Use After Free | 17.94 |
| 8 | CWE-190 | Integer Overflow or Wraparound | 17.35 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
| 10 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10 |
The score combines two things: how often a CWE is recorded as the root cause of a vulnerability (its frequency in the vulnerability data), and how severe exploitation of those vulnerabilities is expected to be (their CVSS scores). A weakness therefore ranks high when it is both common and serious, not merely one or the other.
About a third of the list is new, Buttner said, and the remaining two-thirds can be found on the 2011 list. Survivors from the past include Unrestricted Upload of File with Dangerous Type (CWE-434), SQL Injection (CWE-89), and OS Command Injection (CWE-78). "Those continue to be prevalent and dangerous weaknesses," he said.
SQL Injection, CWE-89, has become less prevalent, however, dropping from first place in 2011 to sixth place today. Likewise, another holdout, Use of Hard-coded Credentials, CWE-798, fell from rank 7 in 2011 to rank 19 today.
Buttner also noted that some old problems had disappeared as a result of developer diligence. CWE-134, Uncontrolled Format String, he said, appeared on the 2011 list but isn't on the current one.
Among current weaknesses, Improper Input Validation, CWE-20, ranked number three, didn't make the list in 2011. Neither did Information Exposure, CWE-200, which presently ranks fourth.
But the 2011 list isn't directly comparable to the 2019 list, because the methodology used to compile them has changed. Previous lists, said Buttner, were compiled from subjective surveys and discussions with industry experts. Now, MITRE's CWE group scores weaknesses from data queried from the National Vulnerability Database (NVD): the CWE each CVE is mapped to, and that CVE's Common Vulnerability Scoring System (CVSS) score.
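To make the data-driven scoring concrete, here is an added example (it is not MITRE's code and does not come from the article) that applies the 2019 Top 25 formula to a small constructed data set. The formula follows MITRE's published description for the 2019 list: a CWE's frequency as the root cause of CVEs, times the mean CVSS severity of those CVEs, each min-max normalised across all CWEs in the data and multiplied by 100. The exact normalisation details are reproduced from that description and should be checked against it; the CVE identifiers, CWE mappings and CVSS values below are invented for illustration.

```python
"""Added example: the 2019 CWE Top 25 scoring formula on a constructed data set.

This is not MITRE's code. It follows the scoring MITRE described for the
2019 list (treat the exact normalisation details as an assumption):

    Fr(X)    = CVEs mapped to CWE X / CVEs mapped to any CWE
    Sv(X)    = mean CVSS base score of the CVEs mapped to CWE X
    Score(X) = Fr_norm(X) * Sv_norm(X) * 100

where *_norm is min-max normalisation over every CWE in the data set.
"""
from collections import defaultdict

# Constructed NVD-style records: (CVE id, CWE the CVE is mapped to, CVSS base
# score). The identifiers and numbers are invented for this example.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8),
    ("CVE-0000-0002", "CWE-119", 9.8),
    ("CVE-0000-0003", "CWE-119", 7.5),
    ("CVE-0000-0004", "CWE-119", 8.8),
    ("CVE-0000-0005", "CWE-119", 7.5),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-79", 5.4),
    ("CVE-0000-0009", "CWE-79", 6.1),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 8.8),
    ("CVE-0000-0012", "CWE-798", 9.8),
]


def frequency(cves):
    """Fr(X): share of all mapped CVEs whose root cause is CWE X."""
    counts = defaultdict(int)
    for _cve, cwe, _cvss in cves:
        counts[cwe] += 1
    total = len(cves)
    return {cwe: n / total for cwe, n in counts.items()}


def severity(cves):
    """Sv(X): mean CVSS base score of the CVEs mapped to CWE X."""
    scores = defaultdict(list)
    for _cve, cwe, cvss in cves:
        scores[cwe].append(cvss)
    return {cwe: sum(v) / len(v) for cwe, v in scores.items()}


def min_max(values):
    """Rescale a {cwe: value} map to [0, 1]; a flat map rescales to all 1.0."""
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 1.0 for k in values}
    return {k: (v - lo) / (hi - lo) for k, v in values.items()}


def top25_scores(cves):
    """Score every CWE in the data set, rounded to the two decimals the list uses."""
    fr_norm = min_max(frequency(cves))
    sv_norm = min_max(severity(cves))
    return {cwe: round(fr_norm[cwe] * sv_norm[cwe] * 100, 2) for cwe in fr_norm}


def ranked(cves):
    """[(cwe, score), ...] in descending score order, i.e. the published list's order."""
    return sorted(top25_scores(cves).items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(ranked(SAMPLE_CVES), start=1):
        print(f"{rank:>2}  {cwe:<8} {score:>6.2f}")
```

On this data CWE-119 scores 71.10 and CWE-89 scores 21.77, while both CWE-79 and CWE-798 score 0.00: XSS because its mean CVSS is the lowest in the set, hard-coded credentials because it is the rarest. That is a property of min-max normalisation rather than of the weaknesses: a CWE sitting at the bottom of either axis scores zero however high it sits on the other, which is worth remembering when reading a "drop" between two lists scored this way.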
The current list has also been shaped by improvements in bug hunting tools. "Advances in static analysis have really helped developer teams identify and find these types of mistakes," said Buttner.
MITRE's newfound data-driven approach hasn't diminished the organization's interest in engagement with tech types.
"The more we can talk to the community, the more we can learn from each other and the more we can make the list more robust," said Buttner. ®