There are always security weaknesses in software, no matter how sound the software may appear to be.
You can fix one weakness, and suddenly you realize there are five more.
To make these weaknesses easier for security professionals to identify, the Cybersecurity and Infrastructure Security Agency (CISA) has released the Common Weakness Enumeration (CWE) top 25 most dangerous software weaknesses list.
Top 25 software weaknesses
The data used to compile the list of the most dangerous software weaknesses comes from NIST's National Vulnerability Database (NVD), which tracks reported security vulnerabilities, weaknesses, and risks.
Here is how the list is described and why it can be of use:
"The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.
The CWE Top 25 is a valuable community resource that can help developers, testers, and users—as well as project managers, security researchers, and educators—provide insight into the most severe and current security weaknesses."
And here is the list, in ranked order (the rank numbers are the ones referenced in the movement analysis below):
1. Out-of-bounds Write
2. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
3. Out-of-bounds Read
4. Improper Input Validation
5. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
6. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
7. Use After Free
8. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
9. Cross-Site Request Forgery (CSRF)
10. Unrestricted Upload of File with Dangerous Type
11. Missing Authentication for Critical Function
12. Integer Overflow or Wraparound
13. Deserialization of Untrusted Data
14. Improper Authentication
15. NULL Pointer Dereference
16. Use of Hard-coded Credentials
17. Improper Restriction of Operations within the Bounds of a Memory Buffer
18. Missing Authorization
19. Incorrect Default Permissions
20. Exposure of Sensitive Information to an Unauthorized Actor
21. Insufficiently Protected Credentials
22. Incorrect Permission Assignment for Critical Resource
23. Improper Restriction of XML External Entity Reference
24. Server-Side Request Forgery (SSRF)
25. Improper Neutralization of Special Elements used in a Command ('Command Injection')
CISA also offers an interesting analysis of the change from last year's list to this year's:
"The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses. A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged.
While a few class-level weaknesses still exist in the list, they have declined noticeably in the ranking, as influenced by prioritization in the remapping task. This movement is expected to continue in future years as the community improves its mappings to more precise weaknesses."
It also lists the weaknesses that moved up the ranking the most compared with 2020:
- CWE-276 (Incorrect Default Permissions): from #41 to #19
- CWE-306 (Missing Authentication for Critical Function): from #24 to #11
- CWE-502 (Deserialization of Untrusted Data): from #21 to #13
- CWE-862 (Missing Authorization): from #25 to #18
- CWE-77 (Improper Neutralization of Special Elements used in a Command ('Command Injection')): from #31 to #25
Follow this link for more information on the 2021 CWE Top 25 Most Dangerous Software Weaknesses.