The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes happened over the past year.
We position the PVS-Studio analyzer not only as a tool for searching bugs in code but also as a tool for static application security testing (SAST) tool. For a better understanding of trends and planning of diagnostic rules, there is nothing better than to look at the latest list of the most relevant security issues. There are several such lists, for example, OWASP Top 10, SANS Top 25, and the above-mentioned CWE Top 25.
By the way, last year we already wrote about changes in the CWE Top 25 2021 — you can find the article here.
A bit of theory
To better understand the context, let's brush up on some topics. To do this, let's skim through the following points:
- how does CVE differ from CWE;
- why do we need CVSS;
- what are NVD and KEV;
- how the CWE Top 25 2022 is ranked.
If you feel CWE savvy, you can safely skip this section. Otherwise, I strongly recommend that you refresh those points before you read the article. Below is a rather free interpretation of some questions from CWE FAQ and CVE FAQ:
How does a software weakness differ from a software vulnerability?
Weaknesses are defects, failures and other issues of implementation, design or architecture of the software that may lead to vulnerabilities.
Vulnerabilities are errors that have already been found by someone. Attackers may exploit these vulnerabilities to get access to a system or a network, to disrupt services, etc.
What is CWE and how is it different from CVE? How does CVSS figure here and where did KEV come from?
- CWE (Common Weakness Enumeration) is a general list of security defects.
- CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities found in various software.
- CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.
- KEV (Known Exploited Vulnerabilities) is a catalog of known exploited vulnerabilities.
Why do I need to know about CWE?
Today, developers use CWE as the main tool when discussing the elimination and/or minimizing security defects in the architecture, design, code, and software implementation. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing, and minimizing negative consequences.
What is CWE Top 25?
CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource that can help you get an idea of the currently most common and dangerous security defects.
What is an algorithm to compile and rank the CWE Top 25 list?
The main sources for this year's list were:
- data from U.D National Vulnerability Database (NVD) for 2020–2021;
- the Known Exploited Vulnerabilities (KEV) catalog that was compiled in November 2021 by Cybersecurity and Infrastructure Security Agency (CISA).
The CWE team researches handled the obtained data according to the View-1003 method to reduce the specificity of records. For example, CWE-122 (Heap-Based Buffer Overflow) is converted to basic CWE-787 (Out-of-Bounds Write). The CWE team also filtered the data and removed from the Top 25 list the following items:
- CVEs if they do not have a CVSS score;
- CVEs whose description is labeled "REJECT";
- CVEs without a mapping to any CWE;
- CVEs that are labeled with "CWE-Other" or "NVD-CWE-noinfo".
Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the potential danger of exploit and the frequency, with which a defect (CWE) is the main cause of a vulnerability. The team made the formula that way, so it normalizes the frequency and predicted severity relative to their minimum and maximum values. To obtain the frequency of mentions, the formula calculates how many times CVE referred to CWE within the NVD.
Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}
Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))
Another important component of the scoring formula is a defect's severity. The following formula calculates it:
Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))
At the end, the final score is calculated by multiplying the frequency of mention by the severity score.
Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
In general, the methodology of data analysis has not changed much this year. But next year, the CWE team is planning more significant changes. Here are some of them:
- support generation of more specialized lists, such as Top 25 for mobile applications, etc.;
- consider changing the metrics used to generate the list to minimize some of the bias (here are more details);
- enhance the View-1003 methodology;
- perform normalization using different views besides View-1003.
- if possible, perform more CVE -> CWE mappings to reduce the number of one-off edits to the mapping data.
You can find more information about the methodology of data preparation and analysis in the supplemental details pertaining to the CWE Top 25 list.
How big is the sampling this year?
The dataset contained a total of 37,899 CVEs from the previous two calendar years.
Is the Top 25 updated every year?
Yes, it is updated annually. For information about previous versions, visit CWE Top 25 archive.
Who participates in the development of CWE Top 25?
The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in elimination of software defects. You can get a list of CWE Team members on the "CWE Community Members" page.
Read more about classification on the cwe.mitre.org website.
The situation today
Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. You can always check the most up-to-date table with CWE Top 25 coverage on our website.
| # | CWE ID | Name | Score | KEV | PVS-Studio diagnostics |
|---|---|---|---|---|---|
| 1 | CWE-787 | Out-of-bounds Write | 64.20 | 62 | C++: V512, V557, V582, V645 C#: V3106 Java: V6025 |
| 2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.97 | 2 | C#: V5610 |
| 3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 22,11 | 7 | C#: V5608 |
| 4 | CWE-20 | Improper Input Validation | 20,63 | 20 | C++: V739, V781, V1010, V1024, V5009 |
| 5 | CWE-125 | Out-of-bounds Read | 17,67 | 1 | C++: V512, V557, V582 C#: V3106 Java: V6025 |
| 6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 17.53 | 32 | C++: V1010, V5009 C#: V5616 |
| 7 | CWE-416 | Use After Free | 15.50 | 28 | C++: V623, V723, V758, V774, V1017 |
| 8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.08 | 19 | C#: V5609 |
| 9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | Coming in the future |
| 10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9,56 | 6 | Coming in the future |
| 11 | CWE-476 | NULL Pointer Dereference | 7,15 | 0 | C++: V522, V595, V664, V713, V1004 C#: V3027, V3042, V3080, V3095, V3100, V3125, V3145, V3146, V3148, V3149, V3152, V3153, V3168 Java: V6008, V6060, V6093 |
| 12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | C#: V5611 |
| 13 | CWE-190 | Integer Overflow or Wraparound | 6,53 | 2 | C++: V629, V658, V673, V683, V1026, V1028, V1083, V1085, V5004, V5005, V5006, V5007, V5010, V5011 C#: V3113 Java: V6105 |
| 14 | CWE-287 | Improper Authentication | 6.35 | 4 | Coming in the future |
| 15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | C++: V5013 C#: V5601 Java: V5305 |
| 16 | CWE-862 | Missing Authorization | 5,53 | 1 | Coming in the future |
| 17 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 5.42 | 5 | C#: V5616 |
| 18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | Coming in the future |
| 19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 8.85 | 6 | C++: V512, V557, V582, V769, V783, V1004 |
| 20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | Coming in the future |
| 21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | C#: V5618 |
| 22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 3.57 | 6 | Coming in the future |
| 23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | Coming in the future |
| 24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | C#: V5614 |
| 25 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 3.32 | 4 | C++: V1076 |
The table shows that the PVS-Studio static analyzer now covers 68% (17 out of 25) the CWE Top 25 2022 list. Last year, the coverage was 52%. Significant improvement in coverage over the year is a credit to the large number of SAST-oriented diagnostic rules that were released by PVS-Studio over the past year.
Changes in the CWE Top 25 over the past year
The biggest upshifts:
| # | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change |
|---|---|---|---|---|---|
| 1 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 33 | 22 | 11▲ |
| 2 | CWE-77 | Improper Neutralization of Special Elements used in a Command ('Command Injection') | 25 | 17 | 8▲ |
| 3 | CWE-400 | Uncontrolled Resource Consumption | 27 | 23 | 4▲ |
| 4 | CWE-476 | NULL Pointer Dereference | 15 | 11 | 4▲ |
| 5 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 28 | 25 | 3▲ |
The biggest downshifts:
| # | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change |
|---|---|---|---|---|---|
| 1 | CWE-522 | Insufficiently Protected Credentials | 21 | 38 | 17▼ |
| 2 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 20 | 33 | 13▼ |
| 3 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 22 | 30 | 8▼ |
| 4 | CWE-306 | Missing Authentication for Critical Function | 11 | 18 | 7▼ |
"Newbies" in the Top 25:
| # | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change |
|---|---|---|---|---|---|
| 1 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 33 | 22 | 11▲ |
| 2 | CWE-400 | Uncontrolled Resource Consumption | 27 | 23 | 4▲ |
| 3 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 28 | 25 | 3▲ |
And in the end — the defects that were dropped out of the CWE Top 25 in 2022:
| # | CWE ID | Name | Position in 2021 | Position in 2022 | Annual change |
|---|---|---|---|---|---|
| 1 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 20 | 33 | 13▼ |
| 2 | CWE-522 | Insufficiently Protected Credentials | 21 | 23 | 2▼ |
| 3 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 22 | 30 | 8▼ |
Key points:
- the top ten places remain fairly stable;
- CWE-787 (Out-of-bounds Write) still holds the lead;
- CWE-502 (Deserialization of Untrusted Data) and CWE-862 (Missing Authorization) are steadily rising to the top year by year;
- this year, CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) broke into the top, immediately rising by 11 places compared to last year;
- CWE-306 (Missing Authentication for Critical Function) that appeared in 2020 and skyrocketed last year, dropped this year;
- the largest downward movement was marked by CWE-522 (Insufficiently Protected Credentials), which fell down by 17 points at once.
Below the top
As a bonus, let's see what defects did not make it into the 2022 CWE Top 25 and may well enter the top next year:
| # | CWE ID | Name | Score | KEV | Annual change |
|---|---|---|---|---|---|
| 26 | CWE-295 | Improper Certificate Validation | 3.12 | 2 | - |
| 27 | CWE-427 | Uncontrolled Search Path Element | 3.12 | 0 | 7▲ |
| 28 | CWE-863 | Incorrect Authorization | 3.10 | 0 | 10▲ |
| 29 | CWE-269 | Improper Privilege Management | 3.06 | 3 | - |
| 30 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 2.93 | 1 | 8▼ |
| 31 | CWE-843 | Access of Resource Using Incompatible Type ('Type Confusion') | 2.87 | 10 | 5▲ |
| 32 | CWE-668 | Exposure of Resource to Wrong Sphere | 2.68 | 0 | 21▲ |
| 33 | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 2.49 | 2 | 13▼ |
| 34 | CWE-1321 | Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') | 2.48 | 0 | new |
| 35 | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 2.41 | 0 | 2▲ |
| 36 | CWE-401 | Missing Release of Memory after Effective Lifetime | 2.39 | 0 | 4▼ |
| 37 | CWE-59 | Improper Link Resolution Before File Access ('Link Following') | 2.38 | 4 | 6▼ |
| 38 | CWE-522 | Insufficiently Protected Credentials | 2.25 | 0 | 17▼ |
| 39 | CWE-319 | Cleartext Transmission of Sensitive Information | 2.15 | 0 | 4▼ |
| 40 | CWE-312 | Cleartext Storage of Sensitive Information | 2.01 | 0 | 1▲ |
Although these defects did not make it to the top, they are still important because under favorable circumstances they may turn into vulnerabilities.
Conclusion
I hope you enjoyed this article and understood the current terminology.
Fortunately, static analyzers help us fight potential vulnerabilities. Therefore, I invite you to download and test the PVS-Studio static analyzer on your project. Maybe a couple of CWEs crept into your code and are about to become CVE :)
Additional links
- PVS-Studio: static code analysis technology.
- Technologies used in the PVS-Studio code analyzer for finding bugs and potential vulnerabilities.
- Potential vulnerability.
- Zero-day vulnerability.
- OWASP, vulnerabilities, and taint analysis in PVS-Studio for C#. Stir, but don't shake.
- What is the difference between DevOps and DevSecOps?
Latest comments (0)