CWE / SANS Top 25 Security Vulnerabilities
The CWE/SANS Top 25 is a list of the most widespread and critical weaknesses found in software. Early editions were assembled through surveys and interviews with developers, senior security analysts, researchers, and vendors.
Since 2019 the CWE Team has instead built the list from data: it takes the published CVE records in the National Vulnerability Database (NVD), the CWE each record is mapped to, and each record's CVSS score.
Each weakness is then ranked by a scoring formula that combines how often the CWE appears with the average severity of the CVEs mapped to it. Because the inputs are public and the scoring is mechanical, the list can be regenerated on a regular schedule. The scores quoted on this page (for example 75.56 for CWE-119) are those of the 2019 edition.
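As an added worked example (not code from the original page or from the CWE Team), the C program below applies the scoring formula published with the 2019 list to a handful of NVD-style records. A CWE's frequency and its average CVSS are each min-max normalized and the two factors are multiplied; that the normalization ranges are the per-CWE counts and per-CWE averages across the whole data set is my reading of the published formula and should be treated as an assumption. The records, the `cve_record` type and the function names are constructed for this example.

```c
#include <math.h>
#include <stdio.h>
#include <string.h>

/* An NVD record reduced to the two fields the score needs: the CWE it is
 * mapped to and its CVSS base score. These records are constructed for the
 * example; they are not real CVEs. */
typedef struct { const char *cwe; double cvss; } cve_record;

static const cve_record SAMPLE_NVD[] = {
    { "CWE-79",  6.1 }, { "CWE-79",  5.4 }, { "CWE-79", 6.1 }, { "CWE-79", 4.8 },
    { "CWE-119", 9.8 }, { "CWE-119", 7.5 }, { "CWE-119", 8.8 },
    { "CWE-200", 5.3 }, { "CWE-200", 4.3 },
    { "CWE-798", 9.8 },
};
#define SAMPLE_COUNT (sizeof SAMPLE_NVD / sizeof SAMPLE_NVD[0])

#define MAX_CWES 64
typedef struct { const char *cwe; int count; double cvss_sum; } cwe_stats;

/* Group records by CWE, accumulating count and CVSS sum. Returns the number
 * of distinct CWEs, or 0 if more than MAX_CWES were seen. */
static size_t aggregate(const cve_record *recs, size_t n, cwe_stats *st)
{
    size_t k = 0;
    for (size_t i = 0; i < n; i++) {
        size_t j = 0;
        while (j < k && strcmp(st[j].cwe, recs[i].cwe) != 0)
            j++;
        if (j == k) {
            if (k == MAX_CWES)
                return 0;
            st[k].cwe = recs[i].cwe;
            st[k].count = 0;
            st[k].cvss_sum = 0.0;
            k++;
        }
        st[j].count++;
        st[j].cvss_sum += recs[i].cvss;
    }
    return k;
}

/* 2019 CWE Top 25 score for one CWE:
 *   Fr = (count(CWE) - min count) / (max count - min count)
 *   Sv = (avg CVSS(CWE) - min avg)  / (max avg  - min avg)
 *   Score = Fr * Sv * 100
 * min/max are taken over all CWEs in the data set (assumption: the
 * normalization ranges are the per-CWE counts and per-CWE averages).
 * Returns -1.0 if the CWE does not occur or the data set is unusable. */
double cwe_top25_score(const cve_record *recs, size_t n, const char *cwe)
{
    cwe_stats st[MAX_CWES];
    size_t k = aggregate(recs, n, st);
    if (k == 0)
        return -1.0;
    const cwe_stats *target = NULL;
    int min_cnt = st[0].count, max_cnt = st[0].count;
    double min_avg = st[0].cvss_sum / st[0].count, max_avg = min_avg;
    for (size_t j = 0; j < k; j++) {
        double avg = st[j].cvss_sum / st[j].count;
        if (st[j].count < min_cnt) min_cnt = st[j].count;
        if (st[j].count > max_cnt) max_cnt = st[j].count;
        if (avg < min_avg) min_avg = avg;
        if (avg > max_avg) max_avg = avg;
        if (strcmp(st[j].cwe, cwe) == 0) target = &st[j];
    }
    if (target == NULL)
        return -1.0;
    /* A data set with a single CWE (or identical values) has no spread to
     * normalize over; treat the lone value as the top of the range. */
    double fr = (max_cnt == min_cnt) ? 1.0
              : (double)(target->count - min_cnt) / (max_cnt - min_cnt);
    double avg = target->cvss_sum / target->count;
    double sv = (max_avg == min_avg) ? 1.0 : (avg - min_avg) / (max_avg - min_avg);
    return fr * sv * 100.0;
}

int main(void)
{
    const char *cwes[] = { "CWE-119", "CWE-79", "CWE-200", "CWE-798" };
    for (size_t i = 0; i < sizeof cwes / sizeof cwes[0]; i++)
        printf("%-8s %6.2f\n", cwes[i],
               cwe_top25_score(SAMPLE_NVD, SAMPLE_COUNT, cwes[i]));
    return 0;
}
```

On the sample data CWE-119 scores 52.0 (two thirds of the maximum frequency, high average severity) and CWE-79 scores 16.0 (most frequent, but low average severity). CWE-798 scores 0 even though its single record has a CVSS of 9.8: the frequency factor of the least-reported CWE is zero, which is the formula's built-in bias toward weaknesses that are reported often over ones that are rare but severe.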
What is a CWE weakness?
The Common Weakness Enumeration (CWE) is a community-developed catalogue of software weakness types: the root-cause categories of coding and design mistakes, such as improper input validation or out-of-bounds read, that lead to concrete, exploitable vulnerabilities. A weakness (CWE) is therefore the class of mistake; a vulnerability (CVE) is one occurrence of it in a specific product. CWE is maintained by MITRE as an ongoing community project whose goals are a common vocabulary for describing these flaws and a baseline that automated tools can use to find, fix, and prevent them.
Below is the list of the 25 weaknesses, in the order and with the scores published in the 2019 edition.
Top 25 most dangerous software weaknesses
Rank | CWE | Weakness | Score
---|---|---|---
1 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69
3 | CWE-20 | Improper Input Validation | 43.61
4 | CWE-200 | Information Exposure | 32.12
5 | CWE-125 | Out-of-bounds Read | 26.53
6 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54
7 | CWE-416 | Use After Free | 17.94
8 | CWE-190 | Integer Overflow or Wraparound | 17.35
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54
10 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10
11 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47
12 | CWE-787 | Out-of-bounds Write | 11.08
13 | CWE-287 | Improper Authentication | 10.78
14 | CWE-476 | NULL Pointer Dereference | 9.74
15 | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33
16 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50
17 | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48
18 | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36
19 | CWE-798 | Use of Hard-coded Credentials | 5.12
20 | CWE-400 | Uncontrolled Resource Consumption | 5.04
21 | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04
22 | CWE-426 | Untrusted Search Path | 4.40
23 | CWE-502 | Deserialization of Untrusted Data | 4.30
24 | CWE-269 | Improper Privilege Management | 4.23
25 | CWE-295 | Improper Certificate Validation | 4.06
References & sources: https://www.sans.org/top25-software-errors/
Each entry on the CWE Top 25 site also carries detailed guidance on how to detect, prevent, and fix the weakness, which developers can apply to reduce or eliminate the associated risk.
What makes the top 25 programming errors the most dangerous?
1. Improper Input Validation (CWE-20):
CWE-20 describes a program that receives input and does not verify that it has the properties required to process it safely. Unchecked data then flows into places the program never expected it to reach.
- It affects any program that accepts data from outside its own trust boundary: network requests, files, command-line arguments, environment variables, or other processes.
- Attackers exploit it to execute arbitrary code or redirect control flow, or they embed malicious payloads inside otherwise well-formed data to reach confidential information.
- A secure application checks every input against a specification of what is acceptable (type, length, range, format) at the point where the data enters, and rejects anything that does not conform; it never relies on downstream code to tolerate bad data.
2. Out-of-bounds Read (CWE-125):
CWE-125 scored 26.53 in the 2019 list, which reflects how common it is. The software reads data before the beginning or past the end of the intended buffer, usually because an index or length taken from the input is never checked against the buffer's real size.
- Attackers can read adjacent memory: pointers that defeat address-space layout randomization, keys, session data, and other sensitive material.
- A read that runs into an unmapped page crashes the process with a segmentation fault, so the flaw is also a denial-of-service vector.
- Over-reads are triggered with the same malformed lengths and indices that cause buffer overflows; the difference is that data leaves the buffer instead of being written past it.
- The flaw is characteristic of C and C++ code, which do no bounds checking of their own. To mitigate it, validate every attacker-influenced length and index against the actual buffer size, use bounds-checked APIs, test with AddressSanitizer and fuzzing, and prefer memory-safe languages where possible.
3. Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119):
CWE-119 had the highest score in the 2019 list, 75.56. The software reads from or writes to a memory address outside the bounds of the intended buffer. It is the general class that contains out-of-bounds read (CWE-125) and out-of-bounds write (CWE-787): an attacker who can write beyond a buffer can replace adjacent data, such as a saved return address or a function pointer, and thereby redirect execution to code of their choosing.
- These attacks corrupt security-critical data and the application's own memory.
- Weaknesses in this class let attackers obtain sensitive data, modify control flow, crash the process, and execute arbitrary code.
- The programming language, chip architecture, and platform determine how exploitable a given instance is. Memory-safe languages, bounds-checked containers and APIs, and platform mitigations such as stack canaries, non-executable memory, and ASLR reduce the risk; sanitizers and fuzzing find instances during testing.
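The following C program is an added example (not code from the original page) for the two memory-buffer weaknesses above. It uses a constructed length-prefixed message format: the unsafe parser trusts the attacker-supplied length byte, so a 6-byte message claiming a 31-byte payload makes it copy whatever follows the message in memory into the output. Here that is a constructed secret placed in the same 32-byte buffer, so the over-read stays inside one allocation and the program is well-defined while still showing the leak. The safe parser validates the length against both the bytes actually received (CWE-125) and the output capacity (CWE-787) before any copy, which is also the CWE-20 remedy of validating untrusted input at the boundary. The format, the secret, and all function names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example: one length byte, then that many
 * payload bytes. `avail` is the number of bytes the caller actually received
 * (e.g. the return value of recv()); `out` holds at most `out_cap` bytes. */

/* CWE-119/CWE-125: the attacker-controlled length byte is trusted and neither
 * the received length nor the output capacity is consulted before memcpy. */
size_t parse_record_unsafe(const uint8_t *msg, size_t avail,
                           uint8_t *out, size_t out_cap)
{
    (void)avail;
    (void)out_cap;                 /* the bug: these limits are never checked */
    size_t len = msg[0];
    memcpy(out, msg + 1, len);     /* over-reads when len > avail - 1 */
    return len;
}

/* Hardened version: bound every read and write before it happens.
 * Returns 0 and sets *out_len on success, -1 on a malformed message. */
int parse_record_safe(const uint8_t *msg, size_t avail,
                      uint8_t *out, size_t out_cap, size_t *out_len)
{
    if (msg == NULL || out == NULL || out_len == NULL || avail < 1)
        return -1;                 /* not even a length byte was received */
    size_t len = msg[0];
    if (len > avail - 1)           /* CWE-125: payload longer than data received */
        return -1;
    if (len > out_cap)             /* CWE-787: payload longer than destination */
        return -1;
    memcpy(out, msg + 1, len);
    *out_len = len;
    return 0;
}

/* Constructed attack input: the length byte claims 31 bytes, but only
 * 5 payload bytes were actually sent. */
static const uint8_t WIRE[] = { 31, 'h', 'e', 'l', 'l', 'o' };
/* Constructed secret that happens to sit right after the message in memory. */
static const char SECRET[] = "SECRET-API-KEY-0";

/* Places WIRE and SECRET in one 32-byte region and runs the unsafe parser.
 * Returns 1 if the copied output contains SECRET, i.e. the over-read leaked it. */
int unsafe_parser_leaks_secret(void)
{
    uint8_t region[32] = { 0 };
    uint8_t out[64] = { 0 };
    memcpy(region, WIRE, sizeof WIRE);                   /* bytes 0..5  */
    memcpy(region + sizeof WIRE, SECRET, sizeof SECRET); /* bytes 6..22 */
    size_t n = parse_record_unsafe(region, sizeof WIRE, out, sizeof out);
    /* out[i] == region[1 + i], so the secret starts at out[5]. */
    return n == 31 && memcmp(out + 5, SECRET, sizeof SECRET - 1) == 0;
}

/* Returns 1 if the safe parser rejects the same truncated message. */
int safe_parser_rejects_truncated(void)
{
    uint8_t out[64];
    size_t n = 0;
    return parse_record_safe(WIRE, sizeof WIRE, out, sizeof out, &n) == -1;
}

/* Returns the payload length the safe parser reports for a well-formed
 * message, or -1 if it was wrongly rejected or copied the wrong bytes. */
int safe_parser_accepts_valid(void)
{
    static const uint8_t ok[] = { 5, 'h', 'e', 'l', 'l', 'o' };
    uint8_t out[64];
    size_t n = 0;
    if (parse_record_safe(ok, sizeof ok, out, sizeof out, &n) != 0)
        return -1;
    return memcmp(out, "hello", 5) == 0 ? (int)n : -1;
}

int main(void)
{
    printf("unsafe parser leaked the secret: %d\n", unsafe_parser_leaks_secret());
    printf("safe parser rejected truncated message: %d\n", safe_parser_rejects_truncated());
    printf("safe parser payload length for valid message: %d\n", safe_parser_accepts_valid());
    return 0;
}
```

In real code the bytes after the message would be whatever the allocator or stack placed there, which is exactly why the unsafe version is both an information leak and a crash risk: if the over-read runs off the mapped region the process dies instead. The safe version makes both checks explicit and separate so that a reviewer can see which bound each one enforces.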
4. Information Exposure (CWE-200):
CWE-200 covers any way in which a program reveals information to a party not authorized to see it. Timing differences in cryptographic code are one source; verbose error messages, stack traces, and exposed source or configuration files are others, and an exposed script can reveal the logic of an entire program.
- The impact depends on what is exposed, so identifying exactly which data leaks is the first step in judging how serious an instance is.
- An attacker may obtain private communications, financial data, trade secrets, network configuration, and similar material.
- Designers and developers mitigate the risk by compartmentalizing systems into zones with explicit trust boundaries, running components with the least privilege they need, and returning only generic messages to users while logging the details server-side.
Read more about CWE/SANS and related topics:
- Common Weakness Enumeration – Wikipedia
- SANS Institute – Wikipedia
- OWASP Top 10 Vulnerabilities
- Common Vulnerabilities and Exposures Explained
- CWE/SANS top 25 security vulnerabilities
- What is MITRE ATT&CK (Matrix and evaluation spreadsheet)
- What is National Vulnerability Database – NVD
- NIST – National Institute of Standards and Technology
- Log4j CVE Vulnerability Exploit Fix Explained