The 2023 edition of the CWE Top 25 Most Dangerous Software Weaknesses ranking has the same top 3 weaknesses as last year – all veterans of the list since its inception in 2009. The list is ranked according to the impact and frequency of the resulting vulnerabilities reported in 2021 and 2022, which gives a fairly good idea of where the biggest dangers lie. We haven't looked at the SANS/CWE Top 25 since 2021, so let's go through the methodology, the biggest movers (spoiler: SQL injection is one of them), and ways to use the list in practice, especially for web security.
The full CWE database is compiled and maintained by the MITRE Corporation. The Top 25 project was called the SANS/CWE Top 25 in earlier years, but the involvement or name of the SANS Institute is no longer mentioned on the CWE site.
Top 10 of the CWE Top 25
- #1: Out-of-bounds Write (CWE-787, score 63.72)
- #2: Cross-site Scripting (XSS, formally Improper Neutralization of Input During Web Page Generation, CWE-79, score 45.54)
- #3: SQL Injection (formally Improper Neutralization of Special Elements used in an SQL Command, CWE-89, score 34.27)
- #4: Use After Free (CWE-416, score 16.71)
- #5: OS Command Injection (formally Improper Neutralization of Special Elements used in an OS Command, CWE-78, score 15.65)
- #6: Improper Input Validation (CWE-20, score 15.50)
- #7: Out-of-bounds Read (CWE-125, score 14.60)
- #8: Path Traversal (formally Improper Limitation of a Pathname to a Restricted Directory, CWE-22, score 14.11)
- #9: Cross-Site Request Forgery (CSRF, CWE-352, score 11.73)
- #10: Unrestricted Upload of File with Dangerous Type (CWE-434, score 10.41)
Memory management errors and web vulnerabilities top the list
The most impactful weakness by far is Out-of-bounds Write, the CWE behind classic buffer overflows and any other write past the end of a memory region, typically exploited to achieve code execution. While only possible in programs written in a language with direct memory access (most often C/C++), this weakness is a clear #1 in the aggregated score and is also heavily represented among known exploited vulnerabilities (see below for the CWE Top 25 methodology). In total, six memory-related weaknesses have made the list, including three in the top 10 (see the three themes below).
The #2 and #3 spots are occupied by cross-site scripting (XSS) and SQL injection – two of the oldest web security flaws, and clearly not going away. In terms of scores, the top three are far ahead of the rest of the list, with SQL injection scoring 34.27 and the next weakness below 17. Again, this means that reported vulnerabilities (CVEs) resulting from these flaws are both numerous and severe. There are a total of four web-specific weaknesses on the list (XSS, SQL injection, CSRF, and SSRF) and at least 10 other flaws that are commonly exploited in web application attacks.
Notable changes since our last look at the list in 2021 include big upward moves for several flaws typical of web applications: SQL injection moved up from #6 to #3, server-side request forgery (SSRF) jumped five places to #19, and command injection (CWE-77) advanced from #25 to #16 as the biggest single mover. Towards the end of the list, four CWEs have dropped off, including XML external entity injection (XXE), while four others have moved into the top 25, most notably code injection (CWE-94). Overall, only the ordering has changed in the top 10, indicating that very similar attack patterns are still being used against the same weaknesses.
CWE vs. CVE – what's the difference?
Entries in the CWE database are types of software and hardware weaknesses that, if they make it into production code, can lead to vulnerabilities. The CVE database, on the other hand, lists known and reported vulnerabilities in specific products. A common security weakness like SQL injection (CWE-89) can be listed as the root cause of hundreds of different CVEs involving an SQL injection attack (such as CVE-2023-34362 in MOVEit Transfer).
Tl;dr: CWEs are what could go wrong. CVEs are what did go wrong.
Methodology: How the CWE Top 25 scores are calculated
Work on the Top 25 for 2023 started by mapping each of the 43,996 CVE records for vulnerabilities reported in 2021 and 2022 to one or more CWEs as root causes. Each time a specific CWE was a root cause of a CVE, the score for that CWE was increased based on the prevalence and severity (CVSS score) of that CVE. The formula used ensures that a weakness only gets a high score if it leads to vulnerabilities that are both frequent and severe: a rare but critical weakness and a common but low-impact one both score low. Special focus was given to issues from the Known Exploited Vulnerabilities (KEV) catalog, which the Cybersecurity and Infrastructure Security Agency (CISA) has maintained since November 2021, and MITRE published a separate top 10 of KEV-linked weaknesses alongside the main ranking.
One important aspect of the methodology is that, where relevant, entire attack chains are counted, not just single root causes. If a reported CVE involves an attack that exploits more than one type of weakness, that CVE can be counted for all of the CWEs involved. Most real-world attacks rely on chaining to escalate from initial access to final compromise, and every step along the way is required for the attack to work – see our analysis of the MOVEit Transfer attack for a recent example. Treating each weakness in a chain as a root cause gives a more realistic picture of how software flaws translate into vulnerabilities.
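To make the scoring concrete, here is a small re-implementation of the Top 25 formula, added as an example for this article rather than taken from MITRE's tooling. The normalization follows the formula MITRE publishes for the list (each CWE's CVE count and mean CVSS score are min-max scaled across all CWEs, multiplied, and scaled to 100); the CVE records are constructed sample data with placeholder `EX-` identifiers, not NVD entries. One record lists two CWEs to show how a chained attack is counted once for every weakness in the chain.

```python
"""Toy re-implementation of the CWE Top 25 scoring formula.

Added example, not code from the original article or from MITRE. The records
below are constructed sample data, not NVD entries.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample: record id, CVSS base score, and the CWE(s) recorded as
# root cause(s). A record whose attack chain exploits several weaknesses lists
# all of them and is counted once for every CWE in the chain.
SAMPLE_CVES = [
    {"id": "EX-0001", "cvss": 9.8, "cwes": ["CWE-787"]},
    {"id": "EX-0002", "cvss": 9.8, "cwes": ["CWE-787"]},
    {"id": "EX-0003", "cvss": 8.8, "cwes": ["CWE-787"]},
    {"id": "EX-0004", "cvss": 6.1, "cwes": ["CWE-79"]},
    {"id": "EX-0005", "cvss": 6.1, "cwes": ["CWE-79"]},
    {"id": "EX-0006", "cvss": 9.8, "cwes": ["CWE-89", "CWE-94"]},  # SQLi chained into code injection
    {"id": "EX-0007", "cvss": 7.5, "cwes": ["CWE-89"]},
    {"id": "EX-0008", "cvss": 5.3, "cwes": ["CWE-20"]},
    {"id": "EX-0009", "cvss": 4.3, "cwes": ["CWE-20"]},
    {"id": "EX-0010", "cvss": 5.3, "cwes": ["CWE-20"]},
]


def aggregate(records):
    """Return {cwe: (cve_count, mean_cvss)} over all records.

    Every CWE listed for a record gets that record's CVSS score, so a chained
    CVE raises both the frequency and the severity of each CWE in the chain.
    """
    per_cwe = defaultdict(list)
    for rec in records:
        for cwe in rec["cwes"]:
            per_cwe[cwe].append(rec["cvss"])
    return {cwe: (len(scores), mean(scores)) for cwe, scores in per_cwe.items()}


def minmax(value, lo, hi):
    """Scale value into [0, 1] across the observed range; 0 if the range is empty."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records):
    """Score(CWE) = Fr(CWE) * Sv(CWE) * 100.

    Fr is the CWE's CVE count and Sv its mean CVSS, each min-max normalized
    across all CWEs. The product is what forces a weakness to be both
    frequent and severe: either factor at the bottom of its range yields 0.
    """
    stats = aggregate(records)
    counts = [count for count, _ in stats.values()]
    severities = [avg for _, avg in stats.values()]
    lo_c, hi_c = min(counts), max(counts)
    lo_s, hi_s = min(severities), max(severities)
    return {
        cwe: minmax(count, lo_c, hi_c) * minmax(avg, lo_s, hi_s) * 100
        for cwe, (count, avg) in stats.items()
    }


def ranked(records):
    """List of (cwe, score) pairs, highest score first, ties broken by CWE id."""
    return sorted(score_cwes(records).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for cwe, score in ranked(SAMPLE_CVES):
        print(f"{cwe:8s} {score:6.2f}")
```

On this sample, CWE-94 has the highest mean CVSS but appears only once, so its frequency factor is 0 and it scores 0; CWE-20 ties for most frequent but has the lowest mean CVSS, so its severity factor is 0 and it also scores 0. Only CWE-787, which is both frequent and severe, ends up near the top of the scale, which is the same dynamic that puts Out-of-bounds Write at #1 on the real list.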
CWE Top 25 vs. OWASP Top 10
Both the CWE Top 25 and the OWASP Top 10 draw on CWE and CVE data but differ in scope and methodology. The CWE Top 25 applies to all types of software and ranks individual CWEs by the frequency and severity of the CVEs they cause. The OWASP Top 10 covers only web applications, is built largely from application testing data contributed by organizations plus a community survey, and groups CWEs into broader risk categories that are then ranked. Recent years have seen the OWASP Top 10 risk categories become increasingly high-level, so the CWE Top 25 is the more useful of the two when you need to map a finding to a specific weakness.
The big picture: Three common themes to look out for
There are many ways to slice and dice the top CWEs, but all the listed weaknesses fall into one of three broad categories:
- Memory management (6 CWEs): Programming in any language that allows direct memory access (most commonly C/C++) always carries some risk of memory management flaws that attackers may exploit, usually with severe consequences. This category includes CWE-787, CWE-416, CWE-125, CWE-476, CWE-190, and CWE-119.
- Untrusted inputs (11 CWEs): Any input that originates outside the application or could otherwise be controlled by an attacker poses a security risk that could allow for a successful attack. This includes not only input strings but also all uploads and all deserialized data. Note that validation alone rarely fixes the injection flaws in this group; the reliable fix is to pass data through context-appropriate mechanisms such as parameterized queries and output encoding. CWE-79, CWE-89, CWE-78, CWE-20, CWE-22, CWE-352, CWE-434, CWE-502, CWE-77, CWE-918, and CWE-94 fall into this bucket.
- Access management (8 CWEs): Authorization, authentication, permissions, privileges – all of these are about various types of access to systems, resources, or operations. Fine-grained access control is extremely hard to design, implement, and match to actual usage, and any failure can open the way for attackers. This category of weaknesses includes CWE-862, CWE-287, CWE-798, CWE-306, CWE-362, CWE-269, CWE-863, and CWE-276.
Applying the CWE Top 25 to improve application security
Because the CWE scores are derived directly from CVEs reported in 2021 and 2022, the Top 25 reflects the major vulnerabilities reported during that period. Accordingly, the list is skewed towards the most severe and widespread vulnerabilities, which are also the most likely to be reported. If you browse the CVE database or (even better) CISA's KEV catalog, you'll find that many of the most severe entries concern network appliances and other embedded devices, with buffer overflows and other memory-access flaws commonly listed as the root cause. This explains the (continued) top position of out-of-bounds writes, as such weaknesses are both severe and reported in a relatively large proportion of CVEs.
The main practical takeaways for software developers correspond to the three overarching themes across the top 25:
- If you write in C/C++, make checking memory management routines a separate item in your code reviews, QA, and security testing, and run compiler-assisted checks (AddressSanitizer, UBSan) and fuzzing in CI, since these catch most out-of-bounds and use-after-free bugs before a reviewer does. This goes double for software and firmware for embedded systems and network devices, which are high-value targets while also being harder to patch.
- For all software, treat all data entering your application as untrusted and handle it safely before use. This includes not only expected user inputs and uploads but also values read back from your own databases (second-order SQL injection) and local files such as logs or cached objects that are later parsed or deserialized (CWE-502).
- For all applications and especially for all APIs, make fine-grained access control a critical part of design and testing, covering data, application objects, and functions. This needs to start with authentication and continue with multi-level authorization that (ideally) covers every possible access path and flow, so that an authenticated user cannot reach another user's objects simply by changing an identifier.
For web applications, the clear takeaway is to make sure you test for and eliminate at the very least SQL injection and cross-site scripting flaws. With major CVEs currently under exploitation for both SQLi (like CVE-2023-34362 in MOVEit Transfer) and XSS (like CVE-2023-24488 in Citrix Gateway), systematic security testing from development through staging and into production is a must.
To learn how to build security testing into your application security program, read the free Invicti white paper on enterprise web security best practices.
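The following added example (not code from the original article, and unrelated to the MOVEit or Citrix CVEs above) shows both flaws arising from data the application stored itself, which is the "treat your own database as untrusted" point from the takeaways list. Registration is parameterized, so a hostile display name is stored verbatim; the bug is on the way back out, where one function splices the stored value into a new query (second-order SQL injection, CWE-89) and another drops it into HTML unescaped (stored XSS, CWE-79). The accounts, the in-memory SQLite schema and the payloads are all constructed for this example.

```python
"""Second-order SQL injection and stored XSS from data the app stored itself.

Added example with a constructed in-memory SQLite database; not code from the
original article. Usernames, display names and emails are made up.
"""
import html
import sqlite3

# Constructed sample accounts: (username, display_name, email). The two hostile
# display names are ordinary strings to the INSERT below; they only become
# dangerous when a later code path treats them as SQL or HTML.
SAMPLE_USERS = [
    ("alice", "Alice", "alice@example.com"),
    ("bob", "Bob", "bob@example.com"),
    ("mallory", "x' OR '1'='1", "mallory@example.com"),
    ("eve", "<img src=x onerror=alert(1)>", "eve@example.com"),
]


def setup_db():
    """Create the schema and register the sample users with bound parameters."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, "
        "display_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, display_name, email) VALUES (?, ?, ?)",
        SAMPLE_USERS,
    )
    return conn


def display_name_of(conn, username):
    """Read the stored display name back; None if the user does not exist."""
    row = conn.execute(
        "SELECT display_name FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row[0] if row else None


def emails_with_same_display_name_vulnerable(conn, username):
    """CWE-89, second order: the value came from our own table, so it is
    trusted and concatenated into a fresh query. For 'mallory' the query
    becomes ... WHERE display_name = 'x' OR '1'='1' and returns every row."""
    display_name = display_name_of(conn, username)
    query = f"SELECT email FROM users WHERE display_name = '{display_name}'"
    return [row[0] for row in conn.execute(query)]


def emails_with_same_display_name_fixed(conn, username):
    """Same lookup with a bound parameter: the stored string stays data."""
    display_name = display_name_of(conn, username)
    return [
        row[0]
        for row in conn.execute(
            "SELECT email FROM users WHERE display_name = ?", (display_name,)
        )
    ]


def profile_html_vulnerable(conn, username):
    """CWE-79, stored: the display name is rendered into the page unescaped."""
    return f"<h1>{display_name_of(conn, username)}</h1>"


def profile_html_fixed(conn, username):
    """HTML-encode for the element-content context before rendering."""
    safe_name = html.escape(display_name_of(conn, username) or "", quote=True)
    return f"<h1>{safe_name}</h1>"


if __name__ == "__main__":
    db = setup_db()
    print("vulnerable:", emails_with_same_display_name_vulnerable(db, "mallory"))
    print("fixed:     ", emails_with_same_display_name_fixed(db, "mallory"))
    print(profile_html_vulnerable(db, "eve"))
    print(profile_html_fixed(db, "eve"))
```

The point for testing is that neither flaw is visible at the input boundary: a scanner or reviewer that only checks the registration form will pass it, because the write path is correct. Coverage has to include every code path that reads stored data back out, which is why the article recommends systematic testing across development, staging and production rather than a one-off input review.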