After Eight Long Years, Welcome Top 25 Software Weaknesses by MITRE
- Receiving its first update since 2011 (which relied upon surveys and interviews), the 2019 CWE Top 25 list is data-driven and includes the list flaws from 2017 and 2018.
- Buffer overflow or "Improper Restriction of Operations within the Bounds of a Memory Buffer" was ranked top with a score of 75.56.
MITRE’s Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors is a demonstrative list of the most widespread and critical weaknesses that can be exploited by attackers to compromise software systems, hence devices.
In total, roughly 25,000 CVEs provided source data to get the list ready. Also, several thousand mismapped CVE entries were correct by CWE. Going forward, MITRE plans to evaluate mappings throughout the coming year and release a new list every year.
Approach used by the team: In the early versions of the list, the standard procedure would include gathering responses from organizations, where security analysts, researchers, and developers would participate. They would nominate and rank the weaknesses they considered to be the most widespread or essential.
The recent list of 2019 is data-driven and involves a more rigorous and statistical process. It leverages data to gauge the harm capacity of each weakness.
- The methodology involved pulling CVE-related data from within the US National Vulnerability Database (NVD), and accounting for frequency and average Common Vulnerability Scoring System (CVSS) score to determine rank.
- A scoring formula was applied to assess the level of frequency and danger each weakness presents.
Drew Buttner, software assurance lead of MITRE, told, "We wanted to go with a methodology that was more objective and based on what we're seeing in the real world."
Top Three Weaknesses and the scope of attack: According to the detailed report by the Cybersecurity and Infrastructure Security Agency (CISA), attackers can exploit these vulnerabilities to seize control over an affected system, steal sensitive data, or cause a DDoS attack.
- Buffer overflow or "Improper Restriction of Operations within the Bounds of a Memory Buffer", CWE-119, is the highest-ranking weakness. The weakness allows some languages a direct access to memory locations where read or write operations can be performed from outside. It was also near the top in 2011 list.
It could allow an attacker to execute malicious code, change the control flow, read sensitive data, and crash the system.
- "Improper Neutralization of Input During Web Page Generation", also known as cross-site scripting (XSS), CWE-79, with a score of 45.69 stands at the second position on the list. In this weakness, software incorrectly neutralizes (or doesn't neutralize) user-controllable input before it's placed on a web page.
Untrusted data may enter a web app leading to generating pages containing potentially malicious data. Malicious code may be injected into a browser session of the visitors to execute malicious script.
- Improper Input Validation, CWE-20, takes up third position with a score of (43.61). It occurs when software doesn't validate or improperly validates input. An attacker can write input unexpected by the application and affect a program's flow or tamper with data flow. Such actions may lead to hijacked software, elevated levels of control, or unwanted code execution.
Takeaway for you (Advisory): Users and admins are encouraged to review both the list and recommended mitigations that MITRE advises them to implement.
- Developers can use the list as a "priority cheat sheet.”
- Decision-makers must go through the security practices of the companies they're buying software from before they invest.
- Those using open source can better learn whether developers are paying attention to those weaknesses.