MITRE today published a draft of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, a list of the most widespread and critical weaknesses that could lead to severe software vulnerabilities, as the organization explained a release on the news.
Attackers can often exploit these vulnerabilities to assume control over an affected system, steal sensitive data, or cause a denial-of-service condition, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on the list. Users and admins are encouraged to review both the list and recommended mitigations that MITRE advises them to implement.
The Top 25 is a community resource for software developers, testers, customers, project managers, security researchers, and educators exploring common threats in software. This year, the team took a new approach to generating the list. The methodology involved pulling CVE-related data from within the US National Vulnerability Database (NVD) and accounting for frequency and average Common Vulnerability Scoring System (CVSS) score to determine rank. A scoring formula was used to assess the level of frequency and danger each weakness presents.
This list historically has been compiled by gathering survey responses from a broad group of organizations and by collecting feedback from security analysts, researchers, and developers. Industry pros were asked to nominate weaknesses they considered to be the most widespread or important; a customized part of the CVSS was used to decide on the ranking of each weakness.
"There were a number of positives in this approach, but it was also labor-intensive and subjective," MITRE says. The 2019 list involves a more rigorous and statistical process; instead, it leverages data about reported vulnerabilities to gauge the dangerousness of each weakness.
"We wanted to go with a methodology that was more objective and based on what we're seeing in the real world," says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year's Top 25 is the first release of the list since 2011, Buttner points out, but MITRE's goal going forward is to release a new list for each year.
2019's Top Weaknesses
There were no surprises in this year's Top 25, agree Buttner and Chris Levendis, MITRE CWE project leader. "A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed," Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.
The highest-ranking weakness, with a score of 75.56, is CWE-119, buffer overflow or "Improper Restriction of Operations within the Bounds of a Memory Buffer." Some languages allow direct addressing of memory locations and don't automatically ensure locations are valid for the memory buffer being referenced. This can cause read or write operations to be performed on memory locations linked to data structures or internal program data. An attacker could execute malicious code, change the control flow, read sensitive data, or crash the system.
Buttner and Levendis anticipated buffer overflow would be near top of the list, as it was also near the top in 2011 and it's a well-known weakness throughout the industry.
Next-highest is CWE-79, "Improper Neutralization of Input During Web Page Generation" or cross-site scripting, with a score of 45.69. Software doesn't neutralize, or incorrectly neutralizes, user-controllable input before it's placed in output later used as a web page served to other users. Untrusted data may enter a web app and ultimately execute malicious script.
Number three is CWE-20, or Improper Input Validation, which exists when software doesn't validate or improperly validates input that can affect a program's control flow or data flow. An attacker can write input not expected by the application. This can lead to parts of the system receiving unexpected input, which may cause arbitrary code execution or altered control flow.
Software users can use the Top 25 list to gauge the security practices of the companies they're buying software from before they invest, Levendis says. Those using open source can better learn whether developers are paying attention to those weaknesses, and developers can use the list as a "priority cheat sheet" consisting of weaknesses they should be keeping an eye on.
He adds: "At the most fundamental level, that's what you can use the weaknesses for if you're a consumer of software."