Insight into the 2019 SANS/CWE Top 25 critical software errors, focusing on prevention and system security.
The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a curated list of the most critical and prevalent software weaknesses. These weaknesses can lead to serious vulnerabilities in software, making it easy for attackers to exploit them. The consequences of these weaknesses can range from taking complete control over the software to stealing data or causing the software to malfunction. The CWE Top 25 serves as a valuable resource for software developers, testers, project managers, security researchers, and educators, providing insights into the most significant security threats in the software industry.
To compile the list, the CWE Team utilizes a data-driven approach, leveraging data from the Common Vulnerabilities and Exposures (CVE®) and National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). They also consider the Common Vulnerability Scoring System (CVSS) scores associated with each vulnerability. By applying a scoring formula, the CWE Team determines the prevalence and severity of each weakness. This data-driven approach allows for the generation of the CWE Top 25 on a regular basis with minimal effort.
Below is a brief listing of the weaknesses in the 2019 CWE Top 25, including the overall score of each.
Rank | ID | Name | Score |
---|---|---|---|
[1] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 75.56 |
[2] | CWE-79 | Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') | 45.69 |
[3] | CWE-20 | Improper Input Validation | 43.61 |
[4] | CWE-200 | Information Exposure | 32.12 |
[5] | CWE-125 | Out-of-bounds Read | 26.53 |
[6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') | 24.54 |
[7] | CWE-416 | Use After Free | 17.94 |
[8] | CWE-190 | Integer Overflow or Wraparound | 17.35 |
[9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 15.54 |
[10] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') | 14.10 |
[11] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') | 11.47 |
[12] | CWE-787 | Out-of-bounds Write | 11.08 |
[13] | CWE-287 | Improper Authentication | 10.78 |
[14] | CWE-476 | NULL Pointer Dereference | 9.74 |
[15] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 6.33 |
[16] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 5.50 |
[17] | CWE-611 | Improper Restriction of XML External Entity Reference | 5.48 |
[18] | CWE-94 | Improper Control of Generation of Code ('Code Injection') | 5.36 |
[19] | CWE-798 | Use of Hard-coded Credentials | 5.12 |
[20] | CWE-400 | Uncontrolled Resource Consumption | 5.04 |
[21] | CWE-772 | Missing Release of Resource after Effective Lifetime | 5.04 |
[22] | CWE-426 | Untrusted Search Path | 4.40 |
[23] | CWE-502 | Deserialization of Untrusted Data | 4.30 |
[24] | CWE-269 | Improper Privilege Management | 4.23 |
[25] | CWE-295 | Improper Certificate Validation | 4.06 |
The 2019 CWE Top 25 is based on published CVE vulnerability data obtained from the NVD. The NVD supplements the CVE data with additional analysis and provides a CVSS score for each vulnerability. This data-driven approach creates an objective ranking of vulnerabilities based on publicly reported data.
To calculate the ranking, the CWE team used NVD data from 2017 and 2018, which included approximately twenty-five thousand CVEs. A scoring formula was developed that considers both the frequency and severity of each CWE. The frequency is calculated by determining how many times a CWE is mapped to a CVE within the NVD.
The severity component of the scoring formula is represented by the average CVSS score of all CVEs mapped to a particular CWE. The severity score is normalized relative to the minimum and maximum values seen.
The final score for each CWE is determined by multiplying the frequency score and severity score. This score represents the level of danger associated with a particular weakness.
The scoring method has one key property: weaknesses that are rarely exploited or have low impact will not receive a high score. Only weaknesses that are both common and have the potential to cause harm will score highly.
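As an added example (not the CWE Team's code), the scoring pipeline described above in Python: constructed CVE-to-CWE records are aggregated into the NVD count and average CVSS per CWE, both factors are normalized to [0, 1] against the minimum and maximum seen, and the product is scaled to a score. The summary above only says the severity term is normalized; normalizing the frequency term the same way and multiplying by 100 follows MITRE's published 2019 formula, and the CVE ids and CVSS values are constructed placeholders, not NVD data.

```python
"""Added example: the CWE Top 25 scoring pipeline described above, run on
constructed CVE-to-CWE records (placeholders, not NVD data)."""
from collections import defaultdict
from statistics import mean

# Constructed records: (CVE id, mapped CWE id, CVSS base score).
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 6.1), ("CVE-0000-0002", "CWE-79", 6.1),
    ("CVE-0000-0003", "CWE-79", 5.4), ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 6.1), ("CVE-0000-0006", "CWE-79", 6.8),
    ("CVE-0000-0007", "CWE-89", 9.8), ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8), ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-502", 9.8),          # rare but severe
    ("CVE-0000-0012", "CWE-200", 4.3), ("CVE-0000-0013", "CWE-200", 5.3),
    ("CVE-0000-0014", "CWE-200", 4.3), ("CVE-0000-0015", "CWE-200", 3.3),
    ("CVE-0000-0016", "CWE-200", 4.3), ("CVE-0000-0017", "CWE-200", 4.3),
    ("CVE-0000-0018", "CWE-200", 4.3),          # common but low impact
    ("CVE-0000-0019", "CWE-532", 3.3), ("CVE-0000-0020", "CWE-532", 2.7),
]

def aggregate(records):
    """Per CWE: (NVD count, average CVSS), the two columns in the table."""
    by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        by_cwe[cwe].append(cvss)
    return {cwe: (len(v), mean(v)) for cwe, v in by_cwe.items()}

def normalize(value, lo, hi):
    """Scale value into [0, 1] relative to the minimum and maximum seen."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)

def score(agg):
    """Fr * Sv * 100: frequency and severity normalized over the whole set."""
    counts = [c for c, _ in agg.values()]
    sevs = [s for _, s in agg.values()]
    return {
        cwe: round(normalize(c, min(counts), max(counts))
                   * normalize(s, min(sevs), max(sevs)) * 100, 2)
        for cwe, (c, s) in agg.items()
    }

def rank(scores):
    """Highest score first; ties broken by CWE id for a stable listing."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

if __name__ == "__main__":
    for pos, (cwe, sc) in enumerate(rank(score(aggregate(SAMPLE_CVES))), 1):
        print(f"[{pos}] {cwe} {sc}")
```

Because the minimum and maximum come from every CWE in the data set, running `score()` over only the 25 rows in the table above will not reproduce the published Overall Score column; the least frequent and least severe CWEs in the full set, which are not on this page, pin the normalization.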
By using this methodology, the 2019 CWE Top 25 provides a comprehensive and reliable ranking of vulnerabilities. It is a valuable resource for understanding the current state of vulnerabilities in the real world.
The following is the 2019 CWE Top 25 with relevant scoring information. It shows the number of entries related to each CWE in the NVD data set and the average CVSS score for each weakness.
Rank | ID | NVD Count | Avg CVSS | Overall Score |
---|---|---|---|---|
[1] | CWE-119 | 3545 | 8.045 | 75.56 |
[2] | CWE-79 | 3430 | 5.778 | 45.69 |
[3] | CWE-20 | 2360 | 7.242 | 43.61 |
[4] | CWE-200 | 2300 | 5.961 | 32.12 |
[5] | CWE-125 | 1428 | 7.270 | 26.53 |
[6] | CWE-89 | 977 | 9.129 | 24.54 |
[7] | CWE-416 | 799 | 8.374 | 17.94 |
[8] | CWE-190 | 867 | 7.679 | 17.35 |
[9] | CWE-352 | 693 | 8.365 | 15.54 |
[10] | CWE-22 | 759 | 7.275 | 14.10 |
[11] | CWE-78 | 486 | 8.707 | 11.47 |
[12] | CWE-787 | 510 | 8.169 | 11.08 |
[13] | CWE-287 | 495 | 8.188 | 10.78 |
[14] | CWE-476 | 572 | 6.834 | 9.74 |
[15] | CWE-732 | 334 | 7.393 | 6.33 |
[16] | CWE-434 | 239 | 8.549 | 5.50 |
[17] | CWE-611 | 262 | 7.949 | 5.48 |
[18] | CWE-94 | 230 | 8.637 | 5.36 |
[19] | CWE-798 | 215 | 8.782 | 5.12 |
[20] | CWE-400 | 288 | 6.980 | 5.04 |
[21] | CWE-772 | 304 | 6.714 | 5.04 |
[22] | CWE-426 | 215 | 7.823 | 4.40 |
[23] | CWE-502 | 177 | 8.921 | 4.30 |
[24] | CWE-269 | 226 | 7.332 | 4.23 |
[25] | CWE-295 | 248 | 6.658 | 4.06 |
Please note that these rankings and scores are based on the NVD data set used for the 2019 CWE Top 25.
Applying the 2019 scoring formula to the NVD data set, the CWE Team also identified weaknesses that scored just outside the Top 25. While these weaknesses were not severe or prevalent enough to be included in the 2019 list, developers who have completed mitigation and risk decision-making on the 2019 CWE Top 25 should consider including them in their software analysis. The following table displays the details of these weaknesses:
Rank | ID | Name | NVD Count | Avg CVSS | Overall Score |
---|---|---|---|---|---|
[26] | CWE-835 | Loop with Unreachable Exit Condition ('Infinite Loop') | 218 | 6.610 | 3.53 |
[27] | CWE-522 | Insufficiently Protected Credentials | 150 | 8.460 | 3.39 |
[28] | CWE-704 | Incorrect Type Conversion or Cast | 143 | 8.484 | 3.25 |
[29] | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition') | 187 | 6.740 | 3.11 |
[30] | CWE-918 | Server-Side Request Forgery (SSRF) | 128 | 7.917 | 2.65 |
[31] | CWE-415 | Double Free | 111 | 7.981 | 2.32 |
[32] | CWE-601 | URL Redirection to Untrusted Site ('Open Redirect') | 159 | 6.141 | 2.31 |
[33] | CWE-863 | Incorrect Authorization | 113 | 7.050 | 2.00 |
[34] | CWE-862 | Missing Authorization | 92 | 7.491 | 1.76 |
[35] | CWE-532 | Inclusion of Sensitive Information in Log Files | 90 | 7.064 | 1.59 |
[36] | CWE-306 | Missing Authentication for Critical Function | 66 | 8.529 | 1.50 |
[37] | CWE-384 | Session Fixation | 76 | 7.083 | 1.34 |
[38] | CWE-326 | Inadequate Encryption Strength | 73 | 7.278 | 1.34 |
[39] | CWE-770 | Allocation of Resources Without Limits or Throttling | 75 | 6.880 | 1.27 |
[40] | CWE-617 | Reachable Assertion | 75 | 6.729 | 1.23 |
Please note that this list provides additional weaknesses for consideration and analysis. For more information and details, refer to the respective CWE entries.
There are several limitations to the data-driven approach chosen by the CWE Team.
Data Bias
The approach only uses data that was publicly reported and captured in NVD, which means vulnerabilities without CVE IDs are excluded. This includes vulnerabilities found and fixed before software release, in online services, or in bespoke software for a single organization. As a result, weaknesses leading to these types of vulnerabilities may be underrepresented in the 2019 CWE Top 25.
Even for vulnerabilities with a CVE, there is often insufficient information to accurately identify the underlying CWE. Software vendors usually describe the impact of the vulnerability without providing details of the vulnerability itself. Additionally, some CVE descriptions only cover how the entry is attacked, without indicating the associated weakness. This lack of detail makes precise CWE mapping difficult, and the CWE Team identified over 2,600 CVEs with insufficient details.
There is inherent bias in the CVE/NVD dataset due to the vendors reporting vulnerabilities and the programming languages they use. If a major contributor primarily uses C as its programming language, vulnerabilities commonly found in C programs are more likely to appear. This bias is mitigated by the scoring metric that considers average CVSS score along with the most frequently reported CWEs.
The CVE/NVD dataset is also biased towards certain types of weaknesses, as some vulnerability researchers and detection tools excel at finding specific weaknesses while struggling with others. As a result, certain types of weaknesses may be underrepresented in the 2019 CWE Top 25.
Furthermore, gaps or mischaracterizations in the CWE hierarchy itself can lead to incorrect mappings. The CWE Team continually works on remapping to address these content gaps and issues.
Metric Bias
The metric used indirectly prioritizes implementation flaws over design flaws, as implementation flaws are more prevalent within individual software packages. For example, a web application may have numerous cross-site scripting (XSS) vulnerabilities due to its large attack surface, while only having one instance of using an insecure cryptographic algorithm.
To analyze the CVE/NVD data, the CWE Team reviewed the CWE mappings of selected entries and remapped them to more appropriate CWE IDs. This involved using a broader range of CWE IDs and being stricter about labeling insufficient information. The remapping process was performed on thousands of CVE entries, resulting in a richer list of CWE IDs for NVD analysts to choose from. The remapped data was shared with NIST to update their CVE entries within NVD.
The remapping was done iteratively, and a more repeatable process was developed for future versions of the Top 25. The main activities involved remapping all CVE entries that were previously mapped to CWE categories. Instead of using categories, only weaknesses should be mapped. Automated keyword searches were also performed to find likely remaps to CWE entries that were not on NVD analysts' lists. Focus was placed on high-level CWE classes that could have more precise mappings.
Additionally, specific CVE entries were identified that indicated gaps in the CWE itself, where weaknesses did not have appropriate CWE mappings. The CWE-1003 view was updated to remove categories, ensure coverage with the most common CWE mappings, and change the structure to a hierarchy with only two levels.
The 2019 CWE Top 25 list differs from the 2011 list in terms of approach. The 2011 list was created through surveys and interviews, while the 2019 list was based on real-world vulnerabilities found in the National Vulnerability Database (NVD).
Due to this change, there are a few notable differences in the weaknesses included in the CWE Top 25. One of the biggest changes is the inclusion of higher-level CWEs that represent broader types of errors. These include CWE-119, CWE-20, CWE-200, and CWE-287. These high-level weaknesses serve as parent categories for more specific weaknesses that appeared in previous Top 25 lists. For example, CWE-119 is the parent of CWE-120, which was ranked #3 in 2011 but is not found on the 2019 list.
There are also changes in the ranking of certain weaknesses within potential chains of vulnerabilities. For example, CWE-787, which was not present in the 2011 list, is ranked #12 in 2019. CWE-787 is often part of a chain that starts with CWE-120, which was ranked #3 in 2011.
Additionally, a few entries in the 2019 CWE Top 25 list deserve attention. CWE-125 appears higher than expected at #5, possibly due to increased instances of complex exploit chains and improved detection methods after the Heartbleed vulnerability. CWE-416, CWE-611, and CWE-502 are new entries in the 2019 list at #7, #17, and #23, respectively, likely reflecting an increase in exploitation capability. Lastly, CWE-476 appears at #14 in 2019 but was not present in the 2011 Top 25, possibly due to the increased use of fuzzing.
Finally, CWE-20 and CWE-200 ranked #3 and #4, respectively, in the 2019 list. These are class-level weaknesses that represent well-known secure coding problem areas. The CWE Team acknowledges that more specific, lower-level weakness types may be needed in certain instances and aims to improve this in future versions of the CWE Top 25.