The SANS Institute designs numerous programs for the purpose of security professionals around the globe. This exceptional organization collectively brings the seasoned security practitioners in order to provide essential information security practices with security certification. In addition to the various research documents, this organization is also present at the core of the Internet Storm Centre.
The SANS Institute created the Common Weakness Enumeration (CWE)/ SANS 25 with ‘MITRE’ which is a non-profit research organization. This program defines software security vulnerabilities that are encountered by the software developers in the entire duration of the lifecycle of software development. With this very list, several organizations can remain vigilant on critical errors likely to have damaging effects on their software.
The qualified and professional CWE team did release the upgraded version of the Top 25 list. With the CWE mappings from (NIST), the National Institute of Standards and Technology, compilers utilized CVE data as well as a scoring system so as to determine the frequency of every weakness.
| Boudouaou Rank | ID | Name | Score | 2020 Rank Change |
| [1] | CWE-787 | Out-of-bounds Write | 65.93 | +1 |
| [2] | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 46.84 | -1 |
| [3] | CWE-125 | Out-of-bounds Read | 24.9 | +1 |
| [4] | CWE-20 | Improper Input Validation | 20.47 | -1 |
| [5] | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 19.55 | +5 |
| [6] | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 19.54 | 0 |
| [7] | CWE-416 | Use After Free | 16.83 | +1 |
| [8] | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.69 | +4 |
| [9] | CWE-352 | Cross-Site Request Forgery (CSRF) | 14.46 | 0 |
| [10] | CWE-434 | Unrestricted Upload of File with Dangerous Type | 8.45 | +5 |
| [11] | CWE-306 | Missing Authentication for Critical Function | 7.93 | +13 |
| [12] | CWE-190 | Integer Overflow or Wraparound | 7.12 | -1 |
| [13] | CWE-502 | Deserialization of Untrusted Data | 6.71 | +8 |
| [14] | CWE-287 | Improper Authentication | 6.58 | 0 |
| [15] | CWE-476 | NULL Pointer Dereference | 6.54 | -2 |
| [16] | CWE-798 | Use of Hard-coded Credentials | 6.27 | +4 |
| [17] | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 5.84 | -12 |
| [18] | CWE-862 | Missing Authorization | 5.47 | +7 |
| [19] | CWE-276 | Incorrect Default Permissions | 5.09 | +22 |
| [20] | CWE-200 | Exposure of Sensitive Information to an Unauthorized Actor | 4.74 | -13 |
| [21] | CWE-522 | Insufficiently Protected Credentials | 4.21 | -3 |
| [22] | CWE-732 | Incorrect Permission Assignment for Critical Resource | 4.2 | -6 |
| [23] | CWE-611 | Improper Restriction of XML External Entity Reference | 4.02 | -4 |
| [24] | CWE-918 | Server-Side Request Forgery (SSRF) | 3.78 | +3 |
| [25] | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 3.58 | +6 |
Source – https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html
Evaluation and Comment
The prime distinction between the two 2020 and 2021 CWE Top 25 is the constant transition to more particular weaknesses as countered to abstract, class-level shortcomings. A preliminary estimation insinuates that the percent of Base-level CWEs has reached 71% from a mere 60% of all 25 entries, and the percent of Class-level CWEs has fallen to 20% from 30% of entries. All other weakness levels such as compound, category, and variant are relatively unaffected.
Despite the fact that a few class-level weaknesses are yet existent on the list, they have decreased remarkably in the ranking, owing to the arrangement in the remapping task. This movement is anticipated to prolong in future years due to the fact that the community enhances its mappings to much more specific weaknesses.
Because of the relative deterioration of class-level weaknesses, more particular CWEs have budged up in order to take the place of the high-level classes, for example, CWE-78 (Improper Neutralization of Special Elements utilized in an ‘OS’ Command ), CWE-434 (Unrestricted Upload of File by means of Dangerous Type), CWE-22 (Improper constraint of a Pathname on to a Restricted Directory), CWE-862 (Missing Authorization), CWE-502 (Deserialization of Untrusted Data), CWE-306 (Absence of Authentication for Critical Function), CWE-276 (Improper Default Permissions). All the succeeding future movements will incredibly benefit the users that are trying to comprehend the genuine issues that can harm the present systems, as the 25 Team are certain of the fact that Base-level weaknesses are far more illuminating to stakeholders as compared to the Class-level weaknesses.
Ways to Get Rid of these Top 25 Software Errors
- SANS Application Security Courses
The SANS application security set of courses intends to instill security inside the minds of each and every developer around the world by offering world-class educational resources to strategize, develop, obtain, deploy, as well as manage secure software.
- Developer Security Awareness Guidance
The Security Awareness Developer product offers precise software security awareness training, all from the ease and comfort of the desk. Application security awareness Guidance encompasses more than 30 modules averaging 7-10 minutes in duration to augment learner retention and engagement.
- Regular posting on the SANS and MITRE Sites
MITRE retains the Common Weakness Enumeration (CWE) website, with the encouragement and support of the US ‘Department of Homeland Security’s National Cyber Security Division’, presenting comprehensive descriptions of the topmost 25 Software errors with authoritative direction for mitigating along with avoiding them.
- Safe Code
For the attainment of the Excellence in Code (members comprise EMC, Microsoft, Juniper, SAP, Nokia, and Symantec), the Software Assurance Forum has established two brilliant publications defining top-notch industry practices for software assurance as well as offering practical advice for the implementation of proven ways for secure software development.
- DHS Web Sites and Software Assurance Community Resources Site
As a division of DHS risk mitigation attempts to allow an incredible resilience of the cyber assets, the Software Assurance Program aims to decrease software vulnerabilities, lessen exploitation, and address methods to routinely attain, develop, and deploy trustworthy and reliable software products with estimated execution, and so as to enhance diagnostic capabilities to evaluate systems for the exploitable weaknesses.
