The SANS Institute designs numerous programs for the purpose of security professionals around the globe. This exceptional organization collectively brings the seasoned security practitioners in order to provide essential information security practices with security certification. In addition to the various research documents, this organization is also present at the core of the Internet Storm Centre.

The SANS Institute created the Common Weakness Enumeration (CWE)/ SANS 25 with ‘MITRE’ which is a non-profit research organization. This program defines software security vulnerabilities that are encountered by the software developers in the entire duration of the lifecycle of software development. With this very list, several organizations can remain vigilant on critical errors likely to have damaging effects on their software.

The qualified and professional CWE team did release the upgraded version of the Top 25 list. With the CWE mappings from (NIST), the National Institute of Standards and Technology, compilers utilized CVE data as well as a scoring system so as to determine the frequency of every weakness.

 

Rank ID Name Score 2020 Rank Change
CWE-787 Out-of-bounds Write 65.93 +1
CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 46.84 -1
CWE-125 Out-of-bounds Read 24.9 +1
CWE-20 Improper Input Validation 20.47 -1
CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 19.55 +5
CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 19.54 0
CWE-416 Use After Free 16.83 +1
CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.69 +4
CWE-352 Cross-Site Request Forgery (CSRF) 14.46 0
CWE-434 Unrestricted Upload of File with Dangerous Type 8.45 +5
CWE-306 Missing Authentication for Critical Function 7.93 +13
CWE-190 Integer Overflow or Wraparound 7.12 -1
CWE-502 Deserialization of Untrusted Data 6.71 +8
CWE-287 Improper Authentication 6.58 0
CWE-476 NULL Pointer Dereference 6.54 -2
CWE-798 Use of Hard-coded Credentials 6.27 +4
CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 5.84 -12
CWE-862 Missing Authorization 5.47 +7
CWE-276 Incorrect Default Permissions 5.09 +22
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor 4.74 -13
CWE-522 Insufficiently Protected Credentials 4.21 -3
CWE-732 Incorrect Permission Assignment for Critical Resource 4.2 -6
CWE-611 Improper Restriction of XML External Entity Reference 4.02 -4
CWE-918 Server-Side Request Forgery (SSRF) 3.78 +3
CWE-77 Improper Neutralization of Special Elements used in a Command (‘Command Injection’) 3.58 +6

Source – https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html

Evaluation and Comment

The prime distinction between the two 2020 and 2021 CWE Top 25 is the constant transition to more particular weaknesses as countered to abstract, class-level shortcomings. A preliminary estimation insinuates that the percent of Base-level CWEs has reached 71% from a mere 60% of all 25 entries, and the percent of Class-level CWEs has fallen to 20% from 30% of entries. All other weakness levels such as compound, category, and variant are relatively unaffected.

Despite the fact that a few class-level weaknesses are yet existent on the list, they have decreased remarkably in the ranking, owing to the arrangement in the remapping task. This movement is anticipated to prolong in future years due to the fact that the community enhances its mappings to much more specific weaknesses.

Because of the relative deterioration of class-level weaknesses, more particular CWEs have budged up in order to take the place of the high-level classes, for example, CWE-78 (Improper Neutralization of Special Elements utilized in an ‘OS’ Command ), CWE-434 (Unrestricted Upload of File by means of Dangerous Type), CWE-22 (Improper constraint of a Pathname on to a Restricted Directory), CWE-862 (Missing Authorization), CWE-502 (Deserialization of Untrusted Data), CWE-306 (Absence of Authentication for Critical Function), CWE-276 (Improper Default Permissions). All the succeeding future movements will incredibly benefit the users that are trying to comprehend the genuine issues that can harm the present systems, as the 25 Team are certain of the fact that Base-level weaknesses are far more illuminating to stakeholders as compared to the Class-level weaknesses.

Ways to Get Rid of these Top 25 Software Errors

  1. SANS Application Security Courses

The SANS application security set of courses intends to instill security inside the minds of each and every developer around the world by offering world-class educational resources to strategize, develop, obtain, deploy, as well as manage secure software.

  1. Developer Security Awareness Guidance

The Security Awareness Developer product offers precise software security awareness training, all from the ease and comfort of the desk. Application security awareness Guidance encompasses more than 30 modules averaging 7-10 minutes in duration to augment learner retention and engagement.

  1. Regular posting on the SANS and MITRE Sites

MITRE retains the Common Weakness Enumeration (CWE) website, with the encouragement and support of the US ‘Department of Homeland Security’s National Cyber Security Division’, presenting comprehensive descriptions of the topmost 25 Software errors with authoritative direction for mitigating along with avoiding them.

  1. Safe Code

For the attainment of the Excellence in Code (members comprise EMC, Microsoft, Juniper, SAP, Nokia, and Symantec), the Software Assurance Forum has established two brilliant publications defining top-notch industry practices for software assurance as well as offering practical advice for the implementation of proven ways for secure software development.

  1. DHS Web Sites and Software Assurance Community Resources Site

As a division of DHS risk mitigation attempts to allow an incredible resilience of the cyber assets, the Software Assurance Program aims to decrease software vulnerabilities, lessen exploitation, and address methods to routinely attain, develop, and deploy trustworthy and reliable software products with estimated execution, and so as to enhance diagnostic capabilities to evaluate systems for the exploitable weaknesses.