Which software security issues should your company pay the most attention to? In August, government-funded researcher MITRE gave companies guidance by publishing its latest metric-based rankings of software errors.
The 2020 CWE Top 25 Most Dangerous Software Weaknesses report uses data from the National Vulnerability Database, which assigns one or more weaknesses to each vulnerability to create a score using an average of both frequency and relative severity for each CWE category. While the list was issued in 2020, the actual data comes from the prior two years.
The value of the list is that companies can use it to standardize developer education and make sure their software development processes are set to catch these issues, said Jonathan Knudsen, senior security strategist at software security firm Synopsys.
"We want people to be aware of these things so that developers don't make the same mistakes, but we also really need to focus on process. We really need to make sure that we are catching everything on this list before it goes into production."
—Jonathan Knudsen
Yet companies may not just want to start with vulnerability No. 1 and work their way down.
The top two issues in 2020 exemplify the impact of the two factors. Cross-site scripting (XSS) issues (CWE-79) are common, with 3,788 issues under that classification, but not generally severe, with an average Common Vulnerability Scoring System (CVSS) score of 5.8. However, allowing programs to write to what should be non-writable memory (CWE-787, or "out-of-bounds write") accounts for fewer issues—2,225, for the two years under consideration—but has a much higher severity, of 8.3.
Overall, the balance between how common a certain type of software error has become and the severity of those errors can serve to educate developers and application security professionals on where they need to spend their limited time.
Here are five lessons from MITRE's CWE list.
1. Most issues continue to be common
In 2020, XSS became the top weakness on the list, rising from its No. 2 slot in the previous year's scoring chart, while buffer overflows (CWE-119) dropped from No. 1 in the 2019 list to No. 5 this year.
However, while the exact order shifts from year to year, these issues are a perennial problem, said Chris Romeo, CEO and co-founder of Security Journey, a security education startup. In fact, eight of the top 10 weaknesses remained the same between 2019 and 2020. And the issues show up in other top vulnerability lists as well, he said.
"We’ve been battling cross-site scripting—No. 1 on the CWE list, No. 7 on OWASP Top 10 2017—and SQL injection—No. 6 on CWE, No. 1 on OWASP Top 10 2017—for decades, and yet they still exist near the top of this list."
—Chris Romeo
2. 'Dangerous' depends on your company
While the list combines severity and relative frequency of different CWEs to order the list of software weaknesses, severity alone may be a better measure for many companies. While SQL injection is the No. 6 most "dangerous" vulnerability on the list, the software weakness has the highest average CVSS score—8.98 for the dataset used in 2020, and 9.13 for the dataset used in 2019. Companies that have found SQL injection issues in their own code may want to move that issue to the top of their own lists.
The discussion of the list by MITRE outlines several biases in the rankings, including that vendors that report a lot of vulnerabilities will skew the list toward classes specific to the language they use in their development, which may not be applicable to another company.
"If one of the largest contributors to (the database) primarily uses C as its programming language, the weaknesses that often exist in C programs are more likely to appear. Fuzzing programs can be very effective against memory-based programs, so they may find many more vulnerabilities."
3. Don't try to tackle the whole list
Trying to take on 25 different issues can be overwhelming, but the magic of the Top 25 list is that vulnerabilities classes are already prioritized for the organization—at least by one specific metric. The list is clear about what factors are considered and how the score is calculated. The result: Companies can determine which software weaknesses are most applicable to their application-security program.
And they should. By focusing on one or two classes of vulnerabilities and making them a priority, development teams can try to eliminate them from their software, said Security Journey's Romeo.
"The takeaway here is that organizations need to make their own Top 25, and then build a plan to hyper-focus on eliminating a single class of vulnerability. Imagine a company where they have squashed XSS because they have libraries that enforce proper output encoding."
—Chris Romeo
4. Teaching is not enough
While the list is focused on code-level bugs, a lot of the issues have their foundation in bad design, so companies should make sure that their application-security program extends to the software design stage.
Yet educating developers is not enough. Even well-trained and knowledgeable developers make mistakes, so the development process needs to be designed to catch issues, said Synopsys' Knudsen.
"You can improve the security awareness of your developers and teach them mistakes they shouldn't make when they write new code, but ultimately they are human, so what you really need to be doing is improving the process around them. You need automated testing to catch these things."
—Jonathan Knudsen
5. A common threat in many classes
Finally, while the list has 25 specific weaknesses, many of those have a common factor: Failing to validate untrusted inputs to the program. If nothing else, companies need to train developers to never trust data coming from outside the code, said Romeo.
"A lack of proper input validation enables almost everything on this list. Stick to the fundamentals of input validation and output encoding, and you’ll eliminate many of these problems from your products and applications."
—Chris Romeo
In the end, the CWE Top-25 is a good start, but companies needs to customize the list to their own needs. While training developers is always good for security, building the list into your company's process will lead to better coverage and consistency.
Keep learning
The future is security as code. Find out how DevSecOps gets you there with TechBeacon's Guide. Plus: See the SANS DevSecOps survey report for key insights for practitioners.
Get up to speed fast on the state of app sec testing with TechBeacon's Guide. Plus: Get Gartner's 2021 Magic Quadrant for AST.
Get a handle on the app sec tools landscape with TechBeacon's Guide to Application Security Tools 2021.
Download the free The Forrester Wave for Static Application Security Testing. Plus: Learn how a SAST-DAST combo can boost your security in this Webinar.
Understand the five reasons why API security needs access management.
Learn how to build an app sec strategy for the next decade, and spend a day in the life of an application security developer.
Build a modern app sec foundation with TechBeacon's Guide.
