In late 2019, the US industry non-profit MITRE Corporation updated what has become possibly the most famous software security issue ranking in computing, the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, which was originally launched in 2011 as a development of earlier lists.
The 2019 update represented a major upgrade in terms of the methodology behind it, as well as its usefulness for cybersecurity professionals. Where the 2011 list was created using more of an ad-hoc feedback from a relatively small number of experts and organizations, the more recent CWE Top 25 was based on hard data from NIST’s National Vulnerability Database (NVD) of 25,000 high-scoring Common Vulnerability and Exposure (CVE) entries from 2017 and 2018, combined with their industry Common Vulnerability Scoring System (CVSS) v3.0 ratings.
Resetting the CWE Top 25 for real-world relevance
The change of methodology is significant, so much so that it’s possible to argue that the 2019 CWE Top 25 lists represents almost a complete reset. Given how the software world has changed in the last decade, the reform is long overdue.
Where the original CWE Top 25 performed the important task of drawing people’s attention to important classes of software error, the 2019 update backs this up with the rigor of real-world data.
Making sense of the new CWE Top 25 requires untangling its moving parts, the first of which is simply understanding what it is measuring. The simplest answer is that it’s a list of the common classes of programming errors that cause defects when they occur in real software programs.
As MITRE explains: “These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working.”
Although this focus on classes of programming errors is not new, the way the classes are ranked is now based on more objective criteria. For example, the top-ranked weakness in the CWE Top 25 by some distance is Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) with a score of 75.56. This covers a wide range of common memory-related programming errors such as the classic memory buffer overflow, but what put CWE-119 at the top? As alluded to, it’s a simple mapping that tots up the number of CVE-level flaws with higher CVSS ratings - the more common a weakness, and the more severe the outcomes of that weakness, the higher the CWE placing.
The 2011 version had placed Improper Neutralization of Special Elements used in an SQL Command (SQL Injection), CWE-89, at the top of the worry list, which now drops to number six. This is not to say that CWE-89 is no longer prevalent or important. At the same time, in a single jump, the focus of anyone reading the list is redirected to different weaknesses. This makes the CWE Top 25 easier to understand and, for professionals tasked with the job of patching flaws, easier to act upon.
Software vendors or specific programs that have a lot of CWE weaknesses near the top of the list tell a story of its own. For instance, over time, should these weaknesses persist, software buyers can form their own judgments about the security design lifecycle and associated risks that they present.
The advantage of this new approach is that because is it based on real-world data rather than anecdotal reports, the CWE Top 25 becomes a measure of what matters most. Indeed, in light of the current Coronavirus/COVID-19 worldwide health emergency and the need for millions of people to work from home, the software security issues associated with remote access, VPN and teleworking, for example, become more important than ever.
For this reason, it is important to consider the need to create "localized" versions of the CWE rankings most applicable to a particular organization based some additional criteria, including the types of software components used and the types of sensitive data involved.
Attack sequences
Interestingly, the new CWE Top 25 might also have a longer-term influence on the way the industry views CVEs themselves. These were introduced by MITRE in the 1990s to identify public software vulnerabilities at a time when these had started to increase in number and frequency. This system is now an essential foundation for managing and patching vulnerabilities, but there is still a tendency to view CVE-level flaws as entities separate from one another.
Aligning them with the CWE ranking, which also considers criticality and causality, reveals deeper patterns that can help software companies prioritize their security development lifecycle going forward.
Another important and already established dimension of the CWE Top 25 is that it sets out not simply to identify and describe weaknesses, but to explain them in a real-world context. A good example of this is the idea of chains and composites. As its name suggests, this is a chain in a sequence of weaknesses in which the first gives rise to the conditions necessary for subsequent weaknesses. A composite, by contrast, is a combination of two or more separate weaknesses that must occur at the same time.
For cyber attacks to bundle up CVEs and weaknesses has been a common tactic in high-profile attacks for some time. One high-profile example is the infamous EternalBlue MS17-010 exploit that leveraged three different software security issues to accomplish remote code execution. What’s instructive is that the attackers needed each component for the others to work effectively, or at all.
This tells defenders something very important – while it’s important to patch all of the software security issues in a timely manner, with modern attacks, even if one of the related software security issues is patched, it can often be possible to disrupt the attack involving multiple vulnerabilities tied to different programming weaknesses.
As in its predecessors, in the 2019 CWE Top 25, this is expressed through CanPrecede and CanFollow relationships which allow security professionals to trace dependencies through CWE identifiers. Although not new as such, the revised design does make it possible to start with common and severe weaknesses near the top of the Top 25, connecting them to less common and less severe ones further down that might previously have been ignored as marginal examples.
What counts here is that the relationships between weakness classes is enhanced by being based on a ranking that reflects the vulnerability security teams experience.
A resource, not a prescription
As worthy as the 2019 reformulation might be, the CWE Top 25 was never intended to be enough on its own: it must always be used as a resource rather than a prescription. Also, it is important to keep in mind that the ranking may need to be adjusted based of the target environment and the types of the software components used as not all of the software security issues are applicable to all environments.
Still, the CWE Top 25 can work well as a map to give context to other systems for prioritizing software vulnerabilities such as CVEs. In a sense it operates as a mirror into the world of cybercriminal development which locks into common software problems, and gives defenders important clues to counter the problems. These should be figured into the context of what's critical for a given organization or environment and the software components used, so security teams stand the best chance at mitigating the biggest threats to their businesses.