September 2019 saw the first update of the CWE/SANS Top 25 Most Dangerous Software Errors list since 2011. Unlike previous lists, it was calculated by analyzing actual reported vulnerabilities to determine their underlying weaknesses, so it is especially valuable for developers and software security professionals. Let’s have a look at the top-rated software weaknesses and see how they apply in practice to web application security.
How the 2019 Top 25 List Was Prepared
The CWE classification, or Common Weakness Enumeration, describes typical software errors that may lead to vulnerabilities. In the 2011 Top 25 list, weaknesses were ranked based on feedback from industry experts. In contrast, the CWE Top 25 for 2019 was put together by analyzing high-scoring vulnerabilities reported in 2017 and 2018 in NIST’s National Vulnerability Database (NVD). This meant determining their root cause, assigning them to weakness categories, and calculating overall scores. The highest scores were assigned to high-impact errors that are frequently made and easily exploited, so the 2019 list not only provides valuable information on the current state of software security, but can also serve as a quick reference guide for developers, administrators, and educators.
10 Most Dangerous Errors of 2019
Memory Management, Input Validation, and Information Access
As with previous lists of weaknesses and vulnerabilities, many errors are still related to memory management and input validation. The top danger by far, with an overall score of 75.56, is improper restriction of memory buffer operations, which can include buffer overflows, over-reads, and overruns. While commonly associated with lower-level languages that directly access memory, most notably C/C++, memory management errors can also affect applications and systems that rely on external libraries. An incorrect calculation of buffer size or a missing bounds check in a popular library can have serious consequences downstream, as demonstrated by the Heartbleed vulnerability. Other memory management errors that made the list include use after free, out-of-bounds read and write (CWE-787), and NULL pointer dereference (CWE-476).
9 of the top 25 items are related to untrusted inputs, including cross-site scripting (second overall score of 45.69), improper input validation (third place with 43.61), SQL injection, OS command injection (CWE-78), directory traversal, or the unrestricted upload of files of a dangerous type (CWE-434). This serves as a reminder that software inputs come in all shapes and sizes, and any input that could conceivably be generated or modified outside the application should be properly validated.
The last major error category is information access security. This includes weaknesses such as information exposure, where a program reveals more data than should be accessible to the user, and authentication and validation errors, such as improper authentication (CWE-287), incorrect permission assignment (CWE-269), and the use of hard-coded credentials (CWE-798). The presence of this class of errors in the top 25 confirms the high impact of data disclosure vulnerabilities and shows that information security must be considered at all stages of development and deployment.
Changes Since the 2011 Top 25
Despite changes in methodology compared to the 2011 Top 25 list, we can see many familiar issues still there, with buffer overflows, SQL injection, and cross-site scripting all making the top 10 again. (Note that in 2011, CWE-120 was listed for “Buffer Copy without Checking Size of Input”, or classic buffer overflow, while CWE-119 is a broader class of buffer-related errors.) Interestingly, many technical weaknesses have moved off the radar and are no longer listed for 2019, including:
- CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- CWE-311: Missing Encryption of Sensitive Data
- CWE-759: Use of a One-Way Hash without a Salt
- CWE-829: Inclusion of Functionality from an Untrusted Control Sphere (use of untrusted code)
- CWE-601: URL Redirection to Untrusted Site (open redirect)
- CWE-494: Download of Code Without Integrity Check
- CWE-676: Use of Potentially Dangerous Function
- CWE-134: Uncontrolled Format String
This could be a sign of improving security practices and more effective vulnerability management, as organizations and developers increasingly rely on specialized libraries and move away from brew-your-own implementations, especially for cryptography. However, many changed items correspond to the same basic issues – for example, CWE-807 “Reliance on Untrusted Inputs in a Security Decision” is not among the top weaknesses for 2019, but could still be a factor for vulnerabilities resulting from improper input validation.
Critical Errors for Web Application Security
The SANS list was compiled based on all reported vulnerabilities, not just those that affect web applications. However, by comparing it with the OWASP Top 10 Most Critical Web Application Security Risks for 2017, we can see some common themes. Unsurprisingly, the low-level memory management issues don’t directly apply to web development, where higher-level languages are used, but they make it into the OWASP list indirectly as “Using Components with Known Vulnerabilities”. However, as with the SANS list, issues related to input validation and data access security dominate, with injection vulnerabilities topping the OWASP list. Cross-site scripting is also present in both lists, as are XXE vulnerabilities (officially CWE-611 “Improper Restriction of XML External Entity Reference”).
Increased reliance on external libraries and frameworks, especially open source solutions, has improved many aspects of web application security – but at a price. If a vulnerability is found in a popular library, thousands of systems and applications can suddenly be open to attack. To ensure that existing and emerging threats are addressed, it’s vital to regularly scan your applications using an industrial-strength vulnerability scanner that can provably detect a wide array of vulnerabilities, including SQL Injection, Cross-site Scripting, XML External Entity Injection, and Command Injection.