CWE Top 25 2021. What is it, what is it for and how is it useful for static analysis?

For the first time PVS-Studio provided support for the CWE classification in the 6.21 release. It took place on January 15, 2018. Years have passed since then and we would like to tell you about the improvements related to the support of this classification in the latest analyzer version.

We position the PVS-Studio analyzer as a Static Application Security Testing (SAST) tool. This means our analyzer not only detects typos and errors in code, but also searches for potential vulnerabilities and correlates them with various standards (CWE, OWASP, SEI CERT, MISRA, AUTOSAR, etc.). Why potential vulnerabilities? Because potential vulnerabilities (CWE) may become real vulnerabilities (CVE) only if someone exploits them. And to make it happen many, sometimes unrelated, factors must often coincide.

That’s why we decided to check how well PVS-Studio covers the most common defects now. To do this, it’s enough to refer to the CWE Top 25 list. Somehow, we missed this list. Well, it’s time to make amends!

CWE. What this is and what it is for

Let’s refresh some moments and definitions in memory. If you’re already good at terminology and know the difference between CVE and CWE, why we need CVSS and how CWE Top 25 is ranked, you can skip this part. Otherwise, I strongly recommend that you refresh those terms before you read the article. Below is a rather free interpretation of some points of CWE FAQ and CVE FAQ:

How does a software defect differ from a software vulnerability?

Defects are errors, failures and other problems of implementation, design or architecture of the software that can lead to vulnerabilities.

Vulnerabilities are errors that have already been found by someone. Attackers may use these vulnerabilities to get access to a system or a network, to disrupt services, etc.

What is CWE? How is it different from CVE and what does CVSS have to do with it?

• CWE (Common Weakness Enumeration) is a general list of security defects.
• CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities and defects found in various software.
• CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.

What is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application’s operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource. It helps developers, testers, users, project managers, security researchers and teachers. They use this list to get an idea of the most common and dangerous security defects now.

What is an algorithm to compile and rank the CWE Top 25 list?

To create the current version of CWE Top 25, the CWE Team used data from U.D National Vulnerability Database (NVD) for 2019–2020. Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the frequency, with which a defect (CWE) is the main cause of a vulnerability, and the potential danger of exploitation. The team made the formula that way, so it normalizes the frequency and predicted severity relative to their minimum and maximum values.

To obtain the frequency of mentions, the formula calculates how many times CVE referred to CWE within the NVD. The formula uses only those CVEs, which have a reference to CWE. If the formula uses the full data set, it will lead to very low frequency rates and an insignificant difference amongst the different types of defects.

Freq = {count(CWE_X’ ∈ NVD) for each CWE_X’ in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) — min(Freq)) / (max(Freq) — min(Freq))

Another important component of the scoring formula is a defect’s severity. The following formula calculates it:

Sv(CWE_X) = (average_CVSS_for_CWE_X — min(CVSS)) / (max(CVSS) — min(CVSS))

At the end, the final score is calculated by multiplying the frequency of mention by the severity score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

This approach introduces a bias by analyzing only detected vulnerabilities and can potentially exclude a significant part of data. Although, the CWE Team believes that this approach helps to compile a more accurate CWE Top 25 list every year.

Is the Top 25 updated annually?

Yes, it is. For information about previous versions, visit CWE Top 25 archive.

Who participates in the development of CWE Top 25?

The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in elimination of software defects. You can get a list of CWE Team members on the “CWE Community Members” page.

Why should I know that?

Today, developers use CWE as the main tool when discussing the elimination and / or minimizing security defects in the architecture, design, code, and software implementation. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing, and minimizing negative consequences.

Can you give us examples of errors?

The CWE classification covers the most common problems with the development of software and various equipment. For example:

• software defects: buffer overflows; errors in format strings; structure and data validation problems; common special elements manipulation; channel and path errors; handler errors; UI errors; pathname traversal and equivalence errors; authentication errors; resource management errors; insufficient data verification; code evaluation and injection problems; randomness and predictability problems;
• hardware defects: core and computation errors typically associated with CPUs, graphics, Vision, AI, FPGA, and uControllers; privilege separation and access control issues related to the identification and policy, shared resources, locking controls, and other features and mechanisms; power, clock, and reset concerns related to voltage, electrical current, temperature, clock frequency control and state saving/restoring.

Read more about classification on the cwe.mitre.org website.

The situation today

We have been using the CWE classification for PVS-Studio diagnostics for more than three years. Their number increases every year. In 2018, we covered only 94 points on the CWE list. Now it’s almost 130. However, this article isn’t about the total number of diagnostics. Let’s talk about those that are included in the list of the most dangerous diagnostics in 2021. If you want to read the full list, you can get it in the “CWE compliance” section of our documentation.

Below is a table of correspondence between the CWE Top 25 2021 list and the PVS-Studio diagnostics, divided by programming languages. In the future, we are going to regularly update the table with the CWE Top 25 coverage on our website.

The table shows that PVS-Studio now covers 52% (13 out of 25) of the CWE Top 25 2021 list. It seems that 52% is not so much. However, we continue to develop diagnostics further. In the future we will be able to find even more defects. If we reduce this list to the 10 most dangerous and common defects, the picture becomes clearer — the total coverage grows to 80%. But this is a completely different story.

Changes in the CWE Top 25 over the past year

For the most sophisticated, I suggest looking at a brief statistic on movements in the CWE Top 25 over the past year.

The five biggest upshifts:

#CWE IDNamePosition in 2020Position in 2021Annual change1CWE-276Incorrect Default Permissions411922▲2CWE-306Missing Authentication for Critical Function241113▲3CWE-502Deserialization of Untrusted Data21138▲4CWE-862Missing Authorization25187▲5CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)31256▲

The five biggest downshifts:

#CWE IDNamePosition in 2020Position in 2021Annual change1CWE-200Exposure of Sensitive Information to an Unauthorized Actor72013▼2CWE-119Improper Restriction of Operations within the Bounds of a Memory Buffer51712▼3CWE-94Improper Control of Generation of Code (‘Code Injection’)172811▼4CWE-269Improper Privilege Management22297▼5CWE-732Incorrect Permission Assignment for Critical Resource16226▼

Most of the CWEs presented in the table above belong to categories that are difficult to analyze. We can explain their rating decline (and their appearance in this table). The community has improved its educational, instrumental, and analytical capabilities, thereby reduced the frequency of mentioning errors related to these categories.

«Newbies» in the Top 25:

#CWE IDNamePosition in 2020Position in 2021Annual change1CWE-276Incorrect Default Permissions411922▲2CWE-918Server-Side Request Forgery (SSRF)27243▲3CWE-77Improper Neutralization of Special Elements used in a Command (‘Command Injection’)31256▲

And in the end — the defects that were dropped out of the CWE Top 25 in 2021:

#CWE IDNamePosition in 2020Position in 2021Annual change1CWE-400Uncontrolled Resource Consumption23274▼2CWE-94Improper Control of Generation of Code (‘Code Injection’)172811▼3CWE-269Improper Privilege Management22297▼

Conclusion

I hope you enjoyed this article and understood the current terminology.

Fortunately, static analyzers help us fight potential vulnerabilities. Therefore, I suggest that you download and test the PVS-Studio static analyzer with your project. Maybe a couple of CWEs crept into your code and are about to become CVE

Additional links: