CWE / SANS Top 25 Security Vulnerabilities

The 2021 CWE/SANS Top 25 list was developed through surveys and individual interviews with developers, senior security analysts, researchers, and suppliers.
The CWE Team compiled the list using published Common Vulnerabilities and Exposures (CVE) data, the CWE mappings recorded in the National Vulnerability Database (NVD), and the CVSS score of each CVE.
The severity of each weakness was then determined with a scoring algorithm. Because the approach is data-driven, a CWE Top 25 list of security vulnerabilities can be rebuilt automatically on a regular basis.

What is a CWE vulnerability?

The Common Weakness Enumeration (CWE) is a categorization scheme used to classify software vulnerabilities and weaknesses. It is maintained by an ongoing community project whose objectives are to understand software flaws and to develop automated tools that can discover, correct, and eliminate those problems.
Below is a brief list of the top software coding errors identified by CWE.

Top 25 security vulnerabilities

1. CWE-79: Improper neutralization of input during web page generation
2. CWE-119: Incorrect operation restriction within a memory buffer
3. CWE-416: Use After Free
4. CWE-200: Information Exposure
5. CWE-125: Out-of-bounds Read
6. CWE-89: Improper Neutralization of Special Elements used in an SQL Command
7. CWE-20: Improper Input Validation
8. CWE-190: Integer Overflow or Wraparound
9. CWE-352: Cross-Site Request Forgery (CSRF)
10. CWE-22: Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
11. CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
12. CWE-787: Out-of-bounds Write
13. CWE-287: Improper Authentication
14. CWE-476: NULL Pointer Dereference
15. CWE-732: Incorrect Permission Assignment for Critical Resource
16. CWE-434: Unrestricted Upload of File with Dangerous Type
17. CWE-611: Improper Restriction of XML External Entity Reference
18. CWE-400: Uncontrolled Resource Consumption
19. CWE-426: Untrusted Search Path
20. CWE-94: Improper Control of Generation of Code
21. CWE-772: Missing Release of Resource after Effective Lifetime
22. CWE-798: Use of Hard-coded Credentials
23. CWE-502: Deserialization of Untrusted Data
24. CWE-269: Improper Privilege Management
25. CWE-295: Improper Certificate Validation

Moreover, each entry on the Top 25 website comes with detailed guidance on preventing and repairing the weakness, which helps developers reduce and eliminate their security risks.

Which of the top 25 programming errors are the most dangerous?

1. Improper input validation:

CWE-20 concerns how a program handles the data flowing into it. If an application does not validate its input, that data can end up in places it was never meant to reach.

  • This mistake affects any program that receives data from outside itself.
  • Attackers can use it to execute arbitrary code or to alter the program's data flow. They can even embed harmful code in otherwise valid data to reach confidential information.
  • A secure application keeps its handling of incoming messages organized and checks them before use.

2. Out-of-bounds read:

CWE-125 has a score of 26.53, which reflects how widespread it is in applications. The weakness arises when a program's buffers place no bound on how much data the software reads.

  • Attackers can read memory locations, virtual addresses and other sensitive material.
  • When this error occurs, systems may crash.
  • Attackers frequently rely on buffer overflows and segmentation faults to exploit this flaw.
  • Errors like these can occur in C and C++ code. To mitigate this risk, developers should employ input validation techniques.

3. Incorrect operation restriction within a memory buffer:

CWE-119 has the highest score on the SANS Top 25, 75.56. With this weakness, the software can read past a buffer's set boundary. An attacker can overwrite 64 bits of memory, which can lead to malicious code being executed.

  • These attacks corrupt security-critical data and an application's memory.
  • Vulnerabilities in this area let attackers obtain sensitive data, modify control flow, crash devices, and execute arbitrary code.
  • The programming language, processor architecture, and platform all influence the impact. Languages and runtimes that manage memory for the programmer help reduce this problem.
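As an added example (not from the CWE list or the original article), the C fragment below places the unchecked record parsing that produces CWE-125 and CWE-119 beside its hardened form, where the length check is the input validation (CWE-20) the text calls for. The one-byte-length wire format, the function names and the sample records are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed wire format for this example: one length byte, followed by
 * that many payload bytes. The parser must never trust the length byte alone. */
#define MAX_PAYLOAD 16

/* Vulnerable form (CWE-20 leading to CWE-125/CWE-119): the declared length
 * is used as-is. A record that claims more bytes than were received makes
 * memcpy read past msg; one that claims more than MAX_PAYLOAD makes it write
 * past out. Only safe to call on input that is already known to be valid. */
static size_t parse_record_unchecked(const uint8_t *msg, size_t msg_len,
                                     uint8_t out[MAX_PAYLOAD])
{
    (void)msg_len;                      /* the real bound is ignored */
    size_t len = msg[0];                /* attacker-controlled length */
    memcpy(out, msg + 1, len);          /* no check against either buffer */
    return len;
}

/* Hardened form: validate the declared length against the bytes actually
 * received and against the destination capacity before touching memory.
 * Returns the payload length, or -1 if the record is malformed. */
static int parse_record_checked(const uint8_t *msg, size_t msg_len,
                                uint8_t out[MAX_PAYLOAD])
{
    if (msg == NULL || msg_len < 1)
        return -1;                      /* not even a length byte present */
    size_t len = msg[0];
    if (len > MAX_PAYLOAD)
        return -1;                      /* would write past out (CWE-787) */
    if (len > msg_len - 1)
        return -1;                      /* would read past msg (CWE-125) */
    memcpy(out, msg + 1, len);
    return (int)len;
}

/* Constructed sample records. */
static const uint8_t good_record[]  = { 0x04, 'A', 'B', 'C', 'D' };
/* Claims 10 payload bytes but only 2 follow: the classic out-of-bounds read bait. */
static const uint8_t short_record[] = { 0x0A, 'X', 'Y' };
```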

4. Information exposure:

Unauthorized users can gain access to data through CWE-200. Cryptographic timing errors are a primary source of information exposure. Exposed scripts may reveal a complete program.

  • Knowing what information is exposed helps anticipate the severity of these exposures.
  • An attacker can gain access to private communications, financial data, company secrets, network configuration, and more.
  • Designers and developers can construct ‘safe’ zones within their systems and restrict system privileges to mitigate this risk.
