CWE Top 25 2022. Overview of changes

The CWE Top 25 list reflects the most serious software security weaknesses. This article walks through the updated list and reviews the changes over the past year.


We position the PVS‑Studio analyzer not only as a tool for finding errors in code, but also as a tool for static application security testing (SAST). For understanding trends and planning diagnostic rules, there is nothing better than looking at the latest list of the most relevant security issues. There are several such lists, for example OWASP Top 10, SANS Top 25 and the CWE Top 25 already mentioned above.

By the way, last year we already wrote an overview of the changes in CWE Top 25 2021. If you wish, you can read it here.

A bit of theory

For a better understanding of the context, it does not hurt to brush up on the main points. To do this, I will briefly go over the following topics:

  • how CVE differs from CWE;
  • why CVSS is needed;
  • what NVD and KEV are;
  • how the CWE Top 25 2022 list is ranked.

If you are already comfortable with these topics, you can safely skip this section; otherwise I recommend reading it, since the rest of the article builds on it. What follows is a fairly free translation and interpretation of some points from the CWE FAQ and CVE FAQ:

How does a “weakness” (defect) differ from a software vulnerability?

Defects (weaknesses) are errors, failures and other problems in the implementation, design or architecture of software that can lead to vulnerabilities.

Vulnerabilities are bugs already found by someone that can be directly used by attackers to gain access to a system or network, disrupt services, and so on.

What is CWE, how is it different from CVE, what does CVSS have to do with it and where did KEV come from?

  • CWE (Common Weakness Enumeration) – a list of security weaknesses (defects).
  • CVE (Common Vulnerabilities and Exposures) – a list of vulnerabilities found in software.
  • CVSS (Common Vulnerability Scoring System) – a numerical score showing the potential criticality of a vulnerability (CVE). It is based on a standardized set of characteristics.
  • KEV (Known Exploited Vulnerabilities) – a catalog of vulnerabilities known to be exploited in the wild.

And why should I even know about CWE?

Today, CWE is used as a primary tool when discussing the elimination and/or mitigation of security flaws in software architecture, design, code, and implementation. Organizations use CWE as a standard measure for evaluating software security testing tools and as a common baseline for identifying, preventing, and mitigating negative impacts.


What is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common weaknesses. These flaws are dangerous because they are often easy to find and exploit. They can allow attackers to interfere with an application, steal data, or even completely take over the system. The CWE Top 25 is a valuable community resource that can help you get an idea of the most common and dangerous security flaws right now.

What is the algorithm for compiling and ranking the CWE Top 25 2022 list?

The main sources of information for the study this year were:

  • US National Vulnerability Database (NVD) 2020-2021;
  • the Cybersecurity and Infrastructure Security Agency (CISA) Known Exploited Vulnerabilities (KEV) catalog, as compiled in November 2021.

The research team remapped the collected data using the “View-1003” view to reduce the specificity of entries. For example, CWE‑122 (Heap-based Buffer Overflow) is mapped to its base weakness CWE‑787 (Out-of-bounds Write). Entries in the following categories were also filtered out:

  • no CVSS score;
  • marked as rejected;
  • for which there is no CVE -> CWE mapping;
  • belonging to the “CWE‑Other” and “NVD-CWE‑noinfo” categories.

Next, the research team applied their own formula to calculate the ranking order, taking into account the frequency with which a given weakness (CWE) is the root cause of a vulnerability and the potential severity of its exploitation. Frequency and predicted severity are normalized to their minimum and maximum values. To calculate the mention frequency, the formula counts how many times CVEs in the NVD database reference each CWE.

Freq = {count(CWE_X’ ∈ NVD) for each CWE_X’ in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) – min(Freq)) / (max(Freq) – min(Freq))

Another important component of the ranking formula is the severity of the weakness, which is calculated as:

Sv(CWE_X) = (average_CVSS_for_CWE_X – min(CVSS)) / (max(CVSS) – min(CVSS))

Finally, the overall score is the product of the mention frequency score and the severity score:

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
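To make the ranking procedure concrete, here is an added example (not the MITRE team's own code) that runs the filtering, View-1003 remapping and the three formulas above over a small constructed set of NVD-style records. The CVE identifiers and scores are made up, the View-1003 table is a stub containing only the CWE‑122 → CWE‑787 case named in the text, and min(CVSS)/max(CVSS) are taken over all retained CVSS scores, which is an interpretation of the formula rather than something the article states.

```python
"""Worked example of the CWE Top 25 ranking formula.

Added illustration, not MITRE's code. All CVE records below are constructed;
the View-1003 remap table is an assumed stub with a single entry.
"""
from collections import defaultdict

# Constructed NVD-style records: (cve_id, cwe_id, cvss, status)
SAMPLE_NVD = [
    ("CVE-0000-0001", "CWE-787", 9.8, "analyzed"),
    ("CVE-0000-0002", "CWE-122", 7.5, "analyzed"),   # remapped to CWE-787 by View-1003
    ("CVE-0000-0003", "CWE-787", 8.8, "analyzed"),
    ("CVE-0000-0004", "CWE-79", 6.1, "analyzed"),
    ("CVE-0000-0005", "CWE-79", 5.4, "analyzed"),
    ("CVE-0000-0006", "CWE-79", 6.1, "analyzed"),
    ("CVE-0000-0007", "CWE-79", 6.1, "analyzed"),
    ("CVE-0000-0008", "CWE-502", 9.8, "analyzed"),
    ("CVE-0000-0009", "CWE-502", None, "analyzed"),  # no CVSS score: filtered out
    ("CVE-0000-0010", "CWE-787", 9.8, "rejected"),   # rejected entry: filtered out
    ("CVE-0000-0011", None, 7.2, "analyzed"),        # no CVE -> CWE mapping: filtered out
    ("CVE-0000-0012", "NVD-CWE-noinfo", 5.0, "analyzed"),  # excluded category
]

# Assumption: a tiny stand-in for the real View-1003 specific -> base mapping.
VIEW_1003_REMAP = {"CWE-122": "CWE-787"}
EXCLUDED_CATEGORIES = {"CWE-Other", "NVD-CWE-noinfo"}


def filter_and_remap(records):
    """Apply the four filter rules from the methodology, then remap to base CWEs."""
    kept = []
    for cve, cwe, cvss, status in records:
        if cvss is None or status == "rejected":
            continue
        if cwe is None or cwe in EXCLUDED_CATEGORIES:
            continue
        kept.append((cve, VIEW_1003_REMAP.get(cwe, cwe), cvss))
    return kept


def normalize(value, lo, hi):
    """(value - min) / (max - min); guard the degenerate single-value case."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def rank(records):
    """Return {cwe: score} sorted by score, using Fr * Sv * 100."""
    kept = filter_and_remap(records)
    counts = defaultdict(int)            # count(CWE_X in NVD)
    cvss_by_cwe = defaultdict(list)      # CVSS values per CWE, for the average
    for _, cwe, cvss in kept:
        counts[cwe] += 1
        cvss_by_cwe[cwe].append(cvss)

    freq_min, freq_max = min(counts.values()), max(counts.values())
    all_cvss = [cvss for _, _, cvss in kept]
    cvss_min, cvss_max = min(all_cvss), max(all_cvss)

    scores = {}
    for cwe, n in counts.items():
        fr = normalize(n, freq_min, freq_max)
        avg_cvss = sum(cvss_by_cwe[cwe]) / len(cvss_by_cwe[cwe])
        sv = normalize(avg_cvss, cvss_min, cvss_max)
        scores[cwe] = round(fr * sv * 100, 2)
    return dict(sorted(scores.items(), key=lambda kv: kv[1], reverse=True))


if __name__ == "__main__":
    for cwe, score in rank(SAMPLE_NVD).items():
        print(f"{cwe:10} {score:6.2f}")
```

On this sample CWE‑787 scores 50.0, CWE‑79 11.93 and CWE‑502 0.0. The last value shows the property of the formula worth keeping in mind when reading the list: because frequency is min-max normalized, the least-mentioned CWE in the data set gets Fr = 0 and therefore a score of 0 regardless of how severe its CVEs are. That is one face of the data bias the authors say they want to address in future editions.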

In general, the data analysis methodology has not undergone significant changes this year. But next year, the authors are planning more significant changes. Here are some of them:

  • the ability to create highly specialized lists, such as Top 25 for mobile applications, etc.;
  • consider changing the metrics used to compile the list to reduce data bias;
  • improve the View-1003 technique;
  • use other normalization methods than View-1003;
  • if possible, perform CVE -> CWE comparisons more frequently to reduce the number of one-time edits to the matching data.

For more information on the methodology for preparing and analyzing the data, see the supplementary information for the study.

How big is the sample this year?

The data set for this year’s analysis included 37,899 CVEs discovered over the past two years.

Is the CWE Top 25 really updated every year?

Yes, the CWE Top 25 is updated annually. Previous editions of the CWE Top 25 can be viewed in the archive.

Who is compiling the CWE Top 25?

The CWE community includes both individual researchers and representatives of numerous organizations, academia and government agencies interested in actively reducing and eliminating software weaknesses. A specific list of members of the CWE team can be viewed on the “CWE Community Members” page.

For more information on the classification, please visit the website cwe.mitre.org.

State of affairs today

Below is a table of correspondence between the CWE Top 25 2022 list and PVS-Studio diagnostics, divided by programming language. The most current table of CWE Top 25 coverage is always available on our website.

As you can see from the table, the PVS-Studio static analyzer currently covers 68% (17 out of 25) of the CWE Top 25 2022 list. Last year, this figure was 52%. This is quite a significant improvement in coverage over the year, and in many respects it is thanks to the large number of SAST-oriented diagnostics released in the past year.

Changes in the last year

Biggest moves up:

The largest movements down:

Newbies in Top 25:

And finally, the defects that dropped out of the CWE Top 25 in 2022:

Brief summary of the changes:

  • the first ten places in the top remain fairly stable;
  • CWE‑787 (Out-of-bounds Write) still holds the lead;
  • CWE‑502 (Deserialization of Untrusted Data) and CWE‑862 (Missing Authorization) are steadily rising year by year;
  • this year, CWE‑362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)) broke into the top, having immediately risen by 11 points compared to last year;
  • CWE‑306 (Missing Authentication for Critical Function), which appeared in 2020 and soared sharply last year, has lost its position in the current year;
  • CWE‑522 (Insufficiently Protected Credentials) made the largest downward move, falling by 17 points at once.

Overboard

As a bonus, let’s take a look at the weaknesses that fell just below the main CWE Top 25 list in 2022 and may well move up in 2023:

Although these weaknesses were not included in the main list, they are still important: under favorable circumstances, they can become full-fledged vulnerabilities.

Conclusion

I hope that this material was interesting for you, and maybe helped you understand the current terminology.

Fortunately, static analyzers help in the fight against potential vulnerabilities, and therefore, by tradition, I would like to invite you to download the PVS-Studio static analyzer and try checking your project with it. Perhaps a couple of CWEs have crept into your code and are just waiting for the right moment to become full-fledged CVEs 🙂
