Abstract: CWE's 25 most dangerous software defects are an indicative list of the most common and most influential problems encountered by NVD in the past two years. CWE Top25 can help developers, testers and users, as well as project managers, security researchers and educators to gain insight into the most serious and current security vulnerabilities.
This article is shared from the Huawei Cloud Community " CWE Releases the 25 Most Dangerous Software Defects ", author: Uncle_Tom.
1. CWE 4.5 released
On July 20, CWE released its second version of the year, CWE 4.5. Compared with CWE 4.4, this release adds 4 defects and 1 view, and makes 139 significant changes to the names, descriptions and relationships of existing defects.
The main changes are:
- For CWE numbers that are no longer in use, "DEPRECATED:" is now prefixed to the CWE's name. In this way, a user can tell that the CWE number has been retired without having to look at its status field;
- The node "Content_History" that records CWE change records has been extended to the top-level nodes Views, Categories, and Weaknesses. In this way, you can clearly see the changes of each node during the evolution of the CWE version. For the introduction of CWE nodes, please refer to "Talking about the New View of CWE 4.2";
- Rust has been added to the language enumeration (LanguageNameEnumeration), so Rust can now appear in the Applicable_Platform and Demonstrative_Example nodes. CWE currently enumerates 29 languages, which basically cover the main development languages used in our industry. This change also shows that Rust is being used more and more widely;
<xs:simpleType name="LanguageNameEnumeration">
  <xs:annotation>
    <xs:documentation>The LanguageNameEnumeration simple type contains a list of values corresponding to different source code languages.</xs:documentation>
  </xs:annotation>
  <xs:restriction base="xs:string">
    <xs:enumeration value="Ada"/>
    <xs:enumeration value="ASP"/>
    <xs:enumeration value="ASP.NET"/>
    <xs:enumeration value="Basic"/>
    <xs:enumeration value="C"/>
    <xs:enumeration value="C++"/>
    <xs:enumeration value="C#"/>
    <xs:enumeration value="COBOL"/>
    <xs:enumeration value="Fortran"/>
    <xs:enumeration value="F#"/>
    <xs:enumeration value="Go"/>
    <xs:enumeration value="HTML"/>
    <xs:enumeration value="Java"/>
    <xs:enumeration value="JavaScript"/>
    <xs:enumeration value="JSP"/>
    <xs:enumeration value="Objective-C"/>
    <xs:enumeration value="Pascal"/>
    <xs:enumeration value="Perl"/>
    <xs:enumeration value="PHP"/>
    <xs:enumeration value="Python"/>
    <xs:enumeration value="Ruby"/>
    <xs:enumeration value="Rust"/>
    <xs:enumeration value="Shell"/>
    <xs:enumeration value="SQL"/>
    <xs:enumeration value="Swift"/>
    <xs:enumeration value="VB.NET"/>
    <xs:enumeration value="Verilog"/>
    <xs:enumeration value="VHDL"/>
    <xs:enumeration value="XML"/>
    <xs:enumeration value="Other"/>
  </xs:restriction>
</xs:simpleType>
- An image (<img>) node has been added, so that a problem can be described more clearly in CWE through an image reference;
For example: CWE-1339 Insufficient Precision or Accuracy of a Real Number uses graphs to show how the values drift when explaining Jean-Michel Muller's real-number accuracy problem, which makes the issue much easier to understand.
The four new defect nodes are:
- CWE-1335: Incorrect Bitwise Shift of Integer
- CWE-1336: Improper Neutralization of Special Elements Used in a Template Engine
- CWE-1339: Insufficient Precision or Accuracy of a Real Number
- CWE-1351: Improper Handling of Hardware Behavior in Exceptionally Cold Environments
The new view is:
- CWE-1337: Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
Below we focus on CWE-1337, the 2021 CWE Top 25 Most Dangerous Software Weaknesses, which is the part that security practitioners care about most.
2. The 25 most dangerous software defects in 2021
The 2021 CWE Top 25 Most Dangerous Software Weaknesses is an indicative list of the most common and most impactful problems seen in the previous two calendar years (2019-2020). These flaws are usually easy to find and exploit, and can allow attackers to completely take over a system, steal data, or prevent applications from running. The CWE Top 25 can help developers, testers and users, as well as project managers, security researchers and educators, gain insight into the most serious and current security weaknesses.
The list is compiled from the Common Vulnerabilities and Exposures (CVE) data in the National Vulnerability Database (NVD) of the National Institute of Standards and Technology (NIST). Each CVE record is correlated with its Common Vulnerability Scoring System (CVSS) score, and each weakness is then scored according to its frequency and severity. The report scored about 32,500 CVE vulnerabilities recorded in NVD for 2019-2020 and obtained the ranking of weaknesses after normalization. The ranking algorithm combines the two parameters of frequency (prevalence) and severity, so that weaknesses that occur rarely or cause little harm tend not to appear in the ranking, while weaknesses that are both frequent and harmful rise to the top of the leaderboard.
- The specific algorithm is detailed in "Talking about the new view of CWE 4.2"
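The scoring described above, as an added example that is not part of the original article: it implements the published CWE Top 25 formula (score = min-max normalised CVE count × min-max normalised average CVSS × 100) over a small constructed set of NVD-style records, so the CVE ids and scores below are illustrative, not real data.

```python
from collections import defaultdict
from statistics import mean

# Constructed NVD-style records: (CVE id, mapped CWE, CVSS base score).
# The ids and scores are made up for illustration only.
SAMPLE_CVES = [
    ("CVE-EX-0001", "CWE-787", 9.8),
    ("CVE-EX-0002", "CWE-787", 7.5),
    ("CVE-EX-0003", "CWE-787", 8.8),
    ("CVE-EX-0004", "CWE-787", 9.8),
    ("CVE-EX-0005", "CWE-79", 6.1),
    ("CVE-EX-0006", "CWE-79", 5.4),
    ("CVE-EX-0007", "CWE-79", 6.1),
    ("CVE-EX-0008", "CWE-79", 4.8),
    ("CVE-EX-0009", "CWE-79", 6.1),
    ("CVE-EX-0010", "CWE-502", 9.8),
    ("CVE-EX-0011", "CWE-276", 7.8),
    ("CVE-EX-0012", "CWE-276", 5.5),
]


def top25_scores(cves):
    """Return {cwe: score} using the CWE Top 25 formula:
    score = Fr(CWE) * Sv(CWE) * 100, where Fr is the min-max normalised
    number of CVEs mapped to the CWE and Sv is the min-max normalised
    average CVSS score of those CVEs."""
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for _cve_id, cwe, score in cves:
        counts[cwe] += 1
        cvss[cwe].append(score)
    avg = {cwe: mean(scores) for cwe, scores in cvss.items()}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())

    def norm(value, lo, hi):
        # Guard against a degenerate dataset where every CWE has the same value.
        return 0.0 if hi == lo else (value - lo) / (hi - lo)

    return {
        cwe: round(norm(counts[cwe], min_c, max_c) * norm(avg[cwe], min_s, max_s) * 100, 2)
        for cwe in counts
    }


def rank(cves, top_n=25):
    """Order CWEs by descending score (ties broken by id), as the Top 25 list does."""
    scores = top25_scores(cves)
    return sorted(scores, key=lambda c: (-scores[c], c))[:top_n]
```

Note the side effect of min-max normalisation that the sample exposes: the least frequent CWE (CWE-502, one CVE) and the least severe one (CWE-79) both score exactly 0, however strong their other factor is.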
2.1. The 25 most dangerous software defects of CWE in 2021
This is the third consecutive year since 2019 that CWE has published a Top 25. The year-over-year changes in the Top 25 show where attackers and defenders are contesting the most important issues, which helps us, on the defensive side, to build up technical reserves and emergency response measures for key high-risk vulnerabilities ahead of time.
- CWE 2021 TOP25 main data
2.2. CWE TOP25 2021 vs 2020
Comparing the 2021 and 2020 CWE Top 25 lists, several notable changes stand out.
2.2.1. The top 5 defects with the fastest rise
- CWE-276 Incorrect Default Permissions: from 41 to 19
- CWE-306 Missing Authentication for Critical Function: from 24 to 11
- CWE-502 Deserialization of Untrusted Data: from 21 to 13
- CWE-862 Missing Authorization: from 25 to 18
- CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'): from 31 to 25
2.2.2. The top 5 defects with the fastest decline
- CWE-200 Exposure of Sensitive Information to an Unauthorized Actor: from 7 to 20
- CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer: from 5 to 17
- CWE-94 Improper Control of Generation of Code ('Code Injection'): from 17 to 28
- CWE-269 Improper Privilege Management: from 22 to 29
- CWE-732 Incorrect Permission Assignment for Critical Resource: from 16 to 22
2.2.3. Defects newly entering the top 25
- CWE-276 Incorrect Default Permissions: from 41 to 19
- CWE-918 Server-Side Request Forgery (SSRF): from 27 to 24
- CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'): from 31 to 25
2.2.4. Defects falling out of the top 25
- CWE-400 Uncontrolled Resource Consumption: from 23 to 27
- CWE-94 Improper Control of Generation of Code ('Code Injection'): from 17 to 28
- CWE-269 Improper Privilege Management: from 22 to 29
3. Conclusion
- In today's constant contest between attackers and defenders, the CWE Top 25 helps us think further about where attacks are heading and how to defend against them;
- Buffer overflow, input verification, and injection issues are still major security issues in the industry and require continuous attention;
- As awareness of privacy protection has grown, the leakage of sensitive information has been brought under control to a certain extent;
- Permission control is the focus of security attack and defense. In addition to privilege management, special attention must be paid to key functions and default permissions settings;
- In information storage and transmission, attention should be paid to the deserialization of untrusted data.
4. Reference
https://cwe.mitre.org/
https://cwe.mitre.org/data/reports.html