Last week the Common Weakness Enumeration (CWE) Team at MITRE published the latest Top 25 Most Dangerous Software Errors (CWE Top 25) list which updates a previous version from 2011, meaning this has been 8 years in the making.
The CWE Top 25 is a must-have reference point for cyber security professionals. It is based on real-world evidence of common software weaknesses, and can be used effectively to prioritise software testing and code review activities.
Why are software errors so important you might ask? Let me share a quote from this years’ BlackHat keynote talk by Dino Dai Zovi,
As software is eating the world, every company is becoming a software company.
Software has arguably never been as important as it is today. When you consider the advancements being made in machine learning and other impressive areas of data processing, these are mostly being driven by software innovation.
And who can deny that the DevOps movement (which is just on 10 years old) hasn’t changed the landscape of software engineering and deployment, technically and culturally. Modern enterprises that wish to be competitive in any market must embrace efficient software development practices with security “baked in” or they risk falling behind.
Let’s jump straight in and look at the latest CWE Top 25 list.
It’s worth noting that according to the scores given by the CWE Team (see the bar chart above) there are a large range of values, and #1 stands head and shoulders above the rest.
If you were only to consider the top 10 items you’d be covering over 76% of the total scores given, so let’s look only at those in more detail.
#1. Improper Restriction of Operations within the Bounds of a Memory Buffer
Otherwise known by the classic name of “buffer overflow” which you might have heard before. This is a class of error that can be used by an attacker to inject malicious code into a system (among many other things) – it is the wide range of exploitation made possible through this type of bug and the prevalence of it that makes it such a stand-out. If you remember the Heartbleed vulnerability from April 2014, then you’re already familiar with this general class of bug, and also this overlaps into #5 below too.
#2. Cross-site Scripting
Cross-site Scripting (whose acronym “XSS” continues to confuse many people) is in my view one of the most misunderstood and understated software errors. Extremely prevalent in many web sites and web applications (often ignored through lack of understanding the true potential impact), XSS allows all kinds of scenarios to unfold and comes in two main flavours – reflected and stored. It is at number two for a very good reason, and if you’ve been in the habit of glossing over XSS vulnerabilities in your environment, I suggest you research this particular type of error. Feel free to reach out to me if you want any further advice.
#3. Improper Input Validation
Computers are hard. Security is harder. And input validation is unbelievably hard! If you’re a programmer you know exactly what I’m talking about. A good chunk of software security errors continue to arise through poor input validation – that is, the ability for software to fully validate input strictly that does not allow any ambiguity or side-stepping of that validation – and it turns out it’s really hard to get right. Hence why this is number 3.
#4. Information Exposure (Disclosure)
Accidental exposure of information is a common error where some piece of information is disclosed unnecessarily – usually information that can give an attacker an advantage of some kind. In my experience, this is often caused by poor architecture and design or development practices, and sometimes a lack of training or awareness of basic precautions that need to be engineered properly within a security context.
#5. Out-of-bounds Read
As the description on this one states, “The software reads data past the end, or before the beginning, of the intended buffer.” – this is slightly different to a buffer overflow (but can also cause one as well) and if you’re a programmer you’d be familiar with index or array out of bounds issues.
#6. SQL Injection (previously #1 in 2011)
Interestingly, this error used to be the number 1 on the Top 25 in 2011. The fact it has dropped to number 6 is a great testament to the fact that as an industry we have all focussed on getting better at addressing this issue in the last few years. Yes, it’s still common, but many (still not all!) developers these days know they should write their code using database queries that are protected from basic string manipulation and injection issues.
#7. Use After Free
This type of error is a little more abstract that some of the others, and depends specifically on the programming language used, and is described as “Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.” – it is almost always a coding issue that often arises when a developer doesn’t understand which part of the code is supposed to be responsible for freeing system memory.
#8. Integer Overflow or Wraparound
This is a type bug that I’ve seen in some cases used to exploit arithmetic functions, which can include things like modifying financial transactions (in your favour) such as changing the price of items in a shopping cart! It happens when the developer doesn’t factor in exceptionally large calculation results that the computer can’t store in the space allocated (so the value wraps around on itself).
#9. Cross-Site Request Forgery
Known by the acronym CSRF, this type of error is a composite error made up of a number of other weaknesses all working together. In short, this type of error can be found in web applications that allow information to be submitted without any type of authentication (such as a request token for a form) – this can result in some trickery that causes unintended data to be submitted in an authenticated way. Basic web applications (usually built from ground up) often have this issue. Read more about it here.
#10. Path Traversal
This type of error occurs when software allows unintended access to a part of the filesystem through unexpected input. When directories are specified such as “.” or “..” or “../../../” incorrect handling in the code can sometimes allow access to files on a system that would otherwise be restricted. Path traversal is a common issue with web applications, and PHP.
In summary, I encourage you to study the full list of common software errors and understand the implications for each, https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html.
Until next time, stay safe out there.