The CWE/SANS Top 25 Most Dangerous Software Errors Announced, Along With a New Set of Standards

Upload: redspin-inc

Post on 07-Apr-2018


  • 8/6/2019 The CWE SANS Top 25 Most Dangerous Software Errors Announced-Along With a New Set of Standards


    The CWE/SANS Top 25 Most Dangerous Software Errors Announced Along With a New Set of Standards

    In a new and revised format, SANS along with MITRE has published the latest list of the highest risk software security vulnerabilities; the revision to the list is based on the CWE, CWSS and CWRAF security standards. The announcement leverages and highlights these new standards and collaboration efforts among the security community (including corporate, non-profit and government entities). As this announcement publicizes some new standards efforts that many of us will undoubtedly hear a lot about in the coming months, I thought it made sense to leverage the CWE/SANS Top 25 Most Dangerous Software Errors list to put these other standards in context.

    First, let's summarize the standards.

    CVE List

    Before diving into these other standards, it's perhaps best to start with the CVE list. The Common Vulnerabilities and Exposures (CVE) List was started by the MITRE Corporation, a non-profit think tank, in 1999. The CVE List is free (http://cve.mitre.org) and publicly available, and it creates a standardized set of identifiers for common vulnerabilities and exposures. The List provides common identifiers so that automated tools, such as vulnerability scanners and patch management systems, can exchange vulnerability data using unique identifiers. You can think of the CVE List as the master set of security vulnerabilities. CVE numbers have become the interoperability standard amongst security vendors.

    CWE List

    Where the CVE list is a complete list of individual vulnerabilities, the Common Weakness Enumeration (CWE) provides a categorical view describing classifications of risk. The CWE List can be thought of as a taxonomy of vulnerability categories, such that unique vulnerabilities in various software systems can be categorized. As such, there are many more unique software vulnerabilities than categories that classify them. For example, the CVE List has almost 50,000 entries while the CWE List has only 870.

    Common Weakness Scoring System (CWSS)

    The CWSS provides a consistent method by which vulnerabilities can be scored. This would potentially address, for example (at least in theory), a big problem with automated vulnerability scanners: they tend to create reams of output without any context as to what is important in a given environment. Given that every environment is unique, it's difficult for automated software processes to programmatically determine the relevance of a particular instance of a vulnerability.

    The CWSS would provide a repeatable approach to determine the relevance of risk as well as provide a way to quantifiably measure unaddressed vulnerabilities.

    Common Weakness Risk Analysis Framework (CWRAF)

    The CWRAF provides a method for organizations to customize the application of the CWSS to account for their particular business and technology environments. So as the CWSS provides a repeatable process to score vulnerabilities, the CWRAF provides a repeatable way for organizations to apply the CWSS to their own unique business environments.

    So what's all this got to do with the CWE/SANS Top 25?

    Well, perhaps nothing. The list itself is a prioritized list of the top 25 security weaknesses in software as a function of prevalence, probability of exploitation, and importance. The list is a great resource for any IT or security professional that wants to focus their efforts on the most important issues. Considering that every organization has security risk (and often plenty of it) and IT resources are limited, keeping focused on the important issues is incredibly important in a structured risk management program. But what about CVE, CWE, CWSS, CWRAF? So it's not the CWE/SANS Top 25 list that has to do with these standards; it's more that this alphabet soup of standards is how the Top 25 list was created. SANS worked with MITRE along with security experts worldwide to compile the list. While experts in the field often work with individual CVE identifiers, the Top 25 list is based on CWE categories. The list is prioritized based on the scores that were calculated based on the CWSS. Specific industries and organizations could customize the scoring using the CWRAF.

    Below is the current CWE/SANS Top 25 Most Dangerous Software Errors list. Notice how CWE categories are referenced as opposed to CVE numbers or ad hoc categories, and the CWSS score is used for prioritization.

    1.  93.8  CWE-89   Improper Neutralization of Special Elements used in an SQL Command (SQL Injection)
    2.  83.3  CWE-78   Improper Neutralization of Special Elements used in an OS Command (OS Command Injection)
    3.  79.0  CWE-120  Buffer Copy without Checking Size of Input (Classic Buffer Overflow)
    4.  77.7  CWE-79   Improper Neutralization of Input During Web Page Generation (Cross-site Scripting)
    5.  76.9  CWE-306  Missing Authentication for Critical Function
    6.  76.8  CWE-862  Missing Authorization
    7.  75.0  CWE-798  Use of Hard-coded Credentials
    8.  75.0  CWE-311  Missing Encryption of Sensitive Data
    9.  74.0  CWE-434  Unrestricted Upload of File with Dangerous Type
    10. 73.8  CWE-807  Reliance on Untrusted Inputs in a Security Decision
    11. 73.1  CWE-250  Execution with Unnecessary Privileges
    12. 70.1  CWE-352  Cross-Site Request Forgery (CSRF)
    13. 69.3  CWE-22   Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)
    14. 68.5  CWE-494  Download of Code Without Integrity Check
    15. 67.8  CWE-863  Incorrect Authorization
    16. 66.0  CWE-829  Inclusion of Functionality from Untrusted Control Sphere
    17. 65.5  CWE-732  Incorrect Permission Assignment for Critical Resource
    18. 64.6  CWE-676  Use of Potentially Dangerous Function
    19. 64.1  CWE-327  Use of a Broken or Risky Cryptographic Algorithm
    20. 62.4  CWE-131  Incorrect Calculation of Buffer Size
    21. 61.5  CWE-307  Improper Restriction of Excessive Authentication Attempts
    22. 61.1  CWE-601  URL Redirection to Untrusted Site (Open Redirect)
    23. 61.0  CWE-134  Uncontrolled Format String
    24. 60.3  CWE-190  Integer Overflow or Wraparound
    25. 59.9  CWE-759  Use of a One-Way Hash without a Salt

    Overall, we applaud this effort, both the list and the accompanying standards. Any effort that prioritizes risk and provides a systematic and repeatable process to do so is a big boost for enterprise security. In the short term, the value of these methodologies will surely be a function of the capabilities and dedication of those that use them (the garbage in, garbage out rule will still apply), but any methodology that adds some structure to security risk analysis is a worthy effort.

    Web: WWW.REDSPIN.COM   Phone: 800-721-9177   Email: [email protected]
