CWE/SANS Top 25 Software Errors for 2019

In September 2019, a new CWE/SANS Top 25 Most Dangerous Software Errors list was published for the first time since 2011. Unlike previous lists, it was calculated by analyzing reported vulnerabilities to determine underlying weaknesses, so it is especially valuable for developers and software security professionals. This article looks at the top-rated software weaknesses and shows how they apply in practice to web application security.

CWE/SANS Top 25 Software Errors for 2019

September 2019 saw the first update of the CWE/SANS Top 25 Most Dangerous Software Errors list since 2011. Unlike previous lists, it was calculated by analyzing actual reported vulnerabilities to determine their underlying weaknesses, so it is especially valuable for developers and software security professionals. Let’s have a look at the top-rated software weaknesses and see how they apply in practice to web application security.

CWE/SANS Top 25 Software Errors for 2019

How the 2019 Top 25 List Was Prepared

The CWE classification, or Common Weakness Enumeration, describes typical software errors that may lead to vulnerabilities. In the 2011 Top 25 list, weaknesses were ranked based on feedback from industry experts. In contrast, the CWE Top 25 for 2019 was put together by analyzing high-scoring vulnerabilities reported in 2017 and 2018 in NIST’s National Vulnerability Database (NVD). This meant determining their root cause, assigning them to weakness categories, and calculating overall scores. The highest scores were assigned to high-impact errors that are frequently made and easily exploited, so the 2019 list not only provides valuable information on the current state of software security, but can also serve as a quick reference guide for developers, administrators, and educators.

10 Most Dangerous Errors of 2019

  1. Improper Restriction of Operations within the Bounds of a Memory Buffer, a.k.a. Buffer Overflow (CWE-119)
  2. Improper Neutralization of Input During Web Page Generation, a.k.a. Cross-site Scripting (CWE-79)
  3. Improper Input Validation (CWE-20)
  4. Information Exposure (CWE-200)
  5. Out-of-bounds Read (CWE-125)
  6. Improper Neutralization of Special Elements used in an SQL Command, a.k.a. SQL Injection (CWE-89)
  7. Use After Free (CWE-416)
  8. Integer Overflow or Wraparound (CWE-190)
  9. Cross-Site Request Forgery (CSRF) (CWE-352)
  10. Improper Limitation of a Pathname to a Restricted Directory, a.k.a. Path Traversal (CWE-22)

Memory Management, Input Validation, and Information Access

As with previous lists of weaknesses and vulnerabilities, many errors are still related to memory management and input validation. The top danger by far, with an overall score of 75.56, is improper restriction of memory buffer operations, which can include buffer overflows, over-reads, and overruns. While commonly associated with lower-level languages that directly access memory, most notably C/C++, memory management errors can also affect applications and systems that rely on external libraries. An incorrect calculation of buffer size or a missing bounds check in a popular library can have serious consequences downstream, as demonstrated by the Heartbleed vulnerability. Other memory management errors that made the list include use after free, out-of-bounds read and write (CWE-787), and NULL pointer dereference (CWE-476).

9 of the top 25 items are related to untrusted inputs, including cross-site scripting (second overall score of 45.69), improper input validation (third place with 43.61), SQL injection, OS command injection (CWE-78), directory traversal, or the unrestricted upload of files of a dangerous type (CWE-434). This serves as a reminder that software inputs come in all shapes and sizes, and any input that could conceivably be generated or modified outside the application should be properly validated.

The last major error category is information access security. This includes weaknesses such as information exposure, where a program reveals more data than should be accessible to the user, and authentication and validation errors, such as improper authentication (CWE-287), incorrect permission assignment (CWE-269), and the use of hard-coded credentials (CWE-798). The presence of this class of errors in the top 25 confirms the high impact of data disclosure vulnerabilities and shows that information security must be considered at all stages of development and deployment.

Changes Since the 2011 Top 25

Despite changes in methodology compared to the 2011 Top 25 list, we can see many familiar issues still there, with buffer overflows, SQL injection, and cross-site scripting all making the top 10 again. (Note that in 2011, CWE-120 was listed for “Buffer Copy without Checking Size of Input”, or classic buffer overflow, while CWE-119 is a broader class of buffer-related errors.) Interestingly, many technical weaknesses have moved off the radar and are no longer listed for 2019, including:

  • CWE-327: Use of a Broken or Risky Cryptographic Algorithm
  • CWE-311: Missing Encryption of Sensitive Data
  • CWE-759: Use of a One-Way Hash without a Salt
  • CWE-829: Inclusion of Functionality from an Untrusted Control Sphere (use of untrusted code)
  • CWE-601: URL Redirection to Untrusted Site (open redirect)
  • CWE-494: Download of Code Without Integrity Check
  • CWE-676: Use of Potentially Dangerous Function
  • CWE-134: Uncontrolled Format String

This could be a sign of improving security practices and more effective vulnerability management, as organizations and developers increasingly rely on specialized libraries and move away from brew-your-own implementations, especially for cryptography. However, many changed items correspond to the same basic issues – for example, CWE-807 “Reliance on Untrusted Inputs in a Security Decision” is not among the top weaknesses for 2019, but could still be a factor for vulnerabilities resulting from improper input validation. 

Critical Errors for Web Application Security

The SANS list was compiled based on all reported vulnerabilities, not just those that affect web applications. However, by comparing it with the OWASP Top 10 Most Critical Web Application Security Risks for 2017, we can see some common themes. Unsurprisingly, the low-level memory management issues don’t directly apply to web development, where higher-level languages are used, but they make it into the OWASP list indirectly as “Using Components with Known Vulnerabilities”. However, as with the SANS list, issues related to input validation and data access security dominate, with injection vulnerabilities topping the OWASP list. Cross-site scripting is also present in both lists, as are XXE vulnerabilities (officially CWE-611 “Improper Restriction of XML External Entity Reference”). 

Increased reliance on external libraries and frameworks, especially open source solutions, has improved many aspects of web application security – but at a price. If a vulnerability is found in a popular library, thousands of systems and applications can suddenly be open to attack. To ensure that existing and emerging threats are addressed, it’s vital to regularly scan your applications using an industrial-strength vulnerability scanner that can provably detect a wide array of vulnerabilities, including SQL Injection, Cross-site Scripting, XML External Entity Injection, and Command Injection.

Zbigniew Banach

About the Author

Zbigniew Banach - Technical Content Lead & Managing Editor

Cybersecurity writer and blog managing editor at Invicti Security. Drawing on years of experience with security, software development, content creation, journalism, and technical translation, he does his best to bring web application security and cybersecurity in general to a wider audience.