It’s midsummer 2021, and everywhere you turn in the IT security press, you find notices that the latest CWE listings have been released. Sponsored by the Department of Homeland Security and operated by the MITRE Corporation, this list seems like a big deal. Well, it is a big deal, and here’s why.
The Common Weakness Enumeration (CWE) is a catalog of common software and hardware weaknesses compiled by members of the U.S. security community. It provides common terminology and a baseline for vulnerability detection, prevention, and mitigation efforts.
The CWE Top 25 list is a valuable guide for software and hardware producers, users, and educators. It’s a compilation of the 25 most common and dangerous vulnerabilities discovered in the past two years. (The 2021 list is based on findings from 2019 and 2020.) For users evaluating solutions such as a web application firewall (WAF) or runtime application self-protection (RASP) tool, the list ties concrete security problems to the protections those products are designed to provide.
What’s on the 2021 CWE Top 25 List?
The Institute’s CWE team created the 2021 list by gathering government data and applying a standard scoring system to it. The resulting score for each weakness is based on how often that weakness was the root cause of an attack and how severely it affected different user groups.
The list includes 25 entries, each of which describes:
- Rank from 1 to 25, with 1 being the most dangerous. Top-rated weaknesses are considered dangerous because they are often easy for attackers to find and exploit in order to steal data, take control of a system, or prevent hardware or software from working.
- Weakness identification number. Each ID links to a web page with detailed technical information on that weakness.
- Name of weakness.
- Weakness score.
- The change in a vulnerability’s rank since the 2020 edition of the list.
The 2021 CWE Top 25 portal page is available on the CWE website.
Detailed 2021 CWE data
After studying the 2021 list of weaknesses and scoring details, CWE analysts have concluded:
- Breaking into IT infrastructure and maintaining that access remain the foundations of cyberattacks and of the security weaknesses that enable them.
- Stolen access lets attackers land and expand throughout IT infrastructure through lateral movement, privilege escalation, and other well-known techniques.
These capabilities are core stages of the familiar cyber kill chain seen in advanced persistent threat (APT) campaigns and other attacks. The cyber kill chain is a security model that describes the phases of a cyberattack, covering every stage of an intrusion from early planning through to achieving the attacker’s final objective.
- Maintaining tight control over access permissions and identities is essential to keeping an enterprise secure.
An important difference between the 2020 and 2021 CWE Top 25 lists is that the weakness entries are becoming more specific, replacing the more generalized descriptions of earlier editions. This is an improvement: the more specific a weakness description is, the more directly its recommended mitigations apply under real-world conditions.
Protecting Against Common Vulnerabilities
Each entry on the CWE Top 25 Software Weaknesses site includes detailed detection, prevention, and remediation steps that developers and project managers can take to eliminate the weakness or reduce its impact. Here is an example of how CWE information helps identify tactics that prevent or blunt an attack aimed at a given weakness.
From the Top 25 list, here are some familiar weaknesses and the mitigations suggested by the CWE team.
| Weakness name | Rank (of 25) | Common consequences | Project phase: prevention/mitigation strategy |
| --- | --- | --- | --- |
| Cross-site scripting | 2 | Most often, disclosure of information stored in user cookies. | Implementation: use automated static analysis tools. Implementation: use application firewalls. |
| Improper / no data validation | 4 | Program crash, or consumption of large amounts of memory, CPU, or other resources. | Design: ensure that security checks performed on the client side are duplicated on the server side. Implementation: use input validation frameworks or libraries such as Struts or the OWASP ESAPI validation API. Implementation: use dynamic analysis and automated results interpretation tools. |
| Improper authentication | 14 | Exposes resources or functionality to unauthorized actors. Can give attackers sensitive information or let them run arbitrary code. | Operation: use dynamic analysis and automated results interpretation (as above). Operation: use manual static analysis (human eyes inspecting and evaluating the correctness of custom authentication methods). |
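As an added example (not from the article or from the CWE entries it cites), the following Python sketch applies the table’s mitigation advice to a hypothetical comment form: the server duplicates the client-side allowlist and length checks, rejects oversized input before processing it, and HTML-encodes output to block cross-site scripting. The form fields, limits, and handler are assumptions.

```python
import html
import re

# Constructed example: the username and comment fields of a hypothetical
# comment form. The client-side form enforces these same constraints, and
# the server re-applies them because client checks can be bypassed.
USERNAME_RE = re.compile(r"[A-Za-z0-9_.-]{1,32}")
MAX_COMMENT_LEN = 500


class ValidationError(ValueError):
    """Raised when a field fails server-side validation."""


def validate_username(value):
    # Allowlist via an anchored full match; reject rather than "clean up".
    if not isinstance(value, str) or not USERNAME_RE.fullmatch(value):
        raise ValidationError("invalid username")
    return value


def validate_comment(value):
    # Check type and length first so oversized input is rejected cheaply,
    # before it can consume memory or CPU in later processing.
    if not isinstance(value, str):
        raise ValidationError("comment must be a string")
    if len(value) > MAX_COMMENT_LEN:
        raise ValidationError("comment too long")
    return value


def render_comment(username, comment):
    # Input validation and output encoding are separate controls: even a
    # comment that passes validation is HTML-escaped when rendered, which
    # is what blocks stored/reflected cross-site scripting.
    safe_user = html.escape(validate_username(username), quote=True)
    safe_comment = html.escape(validate_comment(comment), quote=True)
    return f"<p><b>{safe_user}</b>: {safe_comment}</p>"


def handle_request(form):
    # Server-side handler: ignores anything the client asserts about its
    # own checks (e.g. a hypothetical "validated" flag) and re-validates.
    try:
        body = render_comment(form.get("username", ""), form.get("comment", ""))
    except ValidationError as exc:
        return 400, str(exc)
    return 200, body
```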
WAF and RASP: Today’s software solutions for today’s attack landscape
A careful look at the information on CWE detail pages shows that several classes of modern software tools provide effective detection, prevention, and damage-reduction capabilities.
WAFs are designed for real-time protection of your applications and APIs against cross-site scripting and a host of other exploits. Ideally, effective WAFs protect your software assets against a wide range of vulnerabilities (not just the ones listed in the OWASP Top 10) and reduce the risks that complicate security management.
RASP tools apply the dynamic analysis and automated results interpretation methods listed above at runtime to prevent attacks aimed at your system’s weaknesses. While your apps and APIs run, RASP tools protect them and provide essential information that eliminates many types of operational risk. RASP-based tools also spare developers time-consuming security coding chores and fit smoothly into existing applications and processes.
These and many other tools and strategies are part of the latest application security solutions available from third-party security service providers.