CWE Top 25 of 2022: Review of Changes

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes that happened over the past year.

We position the PVS‑Studio analyzer not only as a tool for searching for bugs in code but also as a static application security testing (SAST) tool. For a better understanding of trends and planning of diagnostic rules, there is nothing better than to look at the latest list of the most relevant security issues. There are several such lists, for example, OWASP Top 10, SANS Top 25, and CWE Top 25.

A Bit of Theory

To better understand the context, let's brush up on some topics. To do this, let's skim through the following points:

• What is CWE, and how does CVE differ from it?
• Why do we need CVSS?
• What are NVD and KEV?
• How is the CWE Top 25 2022 ranked?

If you feel CWE savvy, you can safely go ahead and skip this section. Otherwise, I would strongly suggest you refresh those points before reading if you don't mind the article. Below is a rather free interpretation of some questions from the  CWE FAQ and CVE FAQ:

How Does a Software Weakness Differ From a Software Vulnerability?

Weaknesses are defects, failures, and other issues of software implementation, design, or architecture that may lead to vulnerabilities.

Vulnerabilities are errors that someone has already found. Attackers may exploit these vulnerabilities to access a system or a network, disrupt services, etc.

What Is CWE and How Is It Different From CVE? How Does CVSS Figure Here, and Where Did KEV Come From?

• CWE (Common Weakness Enumeration) is a general list of security defects.
• CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities found in various software.
• CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.
• KEV (Known Exploited Vulnerabilities) is a catalog of known exploited vulnerabilities.

Why Do I Need to Know About CWE?

Today, developers use CWE as the main tool when discussing eliminating and/or minimizing security defects in the architecture, design, code, and software implementation. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing and minimizing negative consequences.

What Is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application's operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource that can help you get an idea of the currently most common and dangerous security defects.

What Is an Algorithm to Compile and Rank the CWE Top 25 List?

The main sources for this year's list were:

• Data from U.D National Vulnerability Database (NVD) for 2020–2021;
• The Known Exploited Vulnerabilities (KEV) catalog that was compiled in November 2021 by Cybersecurity and Infrastructure Security Agency (CISA).

The CWE team researchers handled the obtained data according to the View-1003 method to reduce the specificity of records. For example, CWE-122 (Heap-Based Buffer Overflow) is converted to basic CWE-787 (Out-of-Bounds Write). The CWE team also filtered the data and removed from the Top 25 list the following items:

• CVEs if they do not have a CVSS score;
• CVEs whose description is labeled "REJECT";
• CVEs without mapping to any CWE;
• CVEs that are labeled with "CWE-Other" or "NVD-CWE-noinfo".

Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the potential danger of exploitation and the frequency with which a defect (CWE) is the main cause of a vulnerability. The team made the formula that way, normalizing the frequency and predicted severity relative to their minimum and maximum values. To obtain the frequency of mentions, the formula calculates how many times CVE referred to CWE within the NVD.

Freq = {count(CWE_X' ∈ NVD) for each CWE_X' in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Another important component of the scoring formula is a defect's severity. The following formula calculates it:

Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))

In the end, the final score is calculated by multiplying the frequency of mention by the severity score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100

In general, data analysis methodology has not changed much this year. But next year, the CWE team is planning more significant changes. Here are some of them:

• Support generation of more specialized lists, such as Top 25 for mobile applications, etc.;
• Consider changing the metrics used to generate the list to minimize some of the bias;
• Enhance the View-1003 methodology;
• Perform normalization using different views besides View-1003.
• If possible, perform more CVE -> CWE mappings to reduce the number of one-off edits to the mapping data.

You can find more information about the methodology of data preparation and analysis in the supplemental details for the CWE Top 25 list.

How Big Is the Sampling This Year?

The dataset contained a total of 37,899 CVEs from the previous two calendar years.

Is the Top 25 Updated Every Year?

Yes, it is updated annually. For information about previous versions, visit CWE Top 25 archive.

Who Participates in the Development of CWE Top 25?

The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in the elimination of software defects. You can get a list of CWE Team members on the "CWE Community Members" page.

The Situation Today

Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. 

The table shows that the PVS-Studio static analyzer now covers 68% (17 out of 25) of the CWE Top 25 2022 list. Last year, the coverage was 52%. Significant improvement in coverage over the year is a credit to the large number of SAST-oriented diagnostic rules PVS-Studio released over the past year.

Changes in the CWE Top 25 Over the Past Year

The biggest upshifts:

The biggest downshifts:

"Newbies" in the Top 25:

And in the end — the defects that were dropped out of the CWE Top 25 in 2022:

Key Points:

• The top ten places remain fairly stable;
• CWE-787 (Out-of-bounds Write) still holds the lead;
• CWE-502 (Deserialization of Untrusted Data) and CWE-862 (Missing Authorization) are steadily rising to the top year by year;
• This year, CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')) broke into the top, immediately rising by 11 places compared to last year;
• CWE-306 (Missing Authentication for Critical Function) appeared in 2020 and skyrocketed last year, dropped this year;
• The largest downward movement was marked by CWE-522 (Insufficiently Protected Credentials), which fell down by 17 points at once.

Below the Top

As a bonus, let's see what defects did not make it into the 2022 CWE Top 25 and may well enter the top next year:

Although these defects did not make it to the top, they are still important because, under favorable circumstances, they may turn into vulnerabilities.

Conclusion

I hope you enjoyed this article and understood the current terminology.

Fortunately, static analyzers help us fight potential vulnerabilities. Maybe a couple of CWEs crept into your code and are about to become CVE :)