5 Essential Tips to Protect Yourself from the CWE Top 25 Attacks

By Daniella Balaban
September 12, 2022 | 8 min read


More than 400 years ago, Francis Bacon coined the phrase, “opportunity makes a thief”. In 2022, 82% of CIOs believe their software supply chains are vulnerable, and cybercriminals can penetrate 93 percent of company networks. Bacon’s saying is more relevant than ever, with CISOs and other cyber security professionals constantly needing to detect and remediate weaknesses in their systems while training their staff to tackle them adequately.

Programs like the CWE (Common Weakness Enumeration) and the CWE Top 25 (CWE Top 25 Most Dangerous Software Weaknesses list) were created to help identify, recognize, and prioritize such weaknesses in order to prevent and minimize security vulnerabilities.

The CWE is used in all aspects of cyber security, from the early development stage (architecture and design), through code, hardware, and software implementation, to managing the enterprise’s cyber security. In this post, we give you the tools and knowledge needed to protect yourself from the CWE Top 25 Attacks by explaining and discussing:

What is the CWE Top 25?

What is CWE?

The CWE is a community-developed list of software and hardware security weaknesses sponsored by governments and non-profit organizations such as the MITRE Corporation and CISA (the US government’s Cybersecurity and Infrastructure Security Agency).

What is the CWE Top 25?

The CWE Top 25 is a list of the most prevalent and significant software weaknesses: the ones that bad actors can most easily find and use to breach systems, steal data, stop applications from working, or take over an entire system.

The CWE Top 25 (like the CWE program) is designed to help developers and security professionals (CISOs, InfoSec, security managers, etc.) by creating a common standardized language when:

Recent and future planned changes in methodology for CWE Top 25

The main change to the methodology of the 2022 CWE Top 25 is the use of the KEV (Known Exploited Vulnerabilities) catalog, published by CISA in November 2021. KEV includes roughly 800 flaws known to have been exploited in cyber attacks. It is also worth mentioning that next year, the CWE team is planning more changes:

What is CVE and how is it different from CWE?

CVE (Common Vulnerabilities and Exposures) is a program created in 1999 and operated by the MITRE Corporation (which manages the National Cybersecurity FFRDC, a federally funded research and development center, NCF) and the National Cyber Security Division (NCSD) of the US Department of Homeland Security.

The CVE program identifies, defines, and catalogs publicly known information-security vulnerabilities. The CVE contains a single record for each vulnerability in the catalog and a reference ID for each vulnerability. Cyber security professionals use this reference system to ensure they are referring to the same vulnerability.

The CVE reference method is used by the CWE and the CWE Top 25 when addressing the weaknesses in the list.

How to Use the 2022 CWE Top 25

Below is a table of the CWE Top 25 for 2022:

Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021
---- | -- | ---- | ----- | ---------------- | --------------------
1 | CWE-787 | Out-of-bounds Write | 64.2 | 62 | 0
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) | 45.97 | 2 | 0
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) | 22.11 | 7 | +4
4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0
5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2
6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) | 17.53 | 32 | -1
7 | CWE-416 | Use After Free | 15.5 | 28 | 0
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) | 14.08 | 19 | 0
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0
11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4
12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1
13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1
14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0
15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1
16 | CWE-862 | Missing Authorization | 5.53 | 1 | 2
17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‘Command Injection’) | 5.42 | 5 | +8
18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7
19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2
20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1
21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3
22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’) | 3.57 | 6 | +11
23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4
24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1
25 | CWE-94 | Improper Control of Generation of Code (‘Code Injection’) | 3.32 | 4 | +3

Effectively using the 2022 CWE Top 25

One of the most effective ways to use the CWE Top 25 is as a priority list when developing a system or handling its security. Ranking findings against the list lets developers and security experts mitigate issues according to their severity, so that the organization’s limited resources go to the weaknesses that matter most.
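The prioritization described above, as an added example that is not part of the original post: the rank and score columns of the 2022 table are embedded as a lookup, and a list of constructed scanner findings (the `Finding` records, their CWE IDs and file locations are all made up for the example) is ordered so that Top 25 weaknesses come first, by rank, with everything else at the end.

```python
"""Order scanner findings by their 2022 CWE Top 25 rank.

Added example, not from the original post. The rank, name and score values
come from the 2022 table; the findings below are constructed sample data.
"""
from dataclasses import dataclass

# Rank, short name and score for each entry of the 2022 CWE Top 25.
CWE_TOP_25_2022 = {
    "CWE-787": (1, "Out-of-bounds Write", 64.2),
    "CWE-79": (2, "Cross-site Scripting", 45.97),
    "CWE-89": (3, "SQL Injection", 22.11),
    "CWE-20": (4, "Improper Input Validation", 20.63),
    "CWE-125": (5, "Out-of-bounds Read", 17.67),
    "CWE-78": (6, "OS Command Injection", 17.53),
    "CWE-416": (7, "Use After Free", 15.5),
    "CWE-22": (8, "Path Traversal", 14.08),
    "CWE-352": (9, "Cross-Site Request Forgery (CSRF)", 11.53),
    "CWE-434": (10, "Unrestricted Upload of File with Dangerous Type", 9.56),
    "CWE-476": (11, "NULL Pointer Dereference", 7.15),
    "CWE-502": (12, "Deserialization of Untrusted Data", 6.68),
    "CWE-190": (13, "Integer Overflow or Wraparound", 6.53),
    "CWE-287": (14, "Improper Authentication", 6.35),
    "CWE-798": (15, "Use of Hard-coded Credentials", 5.66),
    "CWE-862": (16, "Missing Authorization", 5.53),
    "CWE-77": (17, "Command Injection", 5.42),
    "CWE-306": (18, "Missing Authentication for Critical Function", 5.15),
    "CWE-119": (19, "Improper Restriction of Operations within a Memory Buffer", 4.85),
    "CWE-276": (20, "Incorrect Default Permissions", 4.84),
    "CWE-918": (21, "Server-Side Request Forgery (SSRF)", 4.27),
    "CWE-362": (22, "Race Condition", 3.57),
    "CWE-400": (23, "Uncontrolled Resource Consumption", 3.56),
    "CWE-611": (24, "XML External Entity Reference", 3.38),
    "CWE-94": (25, "Code Injection", 3.32),
}


@dataclass
class Finding:
    """One result as a SAST/DAST tool might report it (constructed shape)."""
    tool_id: str
    cwe: str
    location: str


def priority_key(finding):
    """Sort key: Top 25 entries first, by rank; unlisted CWEs after them."""
    entry = CWE_TOP_25_2022.get(finding.cwe)
    rank = entry[0] if entry else len(CWE_TOP_25_2022) + 1
    return (rank, finding.cwe, finding.location)


def prioritize(findings):
    """Return the findings ordered by CWE Top 25 rank."""
    return sorted(findings, key=priority_key)


def triage_report(findings):
    """Return (cwe, rank or None, score or None, location) rows in priority order."""
    rows = []
    for f in prioritize(findings):
        entry = CWE_TOP_25_2022.get(f.cwe)
        rows.append((f.cwe, entry[0] if entry else None,
                     entry[2] if entry else None, f.location))
    return rows


# Constructed sample findings; the paths and IDs are invented for the example.
SAMPLE_FINDINGS = [
    Finding("F-1", "CWE-798", "config/db.py:12"),
    Finding("F-2", "CWE-787", "native/parser.c:204"),
    Finding("F-3", "CWE-1021", "web/frame.html:3"),   # not in the Top 25
    Finding("F-4", "CWE-89", "api/users.py:58"),
]

if __name__ == "__main__":
    for cwe, rank, score, loc in triage_report(SAMPLE_FINDINGS):
        print(f"{cwe:9} rank={rank} score={score} {loc}")
```

The unlisted CWE-1021 finding is kept rather than dropped: the list sets the order of work, not the scope of it.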

5 essential tips to protect yourself from CWE top 25 attacks

1. Implement secure authorization across the organization.

Authorization is the fundamental way the system determines if a client has permission to use any resource or access any file. Securing the authorization process across the organization is critical in preventing attacks from succeeding. For example:

CWE-862: Missing Authorization – “The software does not perform an authorization check when an actor attempts to access a resource or perform an action.”

CWE suggestions for Mitigation:

2. Encrypt sensitive data at rest and in transit:

Strong encryption of sensitive data at all locations and at all times (during rest or when transmitted) is critical and a basic requirement of many security standards. For example:

CWE-798: Use of Hard-coded Credentials – “The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its inbound authentication, outbound communication to external components, or encryption of internal data.”

CWE suggestions for Mitigation:

Outbound authentication: 

Inbound authentication:

Inbound authentication using passwords: 

Possible solutions for front-end to back-end connections: 
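The CWE-798 weakness from tip 2, shown as an added example that is not from the original post or from CWE: the hard-coded literal is the vulnerable shape, the hardened outbound path reads the credential from the environment at run time and refuses to start without it, and the hardened inbound path stores only a salted, slow hash of the password and compares it in constant time. The environment variable name `APP_DB_PASSWORD` and the small regex-based scanner at the end are assumptions made for the example.

```python
"""CWE-798: hard-coded credentials versus credentials supplied at run time.

Added example, not from the original post. The variable name
APP_DB_PASSWORD and the regex scanner are assumptions for this example.
"""
import hashlib
import hmac
import os
import re
import secrets

# Vulnerable shape: the secret is in the source tree, shared by every build,
# and visible to anyone who can read the repository. (Constructed value.)
DB_PASSWORD_HARDCODED = "s3cret-from-2019"


def outbound_password_unsafe():
    """CWE-798 pattern: returns the credential baked into the program."""
    return DB_PASSWORD_HARDCODED


def outbound_password(env=None, var="APP_DB_PASSWORD"):
    """Hardened outbound: the credential is injected at run time (env var here,
    a secrets manager in production) and the program fails closed without it."""
    env = os.environ if env is None else env
    value = env.get(var)
    if not value:
        raise RuntimeError(f"{var} not set; refusing to fall back to a default credential")
    return value


def make_record(password, iterations=200_000):
    """Hardened inbound: never store the password itself, only a per-user salt
    and a slow PBKDF2-HMAC-SHA256 digest of it."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def verify(record, attempt):
    """Recompute the digest for the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["digest"])


# Assignment of a quoted literal to a credential-looking name, e.g. db_password = "..."
_SECRET_ASSIGNMENT = re.compile(
    r'(?i)\w*(password|passwd|secret|api_key|token)\w*\s*=\s*["\'][^"\']+["\']')


def find_hardcoded_secrets(source):
    """Tiny detection helper for code review: flag literal credential assignments.
    A heuristic only; real secret scanners use many more patterns and entropy checks."""
    return [m.group(0) for m in _SECRET_ASSIGNMENT.finditer(source)]


if __name__ == "__main__":
    rec = make_record("correct horse battery staple")
    print("verify ok:", verify(rec, "correct horse battery staple"))
    print("hard-coded in this file:", find_hardcoded_secrets(open(__file__).read()))
```

Run against its own source, the scanner flags the `DB_PASSWORD_HARDCODED` line and nothing else, which is the kind of check worth wiring into a pre-commit hook.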

3. Take authentication seriously:

Authentication is key in enabling the organization to guarantee that only authorized and trusted processes and users can access its system’s resources. For example:

CWE-287: Improper Authentication – “When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.”

CWE suggestion for Mitigation:  Use an authentication framework or library such as the OWASP ESAPI (The OWASP Enterprise Security API) Authentication feature.

CWE-306: Missing Authentication for Critical Function – The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

CWE suggestions for Mitigation:
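Tips 1 and 3 are two halves of the same access decision: authentication (CWE-287, CWE-306) establishes who the caller is, authorization (CWE-862) decides what that identity may do. The following added example, not from the original post or from CWE, puts both checks in front of a report-retrieval function and keeps the unchecked version beside it for comparison. The session table, the user roles and the `REPORTS` data are constructed; the `login` function is a stub that assumes the credential was already verified.

```python
"""Authentication (CWE-287/306) and authorization (CWE-862) checks on a
critical function. Added example, not from the post; all data is constructed."""
import hmac
import secrets

# Constructed state. A real service keeps these in a database or session store.
SESSIONS = {}                      # token -> user id
USERS = {"alice": {"role": "user"}, "bob": {"role": "user"}, "root": {"role": "admin"}}
REPORTS = {"r1": {"owner": "alice", "body": "quarterly numbers"},
           "r2": {"owner": "bob", "body": "bob's notes"}}


class AuthError(Exception):
    """The caller did not prove an identity (CWE-287 / CWE-306)."""


class Forbidden(Exception):
    """The caller is known but not allowed to do this (CWE-862)."""


def login(user):
    """Stub: assumes the credential was already verified; issues a random session token."""
    token = secrets.token_urlsafe(32)
    SESSIONS[token] = user
    return token


def authenticate(token):
    """Map a presented token to a user, or refuse. Rejects empty/absent tokens
    (CWE-306) and compares in constant time so token guessing gains no timing hint."""
    if not isinstance(token, str) or not token or not token.isascii():
        raise AuthError("no valid credential presented")
    for stored, user in SESSIONS.items():
        if hmac.compare_digest(stored, token):
            return user
    raise AuthError("unknown session")


def authorize_report(user, report_id):
    """CWE-862 check: the caller must own the report or hold the admin role."""
    report = REPORTS.get(report_id)
    if report is None:
        raise KeyError(report_id)
    if report["owner"] != user and USERS[user]["role"] != "admin":
        raise Forbidden(f"{user} may not access {report_id}")
    return report


def get_report_unsafe(report_id):
    """Vulnerable shape: no identity check at all and any caller reads any report."""
    return REPORTS[report_id]["body"]


def get_report(token, report_id):
    """Hardened shape: authenticate first, then authorize against the resource."""
    user = authenticate(token)
    return authorize_report(user, report_id)["body"]


if __name__ == "__main__":
    t = login("alice")
    print(get_report(t, "r1"))          # alice reads her own report
    try:
        get_report(t, "r2")             # alice may not read bob's
    except Forbidden as e:
        print("forbidden:", e)
```

The order matters: authorization is evaluated against the identity that authentication produced, never against a caller-supplied user name, so a missing or forged token fails before any resource is consulted.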

4. Continuously update cyber security policies and procedures:

As threats and attacks continue to evolve, another basic principle is constantly updating cyber security policies and procedures. This is another main requirement in many security standards and security standard compliance to-do lists. Let’s look at the visual representation of the difference between the 2021 and 2022 CWE Top 25 lists. 

As can be clearly understood from the chart above, CWE Top 25 is dynamic and constantly changing. Cyber security policies and procedures must be regularly updated to align with the most recent and relevant weaknesses and vulnerabilities.   

5. Train staff in cyber awareness:

No matter how strong and up to date your technological defenses are, they are only as strong as your employees. According to some reports, “55% of U.S. workers admitted to taking a risky action in 2021”. Other reports suggest that “80-95% of breaches are due to human errors”. It is therefore essential to regularly train your team in cyber awareness according to the threats presented by publications such as the CWE Top 25.

Protect yourself from the CWE top 25 attacks with powerful cyber awareness training

In this post, we gave you the tools and knowledge needed to protect yourself from the CWE Top 25 Attacks. As discussed above, the number and complexity of security challenges constantly evolve. However, our defensive capabilities also improve. We now have effective platforms that use innovative and engaging practices to enhance our teams’ cyber security awareness. This is key to strengthening your organization’s ability to handle threats like those from the CWE Top 25.

Contact CybeReady to achieve effective security training that ensures weaknesses such as those expressed in CWE Top 25 will be adequately dealt with before they become vulnerabilities.