5 Essential Tips to Protect Yourself from the CWE Top 25 Attacks
More than 400 years ago, Francis Bacon coined the phrase, “opportunity makes a thief”. In 2022, 82% of CIOs believe their software supply chains are vulnerable, and cybercriminals can penetrate 93 percent of company networks. Bacon’s saying is more relevant than ever, with CISOs and other cyber security professionals constantly needing to detect and remediate weaknesses in their systems while training their staff to tackle them adequately.
Programs like the CWE (Common Weakness Enumeration) and CWE Top 25 (CWE Top 25 Most Dangerous Software Weaknesses list) were created to help identity, recognize, and prioritize such weaknesses to prevent and minimize security vulnerabilities.
The CWE is used in all aspects of cyber security, from the early development stage (architecture and design), through code, hardware, and software implementation, to managing the enterprise’s cyber security. In this post, we give you the tools and knowledge needed to protect yourself from the CWE Top 25 Attacks by explaining and discussing:
- What is the CWE Top 25?
- What is CVE and how is it different from CWE?
- How to use the 2022 CWE Top 25
- 5 essential tips to protect yourself from CWE top 25 attacks
What is the CWE Top 25?
What is CWE?
The CWE is a community-developed list of software and hardware security weaknesses sponsored by governments and non-profit organizations such as the MITRE Corporation and CISA (the US government Cyber security and Infrastructure Security Agency).
What is the CWE Top 25?
The CWE Top 25 lists of the most prevalent and significant software weaknesses that can easily be found and used by bad actors to breach systems, steal data, stop applications from working, or take over the entire system.
The CWE Top 25 (like the CWE program) is designed to help developers and security professionals (CISOs, InfoSec, security managers, etc.) by creating a common standardized language when:
- Discussing software and hardware weaknesses.
- Identifying and preventing such weaknesses during the development stage and before deployment.
- Checking and handling weaknesses and vulnerabilities in existing software and hardware products.
- Evaluating and verifying tools addressing these weaknesses.
Recent and future planned changes in methodology for CWE Top 25
The main change to the methodology of the 2022 CWE Top 25 is the use of KEV (Known Exploited Vulnerabilities Catalog), published by CISA in November 2021. KEV includes roughly 800 flaws known to have been exploited by cyber attacks. It is also worth mentioning that next year, the CWE team is planning more changes:
- Support the generation of custom or more specialized lists (e.g., Top 25 for mobile applications or web applications)
- Consider changing the metrics used.
- Change the sampling methodology.
- Improve the expressiveness of View-1003(CWE VIEW: Weaknesses for Simplified Mapping of Published Vulnerabilities).
- Perform normalization using different views besides View-1003.
What is CVE and how is it different from CWE?
CVE (Common Vulnerabilities and Exposures)is a program created in 1999 and operated by the MITRE Corporation (managing the National Cyber security FFRDC federally funded research and development center – NCF), and the National Cyber Security Division (NCSD) of the USDepartment of Homeland Security.
The CVE program identifies, defines, and catalogs publicly known information-security vulnerabilities. The CVE contains a single record for each vulnerability in the catalog and a reference ID for each vulnerability. Cyber security professionals use this reference system to ensure they are referring to the same vulnerability.
The CVE reference method is used by the CWE and CWE Top 25 when addressing the weaknesses in the list.
How to Use the 2022 CWE Top 25
Below is a table of the CWE Top 25 for 2022:
Rank | ID | Name | Score | KEV Count (CVEs) | Rank Change vs. 2021 | |
1 | CWE-787 | Out-of-bounds Write | 64.2 | 62 | 0 | |
2 | CWE-79 | Improper Neutralization of Input During Web Page Generation (‚Cross-site Scripting‘) | 45.97 | 2 | 0 | |
3 | CWE-89 | Improper Neutralization of Special Elements used in an SQL Command (‚SQL Injection‚) | 22.11 | 7 | +4 | |
4 | CWE-20 | Improper Input Validation | 20.63 | 20 | 0 | |
5 | CWE-125 | Out-of-bounds Read | 17.67 | 1 | -2 | |
6 | CWE-78 | Improper Neutralization of Special Elements used in an OS Command (‚OS Command Injection‘) | 17.53 | 32 | -1 | |
7 | CWE-416 | Use After Free | 15.5 | 28 | 0 | |
8 | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (‚Path Traversal‘) | 14.08 | 19 | 0 | |
9 | CWE-352 | Cross-Site Request Forgery (CSRF) | 11.53 | 1 | 0 | |
10 | CWE-434 | Unrestricted Upload of File with Dangerous Type | 9.56 | 6 | 0 | |
11 | CWE-476 | NULL Pointer Dereference | 7.15 | 0 | +4 | |
12 | CWE-502 | Deserialization of Untrusted Data | 6.68 | 7 | +1 | |
13 | CWE-190 | Integer Overflow or Wraparound | 6.53 | 2 | -1 | |
14 | CWE-287 | Improper Authentication | 6.35 | 4 | 0 | |
15 | CWE-798 | Use of Hard-coded Credentials | 5.66 | 0 | +1 | |
16 | CWE-862 | Missing Authorization | 5.53 | 1 | 2 | |
17 | CWE-77 | Improper Neutralization of Special Elements used in a Command (‚Command Injection‘) | 5.42 | 5 | +8 | |
18 | CWE-306 | Missing Authentication for Critical Function | 5.15 | 6 | -7 | |
19 | CWE-119 | Improper Restriction of Operations within the Bounds of a Memory Buffer | 4.85 | 6 | -2 | |
20 | CWE-276 | Incorrect Default Permissions | 4.84 | 0 | -1 | |
21 | CWE-918 | Server-Side Request Forgery (SSRF) | 4.27 | 8 | +3 | |
22 | CWE-362 | Concurrent Execution using Shared Resource with Improper Synchronization (‚Race Condition‘) | 3.57 | 6 | +11 | |
23 | CWE-400 | Uncontrolled Resource Consumption | 3.56 | 2 | +4 | |
24 | CWE-611 | Improper Restriction of XML External Entity Reference | 3.38 | 0 | -1 | |
25 | CWE-94 | Improper Control of Generation of Code (‚Code Injection‘) | 3.32 | 4 | +3 |
Effectively using the 2022 CWE Top 25
One of the most effective ways to utilize the CWE Top 25 is to use it to set priorities when developing a system or handling its security. In this way, the list can help developers and security experts to mitigate the issues according to their gravity, thus ensuring the organization’s resources are used efficiently and optimally.
5 essential tips to protect yourself from CWE top 25 attacks
1. Implement secure authorization across the organization.
Authorization is the fundamental way the system determines if a client has permission to use any resource or access any file. Securing the authorization process across the organization is critical in preventing attacks from succeeding. For example:
“CWE-862: Missing Authorization – The software does not perform an authorization check when an actor attempts to access a resource or perform an action.”
CWE suggestions for Mitigation:
- The software should be divided into anonymous, normal, privileged, and administrative areas. Attack surface must be reduced by mapping roles with data and functionality and role-based access control use.
- Ensure that access control checks are performed related to the business logic.
- Access control mechanisms for web applications should be enforced correctly on the server side on every page. Users should not be able to access any unauthorized functionality or information by simply requesting direct access to that page.
- Use the access control capabilities of your operating system and server environment and define your access control lists accordingly. When defining these ACLs, use a „default deny“ policy.
2. Encrypt sensitive data at rest and in transit:
Strong encryption of sensitive data at all locations and at all times (during rest or when transmitted) is critical and a basic requirement ofmany security standards. For example:
“CWE-798: Use of Hard-coded Credentials: The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its inbound authentication, outbound communication to external components, or encryption of internal data.”
CWE suggestions for Mitigation:
Outbound authentication:
- Passwords, keys, and other credentials must be stored outside of the code in a strongly-protected, encrypted configuration file or database. These should be protected from access by all outsiders, including other local users on the same system.
- Properly protect the key (CWE-320). If you cannot use encryption, make sure the permissions are as restrictive as possible.
Inbound authentication:
- Rather than hard-code a default username and password, key, or other authentication credentials for first-time logins, utilize a „first login“ mode that requires the user to enter a unique, strong password or key.
- If the software must contain hard-coded or non-removable credentials, check the access control and limit which entities can access the feature that requires these credentials.
Inbound authentication using passwords:
- Apply strong one-way hashes to passwords and store them in a configuration file or database with appropriate access control.
- When handling an incoming password during authentication, take the hash of the password and compare it to the saved hash.
- Use randomly assigned salts for each separate hash generated to increase the amount of computation an attacker needs to conduct a brute-force attack.
Possible solutions for front-end to back-end connections:
- Use automatically generated passwords/ keys that must be entered and changed at specific time intervals by a system administrator. They should be held in the memory and only be valid for the time intervals).
- The passwords/ keys should be limited at the back end to only performing actions valid for the front end instead of full access.
- The messages sent should be tagged and check summed with time-sensitive values (to prevent replay-style attacks).
3. Take authentication seriously:
Authentication is key in enabling the organization to guarantee that only authorized and trusted processes and users can access its system’s resources. For example:
“CWE-287: Improper Authentication – When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.”
CWE suggestion for Mitigation:Use an authentication framework or library such as the OWASP ESAPI (The OWASP Enterprise Security API) Authentication feature.
“CWE-306: Missing Authentication for Critical Function – The software does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
CWE suggestions for Mitigation:
- Divide the software into anonymous, normal, privileged, and administrative categories. Identify which areas demand a proven user identity and use a centralized authentication capability.
- Identify and map all potential communication channels or other ways the software is interacted with to ensure that all channels are appropriately protected.
- Duplicate any security checks performed on the client and server sides.
- Custom authentication routines should be avoided and instead use authentication capabilities provided by the surrounding framework, operating system, or environment. These will help in providing a clear distinction between authentication tasks and authorization tasks.
- Use a vetted library or framework that does not allow this weakness to occur (such as OpenSSL, the ESAPI Authenticator, etc.)
4. Continuously update cyber security policies and procedures:
As threats and attacks continue to evolve, another basic principle is constantly updating cyber security policies and procedures. This is another main requirement in many security standards and security standard compliance to-do lists. Let’s look at the visual representation of the difference between the 2021 and 2022 CWE Top 25 lists.
As can be clearly understood from the chart above, CWE Top 25 is dynamic and constantly changing. Cyber security policies and procedures must be regularly updated to align with the most recent and relevant weaknesses and vulnerabilities.
5. Train staff in cyber awareness:
No matter how strong and updated your technological defenses are, they are only as strong as your employees. According to some reports, “55% of U.S. workers admitted to taking a risky action in 2021”. Other reports suggest that “80-95% of breaches are due to human errors”. It is therefore essential to regularly train your team in cyber awareness according to threats presented by publications such as the CWE 25 Top.
Protect yourself from the CWE top 25 attacks with powerful cyber awareness training
In this post, we gave you the tools and knowledge needed to protect yourself from the CWE Top 25 Attacks. As discussed above, the amount and complexity of security challenges constantly evolve. However, our defensive capabilities also improve. We now have effective platforms that use innovative and engaging practices to enhance our teams‘ cyber security awareness. This is key to strengthening your organization’s ability to handle threats like those from the CWE Top 25.
Contact CybeReady to achieve effective security training that ensures weaknesses such as those expressed in CWE Top 25 will be adequately dealt with before they become vulnerabilities.