CWE Top 25 2022. Review of changes

Unicorn Developer
Published in PVS-Studio
Aug 1, 2022

The CWE Top 25 list reflects the most serious software security weaknesses. I invite you to read the updated top list to become aware of the changes that happened over the past year.

We position the PVS‑Studio analyzer not only as a tool for finding bugs in code but also as a static application security testing (SAST) tool. For a better understanding of trends and planning of diagnostic rules, there is nothing better than to look at the latest list of the most relevant security issues. There are several such lists, for example, OWASP Top 10, SANS Top 25, and the above-mentioned CWE Top 25.

By the way, last year we already wrote about changes in the CWE Top 25 2021 — you can find the article here.

A bit of theory

To better understand the context, let’s brush up on some topics. To do this, let’s skim through the following points:

  • how does CVE differ from CWE;
  • why do we need CVSS;
  • what are NVD and KEV;
  • how the CWE Top 25 2022 is ranked.

If you feel CWE savvy, you can safely skip this section. Otherwise, I strongly recommend that you refresh those points before you read the article. Below is a rather free interpretation of some questions from the CWE FAQ and the CVE FAQ:

How does a software weakness differ from a software vulnerability?

Weaknesses are defects, failures and other issues of implementation, design or architecture of the software that may lead to vulnerabilities.

Vulnerabilities are errors that have already been found by someone. Attackers may exploit these vulnerabilities to get access to a system or a network, to disrupt services, etc.

What is CWE and how is it different from CVE? How does CVSS figure here and where did KEV come from?

  • CWE (Common Weakness Enumeration) is a general list of security defects.
  • CVE (Common Vulnerabilities and Exposures) is a list of vulnerabilities found in various software.
  • CVSS (Common Vulnerability Scoring System) is a numerical score that indicates the potential severity of a vulnerability (CVE). It is based on a standardized set of characteristics.
  • KEV (Known Exploited Vulnerabilities) is a catalog of known exploited vulnerabilities.

Why do I need to know about CWE?

Today, developers use CWE as the main tool when discussing how to eliminate and/or minimize security defects in the architecture, design, code, and software implementation. Organizations use CWE as a standard measure for evaluating software security verification tools and as a common baseline standard for identifying, preventing, and minimizing negative consequences.

What is CWE Top 25?

CWE Top 25 is a list of the most dangerous and common defects. These defects are dangerous because someone can easily find and exploit them. Attackers can use them to disrupt the application’s operation, steal data or even completely take over a system. CWE Top 25 is a significant community resource that can help you get an idea of the currently most common and dangerous security defects.

What algorithm is used to compile and rank the CWE Top 25 list?

The main sources for this year’s list were:

  • data from the U.S. National Vulnerability Database (NVD) for 2020–2021;
  • the Known Exploited Vulnerabilities (KEV) catalog that was compiled in November 2021 by the Cybersecurity and Infrastructure Security Agency (CISA).

The CWE team researchers processed the obtained data according to the View-1003 method to reduce the specificity of records. For example, CWE-122 (Heap-Based Buffer Overflow) is converted to basic CWE-787 (Out-of-Bounds Write). The CWE team also filtered the data and removed from the Top 25 list the following items:

  • CVEs if they do not have a CVSS score;
  • CVEs whose description is labeled “REJECT”;
  • CVEs without a mapping to any CWE;
  • CVEs that are labeled with “CWE-Other” or “NVD-CWE-noinfo”.

Next, the team of researchers used their own formula to calculate the ranking order. This formula takes into account the potential danger of exploitation and the frequency with which a defect (CWE) is the main cause of a vulnerability. The formula normalizes the frequency and the predicted severity relative to their minimum and maximum values. To obtain the frequency of mentions, the formula counts how many times CVEs referred to a CWE within the NVD.

Freq = {count(CWE_X’ ∈ NVD) for each CWE_X’ in NVD}

Fr(CWE_X) = (count(CWE_X ∈ NVD) - min(Freq)) / (max(Freq) - min(Freq))

Another important component of the scoring formula is a defect’s severity. The following formula calculates it:

Sv(CWE_X) = (average_CVSS_for_CWE_X - min(CVSS)) / (max(CVSS) - min(CVSS))

Finally, the score is calculated by multiplying the frequency of mention by the severity score.

Score(CWE_X) = Fr(CWE_X) * Sv(CWE_X) * 100
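
The filtering rules, the View-1003 collapse and the three formulas above, run end to end on a small data set. This is an example added here, not code from the CWE team or PVS-Studio; the records are constructed, the only View-1003 mapping used is the one the article names, and taking min/max CVSS over all retained CVE scores is an assumption.

```python
from collections import defaultdict

# Constructed sample records, not real NVD data: (id, CWE, CVSS, description)
SAMPLE_CVES = [
    ("SAMPLE-01", "CWE-122", 9.8, "heap overflow in image parser"),
    ("SAMPLE-02", "CWE-787", 7.8, "out-of-bounds write"),
    ("SAMPLE-03", "CWE-787", 8.8, "out-of-bounds write"),
    ("SAMPLE-04", "CWE-79", 6.1, "stored XSS"),
    ("SAMPLE-05", "CWE-79", 5.4, "reflected XSS"),
    ("SAMPLE-06", "CWE-89", 9.8, "SQL injection"),
    ("SAMPLE-07", "CWE-89", None, "no CVSS score assigned"),
    ("SAMPLE-08", "CWE-79", 6.1, "** REJECT ** duplicate entry"),
    ("SAMPLE-09", None, 7.5, "no CWE mapping"),
    ("SAMPLE-10", "NVD-CWE-noinfo", 7.5, "insufficient information"),
    ("SAMPLE-11", "CWE-Other", 4.3, "unclassified weakness"),
]

VIEW_1003 = {"CWE-122": "CWE-787"}  # only the mapping named in the article
EXCLUDED = {"CWE-Other", "NVD-CWE-noinfo"}

def filter_and_normalize(records):
    """Apply the four exclusion rules, then collapse CWEs via View-1003."""
    kept = []
    for _cve, cwe, cvss, desc in records:
        if cvss is None or cwe is None or cwe in EXCLUDED or "REJECT" in desc:
            continue
        kept.append((VIEW_1003.get(cwe, cwe), cvss))
    return kept

def rank(records):
    """Return [(cwe, score)] sorted by Score = Fr * Sv * 100, descending."""
    by_cwe = defaultdict(list)
    for cwe, cvss in filter_and_normalize(records):
        by_cwe[cwe].append(cvss)
    freq = {cwe: len(v) for cwe, v in by_cwe.items()}
    f_min, f_max = min(freq.values()), max(freq.values())
    # Assumption: min/max CVSS are taken over all retained CVE scores.
    all_cvss = [s for v in by_cwe.values() for s in v]
    c_min, c_max = min(all_cvss), max(all_cvss)
    if f_min == f_max or c_min == c_max:
        raise ValueError("normalization range is zero")
    scores = {}
    for cwe, v in by_cwe.items():
        fr = (freq[cwe] - f_min) / (f_max - f_min)
        sv = (sum(v) / len(v) - c_min) / (c_max - c_min)
        scores[cwe] = round(fr * sv * 100, 2)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    for cwe, score in rank(SAMPLE_CVES):
        print(f"{cwe:8} {score:6.2f}")
```

In this sample CWE-89 scores 0 despite its 9.8 CVSS, because the least frequent CWE always gets Fr = 0 under min-max normalization.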

In general, the methodology of data analysis has not changed much this year. But next year, the CWE team is planning more significant changes. Here are some of them:

  • support generation of more specialized lists, such as Top 25 for mobile applications, etc.;
  • consider changing the metrics used to generate the list to minimize some of the bias (here are more details);
  • enhance the View-1003 methodology;
  • perform normalization using different views besides View-1003;
  • if possible, perform more CVE -> CWE mappings to reduce the number of one-off edits to the mapping data.

You can find more information about the methodology of data preparation and analysis in the supplemental details pertaining to the CWE Top 25 list.

How big is the sampling this year?

The dataset contained a total of 37,899 CVEs from the previous two calendar years.

Is the Top 25 updated every year?

Yes, it is updated annually. For information about previous versions, visit CWE Top 25 archive.

Who participates in the development of CWE Top 25?

The CWE community includes individual researchers and representatives of numerous organizations, the scientific community, and government agencies. They are all interested in eliminating software defects. You can get a list of CWE Team members on the “CWE Community Members” page.

Read more about classification on the cwe.mitre.org website.

The situation today

Below is a table of correspondence between the CWE Top 25 2022 list and the PVS-Studio diagnostic rules, divided by programming languages. You can always check the most up-to-date table with CWE Top 25 coverage on our website.

The table shows that the PVS-Studio static analyzer now covers 68% (17 out of 25) of the CWE Top 25 2022 list. Last year, the coverage was 52%. The significant improvement in coverage over the year is a credit to the large number of SAST-oriented diagnostic rules that were released by PVS-Studio over the past year.

Changes in the CWE Top 25 over the past year

The biggest upshifts:

The biggest downshifts:

“Newbies” in the Top 25:

And finally, the defects that dropped out of the CWE Top 25 in 2022:

Key points:

  • the top ten places remain fairly stable;
  • CWE-787 (Out-of-bounds Write) still holds the lead;
  • CWE-502 (Deserialization of Untrusted Data) and CWE-862 (Missing Authorization) are steadily rising to the top year by year;
  • this year, CWE-362 (Concurrent Execution using Shared Resource with Improper Synchronization (‘Race Condition’)) broke into the top, immediately rising by 11 places compared to last year;
  • CWE-306 (Missing Authentication for Critical Function) that appeared in 2020 and skyrocketed last year, dropped this year;
  • the largest downward movement was marked by CWE-522 (Insufficiently Protected Credentials), which fell by 17 points at once.

Below the top

As a bonus, let’s see what defects did not make it into the 2022 CWE Top 25 and may well enter the top next year:

Although these defects did not make it to the top, they are still important because under favorable circumstances they may turn into vulnerabilities.

Conclusion

I hope you enjoyed this article and understood the current terminology.

Fortunately, static analyzers help us fight potential vulnerabilities. Therefore, I invite you to download and test the PVS-Studio static analyzer on your project. Maybe a couple of CWEs crept into your code and are about to become CVE :)
