Blog

September 28, 2020

What Is CWE? Overview + CWE Top 25

Stuart Foster
Stuart Foster

Security & Compliance,

Software Quality

CWE and CWE Top 25 secure coding practices help you safeguard your code against rising software security risks. Here we explain what is CWE and the CWE Top 25.

Read along or jump ahead to the section that interests you the most:

Table of Contents

  1. What Is CWE?
  2. What Is CWE Top 25?
  3. How to Ensure CWE Security with Static Analysis?
  4. Use Klocwork to Ensure Software Security

➡️ Ensure CWE Security with Klocwork

Back to top

What Is CWE?

Common Weakness Enumeration (CWE) list identifies software security weaknesses in software and hardware. This includes C, C++, and Java. The list is compiled by feedback from the CWE Community.

Sponsored by the MITRE Corporation, the community is made up of representatives from major operating systems vendors, commercial information security tool vendors, academia, government agencies, and research institutions.

The full list is regularly updated every few months with the latest version released in August 2020. The security weakness list includes over 600 categories, which include:

📕 Related Resource: Learn about the top embedded security vulnerabilities.

 

Back to top

What Is CWE Top 25?

Published by MITRE, the CWE Top 25 is a compilation of the most widespread and critical weaknesses that could lead to severe software vulnerabilities. The most recent list was published in 2020 and listed vulnerabilities that allowed hackers to gain control over an affected system, steal sensitive data, and cause a denial-of-service condition.

CWE Top 25

Here is the list of the 2020 CWE Top 25 software weaknesses:

  1. Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”)
  2. Out-of-bounds Write
  3. Improper Input Validation
  4. Out-of-bounds Read
  5. Improper Restriction of Operations within the Bounds of a Memory Buffer
  6. Improper Neutralization of Special Elements used in an SQL Command (“SQL Injection”)
  7. Exposure of Sensitive Information to an Unauthorized Actor
  8. Use After Free
  9. Cross-Site Request Forgery (CSRF)
  10. Improper Neutralization of Special Elements used in an OS Command (“OS Command Injection)
  11. Integer Overflow or Wraparound
  12. Improper Limitation of a Pathname to a Restricted Directory (“Path Traversal”)
  13. NULL Pointer Dereference
  14. Improper Authentication
  15. Unrestricted Upload of File with Dangerous Type
  16. Incorrect Permission Assignment for Critical Resource
  17. Improper Control of Generation of Code (“Code Injection”)
  18. Insufficiently Protected Credentials
  19. Improper Restriction of XML External Entity Reference
  20. Use of Hard-coded Credentials
  21. Deserialization of Untrusted Data
  22. Improper Privilege Management
  23. Uncontrolled Resource Consumption
  24. Missing Authentication for Critical Function
  25. Missing Authorization
Back to top

How to Ensure CWE Security with Static Analysis?

The best way to ensure that your code is secure is to use a SAST tool, like Klocwork.

SAST tools identify and eliminate security vulnerabilities and software defects early on in development. This helps to ensure that your software is secure, reliable, and compliant.

Klocwork helps you:

  • Identify and analyze security risks and prioritizes severity.
  • Fulfill compliance standard requirements.
  • Apply and enforce coding standards.
  • Verify and validate through testing.
  • Achieve compliance and get certified faster.
📕 Related Resource: Review the SAST tutorial for additional software security resources.

 

Back to top

Use Klocwork to Ensure Software Security

See for yourself how Klocwork can help you enforce software security standards, register for a free trial.

➡️ register for Klocwork free trial

Back to top