The CWE/25, a ranking of the 25 most important software vulnerabilities, was created by MITRE in collaboration with the SANS Institute. The Common Weakness Enumeration (CWE) is a database of software security flaws discovered across the board in software development. The CWE details the vulnerability and suggests mitigation measures for each entry.

The OWASP Foundation is a nonprofit foundation that works to improve the security of software it releases OWASP Top 10 which is a standard awareness document for developers and web application security. It represents a broad consensus about the most critical security risks to web applications.

OWASP Top 10

1. Broken Access Control

Access controls are critical for securing applications against unauthorized access to data and resources. Failures frequently result in the unauthorized disclosure of information, the modification or deletion of all data, or the execution of business operations outside the user's scope.

2. Cryptographic Failures

Cryptographic Failures can either be a flawed encryption system or no encryption at all. The main impact of a cryptography failure is the potential exposure of sensitive data. Depending on the sensitive data that is not sufficiently safeguarded by encryption, there may be compliance, reputational, or competitive business risks associated with its exposure.

3. Injection

Injection is a risk category that describes threat actors' ability to provide web apps with malicious input that causes the program to execute unforeseen and undesired commands. When an app cannot distinguish between malicious input and its code, injection takes place.

  4. Insecure Design

Insecure design is a broad category representing different weaknesses, expressed as “missing or ineffective control design.”

5. Security Misconfiguration

This group of dangers concerns the improper configuration of an application's security components. Individual mistakes are frequently at work here, such as leaving cloud storage buckets open or opening ports that are not necessary.

6. Vulnerable and Outdated Components

These vulnerabilities come from using out-of-date frameworks or libraries that are easy to exploit.

7. Identification and Authentication Failures

To safeguard against threats linked to authentication, it is essential to confirm the user's identity, authenticate them, and manage their sessions. If the program allows automated assaults like credential stuffing, in which the attacker has a list of legitimate users and passwords, there may be authentication flaws.

8. Software and Data Integrity Failures

Failures in code and infrastructure that do not provide integrity protection are related to software and data integrity issues. This can happen when an application depends on plugins, libraries, or modules from unreliable sources and repositories.

9. Security Logging and Monitoring Failures

Monitoring and logging contribute to security responsibility, event visibility, incident alerting, and forensics. Failures in these capabilities seriously impair your company's capacity to identify and address application security breaches.

10. Server-Side Request Forgery (SSRF)

SSRF vulnerabilities occur when a web application retrieves a remote resource without checking the user-supplied URL. Even when the program is shielded by a firewall, VPN, or another sort of network access control list, it enables an attacker to force the application to submit a forged request to an unexpected location (ACL).

SANS/CWE Top 25 of 2022

1. CWE - 787: Out-of-bounds Write

The software writes data past the end, or before the beginning, of the intended buffer.

2. CWE - 79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

3. CWE - 89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

When sending a SQL command to a downstream component, the program generates all or a portion of it using input that has been impacted externally by an upstream component, but it fails to neutralize or does so in a way that could cause the intended SQL command to be altered.

4. CWE - 20: Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validate that the input has the properties that are required to process the data safely and correctly.

5. CWE - 125: Out-of-bounds Read

The software reads data past the end, or before the beginning, of the intended buffer.

6. CWE - 78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The software builds all or a portion of an OS command using input that has been modified externally by an upstream component, but it fails to remove or removes them wrongly specific aspects that could change the intended OS command when it is sent to a downstream component.

7. CWE - 416: Use After Free

Referencing memory after it has been freed can cause a program to crash, use unexpected values, or execute code.

8. CWE - 22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

The software constructs a pathname from external input to identify a file or directory that is beneath a restricted parent directory, but the pathname is not correctly neutralized to prevent it from resolving to a destination outside of the restricted directory.

9. CWE - 352: Cross-Site Request Forgery (CSRF)

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

10. CWE - 434: Unrestricted Upload of File with Dangerous Type

The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product's environment.

11. CWE - 476: NULL Pointer Dereference

A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit.

12. CWE - 502: Deserialization of Untrusted Data

The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

13. CWE - 190: Integer Overflow or Wraparound

When the logic in the software expects that the outcome will always be larger than the initial number, a calculation is performed that could result in an integer overflow or wraparound.

14. CWE - 287: Improper Authentication

When an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.

15. CWE - 798: Use of Hard-coded Credentials

The software contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

16. CWE - 862: Missing Authorization

The software does not perform an authorization check when an actor attempts to access a resource or perform an action.

17. CWE - 77: Improper Neutralization of Special Elements used in a Command ('Command Injection')

The software builds all or a portion of a command using input that has been influenced externally from an upstream component, but it fails to neutralize or does so in a way that could cause the intended command to be changed when it is sent to a downstream component.

18. CWE - 306: Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

19. CWE - 119: Improper Restriction of Operations within the Bounds of a Memory Buffer

The software operates on a memory buffer, but it has the ability to read from or write to memory locations that are outside the buffer's intended boundaries.

20. CWE - 276: Incorrect Default Permissions

During installation, installed file permissions are set to allow anyone to modify those files.

21. CWE - 918: Server-Side Request Forgery (SSRF)

The web server gets a URL or a request of a similar nature from an upstream component and obtains its contents, but it does not adequately verify that the request is being sent to the intended recipient.

22. CWE - 362: Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

A code sequence that can run concurrently with other code exists in the program, and while it needs temporary, exclusive access to a shared resource, there is a timing window in which the shared resource can be changed by another code sequence that is running concurrently.

23. CWE - 400: Uncontrolled Resource Consumption

The software's inability to effectively manage the allocation and upkeep of a finite resource allows an actor to affect how much of it is used, eventually exhausting the resource's supply.

24. CWE - 611: Improper Restriction of XML External Entity Reference

When an XML document is processed by the program, it may contain XML entities with URIs that resolve to documents outside of its intended control, which results in the product embedding false documents in its output.

25. CWE - 94: Improper Control of Generation of Code ('Code Injection')

The software creates all or a portion of a code segment using input that has been externally influenced by an upstream component, but it fails to remove or removes wrongly specific parts that could alter the syntax or behavior of the intended code segment.

What is the Difference?

OWASP top 10 is the main category and the CWE is a breakdown of each issue. 

However, as CWEs address software issues rather than just those related to web applications, they will occasionally have problems that don't fit into any of the OWASP Top 10 categories, as you can see below.

‍

SecOps Solution is an award-winning agent-less Full-stack Vulnerability and Patch Management Platform that helps organizations identify, prioritize and remediate security vulnerabilities and misconfigurations in seconds.

To schedule a demo, just pick a slot that is most convenient for you.