CWE Top 25: 2020 v. 2021

Image by Lawrence Monk from Pixabay.

In our previous post, we have mentioned that the Common Weakness Enumeration (CWE) list can be long and daunting to look at when you’re first getting started. As such, one of our recommendations is to focus on items that make up the CWE Top 25 Most Dangerous Software Weaknesses.

What is the CWE Top 25 Most Dangerous Software Weaknesses List?

The CWE Top 25 Most Dangerous Software Weaknesses lists issues that are especially dangerous. Per the CWE team

[T]hey are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working.

To determine whether a vulnerability type should be included or not, the CWE team looked at:

These prevalence and severity data points were then used in a formula to create an overall score that aims to capture how dangerous each weakness was. Weaknesses are then ranked based on this overall score.

Changes in the Top 25 Between 2020 and 2021

As you might expect, the Top 25 list is a living document that changes over time. Just as the software industry involves, the threats facing software evolve as well.

There are three vulnerabilities that show up on the 2021 list but weren’t included on the 2020 list:

  • CWE-276 (Incorrect Default Permissions) has moved from #41 to #19
  • CWE-918 (Server-Side Request Forgery (SSRF)) has moved from #27 to #24
  • CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)) has moved from #31 to #25

Other major movements upward on this list (indicative of increased threat) include:

  • CWE-306 (Missing Authentication for Critical Function), which moved from #24 to #11
  • CWE-502 (Deserialization of Untrusted Data), which moved from #21 to #13
  • CWE-862 (Missing Authorization), which moved from #25 to #18

Not all of the news is bad news, however. In some cases, there was significant movement downwards, and the following entries dropped out of the Top 25:

  • CWE-400 (Uncontrolled Resource Consumption) dropped from #23 to #27
  • CWE-94 (Improper Control of Generation of Code (‘Code Injection’)) dropped from #17 to #28
  • CWE-269 (Improper Privilege Management) dropped from #22 to #29

Considerations to Keep in Mind

The CWE Top 25 is helpful in that it captures weaknesses that are common and impactful. However, there are biases inherent in the list.

For example, the CWE team has modified its mapping practices over the past year with the hopes of making the vulnerability entries better reflect the CWE ID to which they belong. In a few years, the impact this change will have on list movement will peter out; in the meantime, it is a significant contributing factor.

Furthermore, the CWE team relies on reported information. Companies that report frequently could skew the data, while those who never report the data are also impactful. There may also be weaknesses that exist and aren’t discovered — these issues may be hazardous, but they’re not reflected on the Top 25 list without any reported data.

Nevertheless, the CWE Top 25 is a helpful resource for those looking to tackle some commonly occurring vulnerabilities.


CWE Top 25: 2020 v. 2021 was originally published in ShiftLeft Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

*** This is a Security Bloggers Network syndicated blog from ShiftLeft Blog – Medium authored by Katie Horne. Read the original post at: https://blog.shiftleft.io/cwe-top-25-2020-v-2021-2c7918dddd18?source=rss—-86a4f941c7da—4