David A. Wheeler's Blog

Tue, 17 Sep 2019

CWE Top 25 for 2019

In case you weren’t aware of it, there is now a 2019 version of the CWE Top 25 list. This list attempts to rank the most important kinds of software vulnerabilities (what CWE calls “weaknesses”).

Their new approach is to directly use the National Vulnerability Database (NVD) to score the various kinds of vulnerabilities: each CWE is scored by how often it is assigned to CVE entries in the NVD for 2017-2018, weighted by the average CVSS severity of those entries. There are a number of limitations with this approach, and they discuss many of them in the cited page.

Their approach does have some oddities. For example, their #1 worst problem (CWE-119, Improper restriction of operations within the bounds of a memory buffer) is itself the parent of items #5 (CWE-125, out-of-bounds read) and #12 (CWE-787, out-of-bounds write), so the same kind of bug lands in one entry or the other depending on how specifically the NVD analyst chose to classify it.

Another oddity: they rank Cross-Site Request Forgery (CSRF) quite high (#9). CSRF doesn’t even appear in the 2017 (latest) OWASP Top 10 list, even though the OWASP Top 10 list focuses on websites (where CSRF can occur). I think this happens because the CWE folks are using a large dataset from 2017-2018, where there are still a large number of CSRF vulnerabilities. But the impact of those remaining vulnerabilities has been going down, due to changes to frameworks, standards, and web browsers. Most sites use a pre-existing framework, and frameworks have been increasingly adding on-by-default CSRF countermeasures.

The “SameSite” cookie attribute, which provides an easy countermeasure against CSRF, was implemented in most browsers around 2016-2018 (depending on the browser), but for it to take effect a website had to change how it set its cookies, and during that 2017-2018 timeframe websites were only starting to deploy those changes. As of late 2019 several browsers are in the process of switching their SameSite defaults so that they counter CSRF by default, without requiring sites to do anything: a cookie with no SameSite attribute is treated as SameSite=Lax, and a cookie that explicitly opts out with SameSite=None is only honored if it is also marked Secure. (In particular, see the announcement for Chrome and the change log for Mozilla Firefox.) These changes to the SameSite defaults implement the security improvements proposed in Incrementally Better Cookies by M. West in May 2019. This change in the security default could not realistically have been made before 2019 because of a bug in the Apple Safari browser, which treated SameSite=None as if it were SameSite=Strict; that bug was only fixed in 2019. As more browsers self-protect against CSRF by default, without requiring sites or developers to do anything, CSRF vulnerabilities will become dramatically less likely. This once again shows the power of defaults; systems should be designed to be secure by default whenever possible, because normally people simply accept the defaults.

That said, having a top 25 list based on quantitative analysis is probably for the best long-term, and the results appear to be (mostly) very reasonable. I’m glad to see it!
