
The Top 25 Software Errors According to the SANS Institute

The CWE/SANS Top 25 is a list of the most dangerous common software errors that can leave your application vulnerable to bad actors. It’s put together by MITRE and the SANS Institute as part of the Common Weakness Enumeration (CWE) project. The list can help you prioritize your application security efforts based on prevalence and potential impact. 

The Most Severe Errors in the CWE/SANS Top 25

Here’s a closer look at some of the most prominent errors in the CWE/SANS Top 25, including how they can be exploited for malicious intent. 

1. Out-of-Bounds Write (CWE-787)

The top error on the newest version of the list occurs when a program writes data past the end (or before the start) of the buffer it was meant to write to. Because the stray write corrupts whatever happens to sit in adjacent memory, it can allow attackers to execute malicious code or crash your application. 

2. Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting) (CWE-79)

Cross-site scripting (XSS) is an error that lets hackers inject scripts into web pages. The injected script then runs in the user’s browser with the trust of the affected site, so the browser executes it as if it were legitimate page code. 
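The root cause of CWE-79 is that untrusted text is written into an HTML document without being encoded for the context it lands in. The following added example (written for this article, not code from Kiuwan or from the CWE project) shows the vulnerable and hardened forms side by side; the display name is a constructed sample input, and the `alert(1)` fragment is the usual harmless marker used to show where a tag survived unencoded.

```python
import html

# Constructed sample input: a display name taken from an untrusted request parameter.
UNTRUSTED_NAME = "Ada <script>alert(1)</script>"


def render_greeting_vulnerable(name: str) -> str:
    """CWE-79: the untrusted value is concatenated straight into the HTML body."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name: str) -> str:
    """Hardened form: encode for the HTML body context before emitting.
    quote=True also encodes ' and ", so the same helper is safe inside a
    quoted attribute value (see render_title below)."""
    return f"<p>Hello, {html.escape(name, quote=True)}!</p>"


def render_title(name: str) -> str:
    """Attribute context: without quote=True a name containing a double quote
    could close the attribute and start a new one."""
    return f'<a href="/profile" title="{html.escape(name, quote=True)}">profile</a>'


def contains_raw_tag(fragment: str) -> bool:
    """Check used to compare the two renderers: is an unencoded tag still present?"""
    return "<script" in fragment.lower()
```

`html.escape` is the right encoder only for HTML body and quoted-attribute contexts; text placed inside a `<script>` block, a URL, or a CSS value needs the encoder for that context, and a templating engine with auto-escaping enabled is usually the simpler way to get this right everywhere.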

3. Improper Neutralization of Special Elements Used in an SQL Command (SQL Injection) (CWE-89)

An SQL injection attack opens up an avenue for an attacker to manipulate the queries your application makes to a database. Hackers can use an SQL injection attack to view, change, or delete sensitive data. 
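CWE-89 comes down to the same confusion of data with code: when user input is spliced into the SQL text, the database cannot tell where the query ends and the data begins. The added example below (not code from Kiuwan or the CWE project; the in-memory `users` table and its two rows are constructed for illustration) shows this with an ordinary username containing an apostrophe, which breaks the naive query outright, while the parameterized version handles it correctly because the value never touches the SQL parser.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the application's user store."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("O'Brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_email_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """CWE-89: the untrusted value becomes part of the SQL statement text."""
    sql = f"SELECT email FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]


def find_email(conn: sqlite3.Connection, username: str) -> list:
    """Hardened form: a parameterized query. The driver sends the value
    separately from the statement, so it can never be parsed as SQL."""
    rows = conn.execute("SELECT email FROM users WHERE username = ?", (username,))
    return [row[0] for row in rows]


def demo() -> tuple:
    """Returns (naive_query_failed, parameterized_result) for the name O'Brien."""
    conn = make_db()
    try:
        find_email_vulnerable(conn, "O'Brien")
        naive_failed = False
    except sqlite3.OperationalError:
        # The apostrophe inside the data was interpreted as SQL syntax.
        naive_failed = True
    return naive_failed, find_email(conn, "O'Brien")
```

The syntax error is the benign symptom; the same mechanism lets a crafted value change the meaning of the query, which is what the CWE entry is about. Parameterized queries (or an ORM that uses them) remove the issue at the root, and input validation on top of that limits what reaches the database at all.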

4. Use After Free (CWE-416)

Hackers can exploit a use after free error by continuing to use memory after it’s been “freed” by the application. They can escalate privileges, gain unauthorized access, or trick the program into running a malicious script. 

Other Common Errors

Some of the other most significant errors include: 

  • Improper Neutralization of Special Elements Used in an OS Command
  • Improper Input Validation
  • Out-of-Bounds Read
  • Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
  • Cross-Site Request Forgery (CSRF)
  • Unrestricted Upload of File With Dangerous Type
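Two of the entries above, path traversal and unrestricted file upload, are usually fixed in the same place: the code that turns a user-supplied name into a location on disk. The added example below (not code from Kiuwan or the CWE project) confines a requested path to an assumed upload directory (`UPLOAD_ROOT`) and accepts uploads only from an assumed extension allowlist; both constants are placeholders for whatever your application actually uses.

```python
import os

UPLOAD_ROOT = "/srv/app/uploads"                 # assumed storage directory
ALLOWED_EXTENSIONS = {".png", ".jpg", ".pdf"}    # assumed allowlist for this application


def safe_join(base: str, user_path: str):
    """Path traversal (CWE-22) mitigation: resolve the candidate path, including
    any '..' segments and symlinks, then require that it is still inside `base`.
    Returns the resolved absolute path, or None when it escapes."""
    base_real = os.path.realpath(base)
    # os.path.join discards `base` if user_path is absolute; realpath + commonpath
    # still catches that case because the result then lies outside base_real.
    candidate = os.path.realpath(os.path.join(base_real, user_path))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate


def accept_upload(filename: str):
    """Unrestricted upload (CWE-434) mitigation: keep only the base name (dropping
    any directory part, with either separator) and allow only known extensions.
    Returns the sanitized file name, or None if the upload should be rejected."""
    name = os.path.basename(filename.replace("\\", "/"))
    _, ext = os.path.splitext(name)
    if not name or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    return name
```

An extension check is only one layer: the stored files should also live outside the web root, be served with a fixed content type, and never be executable by the web server, otherwise a file that passes the allowlist can still be abused once it is reachable by URL.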

Changes from Previous Version

The 2023 version of the CWE/SANS Top 25 was updated to reflect changes in the threat landscape and new technologies. The top three positions weren’t changed from the 2021 version. However, some weaknesses were reranked due to higher or lower priorities, while others were added or removed.

Existing weaknesses that were reranked include: 

  • Use After Free moved from 7th place to 4th
  • Improper Neutralization of Special Elements used in an OS Command moved up to 5th place from 6th
  • Missing Authorization moved up five positions from 16th to 11th
  • Improper Privilege Management moved up seven positions from 29th to 22nd

Two new vulnerabilities were added to the list: 

  • Improper Privilege Management (CWE-269) 
  • Incorrect Authorization (CWE-863)

Two others moved out of the top 25:

  • Uncontrolled Resource Consumption (CWE-400)
  • Improper Restriction of XML External Entity Reference (XXE) (CWE-611)

Trends in Vulnerabilities

Hackers are finding and exploiting more obscure vulnerabilities and are becoming more sophisticated in their attack methods. Some emerging types of threats that application security teams need to guard against include the following: 

Artificial Intelligence (AI)-Powered Attacks

AI is contributing to cyberattacks at scale by automating the processes of finding and exploiting weaknesses. Many entries in the CWE/SANS Top 25, such as input validation weaknesses and authentication flaws, highlight the need to bolster your application’s defenses by eliminating these vulnerabilities. 

The following errors facilitate these types of attacks: 

  • Improper Input Validation (CWE-20)
  • Improper Authentication (CWE-287)
  • Cross-site Scripting (CWE-79)

Ransomware Attacks

Ransomware-as-a-Service platforms have lowered the barrier to committing these types of attacks. They often exploit vulnerabilities that give hackers access to your system’s critical functions or allow unauthorized code execution. 

The following vulnerabilities are particularly relevant for ransomware attacks: 

  • Improper Restriction of Operations Within the Bounds of a Memory Buffer (CWE-119)
  • Use of Hardcoded Credentials (CWE-798)
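Hardcoded credentials (CWE-798) are one of the few entries on the list that a static scanner can flag with high confidence, because the secret is literally in the source. The added example below (written for this article; it is not Kiuwan’s scanner or any of its rules) runs a small credential-assignment check over a few constructed source lines and shows the hardened form of the flagged line, in which the secret is supplied at runtime instead of committed to the repository.

```python
import os
import re

# Constructed sample source lines, as a SAST-style scanner would see them.
SAMPLE_SOURCE = """\
import os
DB_HOST = "db.internal"
DB_PASSWORD = "Sup3rS3cret!"              # CWE-798: literal secret in source
api_key = 'AKIAEXAMPLEKEY0000000'         # constructed placeholder, not a real key
password = os.environ["DB_PASSWORD"]      # value comes from the environment: fine
token = get_token()                       # value comes from a call: fine
"""

# A credential-like identifier assigned a quoted string literal.
HARDCODED_SECRET = re.compile(
    r"^\s*(?P<name>\w*(?:pass(?:word)?|secret|token|api_?key)\w*)"  # identifier
    r"\s*=\s*"
    r"(?P<quote>['\"])(?P<value>.+?)(?P=quote)",                    # string literal
    re.IGNORECASE,
)


def find_hardcoded_secrets(source: str) -> list:
    """Return (line_number, identifier) for each assignment of a string literal to
    a credential-like name. Only literals match, so reading the value from the
    environment or from a function call is not reported."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED_SECRET.match(line)
        if m:
            hits.append((lineno, m.group("name")))
    return hits


def db_password_from_env(env=None) -> str:
    """Hardened form of the flagged line: the credential is injected at runtime
    (environment, secrets manager, vault) and a missing value is a hard error
    rather than a silent fallback to a default."""
    env = os.environ if env is None else env
    if "DB_PASSWORD" not in env:
        raise RuntimeError("DB_PASSWORD is not set")
    return env["DB_PASSWORD"]
```

A pattern this simple will miss secrets held in config files or built up from fragments, and it will flag the occasional test fixture; a real SAST rule set covers far more cases, and findings should be paired with rotating any secret that was ever committed, since removing it from the current revision does not remove it from history.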

Supply Chain Attacks

As application security has become a more significant focus for many organizations, hackers have found less obvious methods of attack through third-party vendors or software dependencies. These supply chain attacks allow them to infiltrate systems through weaker, less-defended entry points. 

The errors that relate to supply chain attacks include:

  • Deserialization of Untrusted Data (CWE-502)
  • Incorrect Authorization (CWE-863)
  • Improper Input Validation (CWE-20)
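Deserialization of untrusted data (CWE-502) is the entry above that most directly turns a compromised dependency or upstream service into code execution: formats that rebuild live objects, such as Python’s pickle, let the sender decide what runs when the data is loaded. The added example below (not code from Kiuwan or the CWE project) contrasts that with a data-only format plus explicit schema validation; the job message shape and its `ALLOWED_ACTIONS` are constructed for this illustration.

```python
import json
import pickle

# Assumed message schema for a job handed to this service by another component.
EXPECTED_FIELDS = {"user_id": int, "action": str}
ALLOWED_ACTIONS = {"export", "archive"}


def load_job_vulnerable(data: bytes):
    """CWE-502: pickle reconstructs arbitrary objects and can invoke code while
    loading, so whoever produced `data` controls what this process executes.
    Never use it on input that crosses a trust boundary; shown only for contrast."""
    return pickle.loads(data)


def parse_job(data: bytes):
    """Hardened form: decode a data-only format (JSON), then check shape, types
    and values against the schema. Returns the validated dict, or None if the
    input is not acceptable (never an exception, so callers cannot forget it)."""
    try:
        obj = json.loads(data.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):
        return None
    # Exactly the expected keys: unknown fields are rejected, not ignored.
    if not isinstance(obj, dict) or set(obj) != set(EXPECTED_FIELDS):
        return None
    for field, typ in EXPECTED_FIELDS.items():
        # bool is a subclass of int in Python, so reject it explicitly.
        if not isinstance(obj[field], typ) or isinstance(obj[field], bool):
            return None
    if obj["user_id"] <= 0 or obj["action"] not in ALLOWED_ACTIONS:
        return None
    return obj
```

The same pattern applies to YAML, XML and language-native serializers in other stacks: prefer a format that carries only data, load it with a parser that cannot instantiate arbitrary types, and validate against an explicit schema before the object reaches business logic.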

Exploitation of IoT Devices

Due to their minimal design and limited computing power, many IoT devices aren’t adequately protected, making them a prime target for attackers. They also open up a pathway into higher-value systems that malicious actors can exploit for access. 

The following vulnerabilities can allow IoT device attacks: 

  • Missing Authentication for Critical Function (CWE-306)
  • Improper Privilege Management (CWE-269)

Put Updated Security Practices Into Play

Security practices to manage these vulnerabilities have also changed. Development teams are shifting left to address security earlier in the software development lifecycle (SDLC) — ideally during the planning phase. 

Kiuwan’s SAST tool automatically scans your code for vulnerabilities in the CWE/SANS Top 25 list. Many of these errors can be automatically mitigated with Kiuwan’s SAST solution. You can incorporate it into your integrated development environment (IDE) so developers get immediate feedback on best coding practices. 

Kiuwan’s SCA tool gives you 100% visibility into your open-source vulnerabilities, which is important for understanding third-party risks that can lead to supply chain attacks. SCA scans code and automatically identifies any open-source or third-party libraries and components. 

A combination of tools and techniques will improve your application security and help you avoid many of the top 25 exploitable software errors. Request a demo to see how Kiuwan can help secure your applications against today’s top software vulnerabilities.

© 2024 Kiuwan. All Rights Reserved.