CWE Top 25 2019 and On the Cusp

The CWE Top 25 has been updated for 2019. It’s the first change to this important list of cybersecurity issues since 2011. They also updated the “On the Cusp” list, which is really an extra 15 items that together make a great appsec Top 40 list. Learn more in my latest short video:


– CWE, you’ve probably heard of it. You’ve probably heard of the CWE Top 25. You may know that it’s something about security. And you might even know, if you’re really up to date, that it has recently been updated. So today I want to spend a couple of minutes talking about what’s changed and what’s the same in CWE. And does it even matter?

CWE is the Common Weakness Enumeration. So it turns out, when bad things happen in cybersecurity, like there’s a problem with a smartphone or a problem with a mail server, or a problem with an application, or a problem with your home wireless router, like you might see in my IoT hall of shame, there is usually some kind of a notice issued into the National Vulnerability Database, or NVD. And that thing carries a score called a CVSS, which is the Common Vulnerability Scoring System, telling you how dangerous this thing is. And it’s given a number called a CVE, or Common Vulnerability Enumeration, and the idea is that a CVE describes things in a way that we can compare. So that when we have a problem with our home security camera and we end up having a problem with our office router, we know that the underlying problem is the same. Maybe the problem is that there’s a weakness in encryption, or that it’s got a default password programmed into it. So CVE helps us discuss things, so that we’re talking about apples and apples, and oranges and oranges.

CWE is the Common Weakness Enumeration, so basically when we see that we have a vulnerability, like a weakness in a router, at some point somebody goes and looks at the code and says, “Oh, here’s the fix. Here’s the code responsible for this vulnerability.” And so we describe it in terms of the weakness that the vulnerability exploited. There’s a whole bunch of these CWEs. They’re maintained by MITRE. There’s around 800, give or take, right now; some are categories. But basically they describe lots and lots of things that can lead to problems in your software.

For the most part, they’re about security. Earlier this year they added some things that are more about quality and reliability, and we’ll see more of that as time goes on. But at the current time, they’re mostly security problems. So, this is an encryption problem, this is a lacking validation problem, this is a using-an-old-library problem, this is a buffer overflow problem. So all these kinds of things are listed in the CWEs.

So what happened is that years ago someone said, “Well, there’s 800 of these things. What do I do? There’s too many, where do I start?” So the CWE Top 25 is an attempt to figure out what are the things you should start with. You shouldn’t stop there. If you’ve already gotten there, you’re in compliance, keep going. But if you haven’t done anything yet, it’s a great place to start.

Now, the old CWE Top 25, the one that was current until a few weeks ago, was based on a variety of things. It was based on real-world problems, it was based on the National Vulnerability Database, it was based on interviews with big clients that had private issues that weren’t necessarily publicized or included in NVD. So it was great in the sense that it took into account a lot of different data forms, but it was a bit subjective.

So in 2019, we had, for the first time, an update to CWE. It was 2011, the last time that the CWE Top 25 was updated. CWE gets updated on a regular basis, but the Top 25, not so often. So this time, what’s interesting is that we have a very objective approach, and with that we might have lost something, in the sense that we don’t have all this access to private data. On the other hand, we know what the CWE does represent, which is really the code and the weaknesses associated with common vulnerabilities as expressed in the National Vulnerability Database. Meaning the real-world security incidents that are actually happening: we take the score, we look at the prevalence, we look at the weight of the impact, how dangerous it is, and we add up to get the Top 25. And actually, if you look at the Top 25, you can see the relative dangerousness based on the CVSS or score of these items. And you’ll see that number 25 isn’t nearly as dangerous as number one, although they’re all dangerous, they’re all bad and you should fix them all.

The other interesting thing about the CWE Top 25 that a lot of people are unaware of is that there is a thing called On the Cusp. These are the CWEs that almost made it to the Top 25, they were on the cusp of making it. Kind of a bad pun, you guys at MITRE. Bob, I’m looking at you, it was probably you. Seems like something you would do. But On the Cusp is what I like to refer to as the honorable mentions, or maybe dishonorable mentions. These are the things that are 26, 27, 28, 29; instead of the top 25, they almost made the top 25. They’re almost as dangerous as number 25 is. There’s about 15 of these items, 15 or 16, and they’re also important. So once you’ve finished the Top 25, go to On the Cusp. That’s the next thing that’s important.

So if you haven’t done anything for security yet and you’re wondering where to get started, the CWE Top 25 is a great place to go, no matter what kind of application you have. If you’re getting close to compliance or you’re fully in compliance with the CWE Top 25, take a look at the On the Cusp rules. Which, by the way, are also used if you’re going to do UL 2900, which is cybersecurity for connected devices from Underwriters Laboratories. So that’s a great place to go next. Also, just take a look at OWASP; maybe you’re doing web applications, that’s a thing you can do. But in general, CWE is a nice, broad security standard.

And if you weren’t aware of the update, it’s maybe a good time to look at your configuration, look at your tools and make sure that you’re doing the latest CWE, because the new CWE Top 25 is based on things that are happening today, not things that were happening eight years ago. So it’s important to make sure that you keep up to date, since the point of the list is to keep you connected to common, real-world problems. So make sure that you’re up to date, and that your tool supports this latest CWE. Because if it doesn’t, you’re kind of in trouble. And, as you’re growing, make sure that your tools support the On the Cusp rules, because again, they’re almost as dangerous as the CWE Top 25 and no matter what, you’re gonna end up doing them at some point. So, any questions about CWE, let me know in the comments below. If you liked it, thumbs up. Subscribe to find out more content. If you wanna hear more about any other security standards or other topics, please let me know. Stay safe out there.
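As an added illustration (not code from this post or from MITRE), here is a small Python model of the ranking the video describes: per-weakness prevalence and average CVSS severity computed from NVD-style records, normalized, combined into a score, and split into a top list plus an “On the Cusp” runner-up list. The records, CVE ids and list sizes are constructed; combining normalized frequency and normalized severity as a product is my reading of the published 2019 method, where the video only speaks of adding prevalence and impact together.

```python
from collections import defaultdict
from statistics import mean

# Constructed NVD-like records: (placeholder CVE id, mapped CWE, CVSS base score).
# None of these are real CVEs.
RECORDS = [
    ("CVE-EXAMPLE-0001", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0002", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0003", "CWE-119", 8.8),
    ("CVE-EXAMPLE-0004", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0005", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0006", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0007", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0008", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0009", "CWE-89", 9.1),
    ("CVE-EXAMPLE-0010", "CWE-798", 9.8),
]


def _normalize(value, lo, hi):
    # Min-max scaling to [0, 1]; guard the degenerate case where every
    # CWE has the same frequency (or the same average severity).
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records):
    """Return {cwe: score} with score = Fr * Fi * 100 (assumed 2019-style method).

    Fr is the normalized count of CVEs mapped to the CWE (prevalence),
    Fi the normalized average CVSS of those CVEs (impact). Note the edge
    case this produces: the least frequent CWE scores 0 even when every
    one of its CVEs is critical, because Fr is 0 for it.
    """
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for _, cwe, base_score in records:
        counts[cwe] += 1
        cvss[cwe].append(base_score)
    avg = {c: mean(s) for c, s in cvss.items()}
    f_lo, f_hi = min(counts.values()), max(counts.values())
    s_lo, s_hi = min(avg.values()), max(avg.values())
    return {
        c: round(_normalize(counts[c], f_lo, f_hi) * _normalize(avg[c], s_lo, s_hi) * 100, 2)
        for c in counts
    }


def rank(records, top_n, cusp_n):
    """Split ranked CWEs into the 'top' list and the 'on the cusp' runners-up."""
    ordered = sorted(score_cwes(records).items(), key=lambda kv: (-kv[1], kv[0]))
    ids = [cwe for cwe, _ in ordered]
    return ids[:top_n], ids[top_n:top_n + cusp_n]
```

With the constructed data, `rank(RECORDS, 2, 1)` puts CWE-119 and CWE-89 in the top list and CWE-79 on the cusp, while CWE-798 scores 0 despite its 9.8 CVSS because it appears only once; on the real list the same mechanism is why number 25 scores far below number one.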
