Common Weakness Enumeration

Stubborn Weaknesses in the CWE Top 25

Over the span of the last five publications of the CWE Top 25 Most Dangerous Software Weaknesses (2019-2023), there are 15 weaknesses that have been present in every list. This suggests that despite ongoing visibility to the community, these 15 weaknesses represent the most challenging weaknesses that exist today. A more focused training effort is needed to enhance developer practices to ensure that these weaknesses do not continue to introduce unnecessary risk to customer data and services.

The table below notes these especially stubborn weaknesses. Also, table includes references to proposed mitigations for each CWE that can be incorporated into software development programs and training material to reduce occurrences/impact of that CWE.

Table 1. Stubborn Weaknesses in the CWE Top 25

Each of the stubborn weaknesses identified above can be viewed as falling within one of three informal groupings:

1. Error prone processing of data originating from untrusted sources that often results in an initial entry point for an attacker to compromise an IT system.
   CWE-20, CWE-22, CWE-78, CWE-79, CWE-89, CWE-125, and CWE-502 are in this group. Six (out of seven) of these weaknesses have been in the top 10 for the last three years.


2. Weaknesses associated with languages that do not have strong support for memory management or type enforcement.
   CWE-119, CWE-190, CWE-416, CWE-787, and CWE-476 are in this group. Of these, CWE-787, CWE-416, and CWE-352 were ranked in the top 10 for all five years, while CWE-476, CWE-287, and CWE-798 were mainstays in positions 12-20.


3. Weaknesses introduced into a system because of a poor security architecture or poor security design choices.
   CWE-352, CWE-287, and CWE-798 are in this group.

It is notable that, although memory management weaknesses continue to be a source of many reported vulnerabilities, it can also be observed that there is some traction in the community in reducing these types of weakness. During the 5-year evaluation period, CWE-119 fell from rank 1 (in year 1) to rank 17 (in year 5) and CWE-190 fell from rank 5 (in year 1) to rank 7 (in year 5). These are small but encouraging developments.

These improvements could be attributed to increased focus on memory weaknesses and mitigations as demonstrated by recent community interest in memory safety issues, as exhibited by:

• Consumer Report’s Future of Memory Safety Challenges and Recommendations
• NSA’s “Software Memory Safety” Cybersecurity Information Sheet
• The White House National Cybersecurity Strategy (and its associated Request for Information On Open-Source Software Security and Memory Safe Programming Languages)
• CISA’s (jointly developed and released) publication entitled Shifting the Balance of Cybersecurity Risk: Principles and Approaches for Security-by-Design and -Default

While all of these stubborn weaknesses continue to be an issue, they can be prevented and mitigated in numerous ways across the lifecycle. The community should continue to push toward moving security left to the architecture and design phases of the lifecycle with proper design and selection of tools for the task at hand.

NOTE: This page was revised on September 19, 2023, to update text and links to the most current information.