MITRE’s 2019 CWE Top 25 list contains many code quality issues that can result in security vulnerabilities. Static analysis can help you mitigate them.
By Yatin Patil and Anna Chiang
Last week, MITRE released its Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) for 2019. This list documents the most widespread and critical weaknesses that can lead to serious vulnerabilities in software, and we welcome MITRE’s rigorous and data-driven prioritization efforts. Easily testable industry standards that highlight vulnerabilities with the most potential for harm raise the bar for securing applications before they are deployed in the wild.
This year’s list includes class-level CWEs that represent a broad range of errors. In this system, high-level weaknesses are parents of more detailed weaknesses. For example, CWE-119 “Improper Restriction of Operations Within the Bounds of a Memory Buffer” is the parent of CWE-120 “Buffer Copy Without Checking Size of Input.”
It’s interesting to note that many code quality issues that can result in security vulnerabilities are in the top 10 subset of this new list. The No. 1 spot goes to CWE-119, a.k.a. “Buffer Overflow,” followed by CWE-125 “Out-of-Bounds Read” (#5), CWE-416 “Use After Free” (#7), and CWE-190 “Integer Overflow or Wraparound” (#8). Coverity® is one of only a few major static application security testing (SAST) solutions that are strong in identifying both code quality issues and security issues. Coverity supports the vast majority of the CWEs in the 2019 CWE Top 25, including over 50 closely related CWEs for each Top 25 CWE. A single CWE might be addressed by 10 or more dedicated Coverity checkers, allowing Coverity to provide more comprehensive coverage than is possible with other SAST solutions.
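As an added illustration of how two of the memory-safety entries named above chain together (not code from the original post or from Coverity), the following C shows a CWE-190 wraparound in a size calculation, the CWE-120 style copy that would trust that size, and the checked form a static analyzer would expect. The 16-byte record format and the buffer sizes are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Record size of a hypothetical fixed-width wire format (assumed for
 * illustration). 32-bit arithmetic is used so the wraparound is the same
 * on every platform. */
#define RECORD_SIZE 16u

/* CWE-190: buffer size derived from an untrusted count with an unchecked
 * multiply. 0x10000001 * 16 = 0x100000010, which wraps to 16, so a later
 * copy sized by the true count would overrun a 16-byte buffer. */
uint32_t alloc_size_unchecked(uint32_t count) {
    return count * RECORD_SIZE;
}

/* Hardened form: reject any count whose product cannot be represented. */
bool alloc_size_checked(uint32_t count, uint32_t *out) {
    if (count > UINT32_MAX / RECORD_SIZE) return false;
    *out = count * RECORD_SIZE;
    return true;
}

/* CWE-120 is a copy whose length is never compared with the destination
 * capacity; this version performs both checks before memcpy and returns
 * the bytes copied, or -1 when the copy was refused. */
int copy_records(uint8_t *dst, size_t dst_cap,
                 const uint8_t *src, uint32_t count) {
    uint32_t need;
    if (!alloc_size_checked(count, &need)) return -1; /* size would wrap */
    if (need > dst_cap) return -1;                    /* would overrun dst */
    memcpy(dst, src, need);
    return (int)need;
}

/* Driver with constructed data: a 64-byte destination and an 80-byte
 * source, so 4 records fit and 5 do not. */
int demo_copy(uint32_t count) {
    static uint8_t src[80];
    uint8_t dst[64];
    memset(src, 0xAB, sizeof src);
    return copy_records(dst, sizeof dst, src, count);
}

int main(void) {
    printf("unchecked size for 0x10000001 records: %u\n",
           alloc_size_unchecked(0x10000001u));
    printf("copy 4 records: %d, 5 records: %d, 0x10000001 records: %d\n",
           demo_copy(4), demo_copy(5), demo_copy(0x10000001u));
    return 0;
}
```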
In terms of security issues in the top 10 subset, Coverity fully supports the usual suspects (cross-site scripting, improper input validation, information exposure, cross-site request forgery, and path traversal) for major web languages, as well as mobile and .NET languages. For CWE-200 “Information Exposure,” Coverity is the only major SAST tool that supports speculative execution data leak checkers, which identify code patterns that could allow an attacker to read another process’s memory (the class of weakness behind the Spectre disclosure in 2018).
In the recent September 2019 Coverity software release, we added checkers for more web languages to address CWE-200 “Information Exposure,” which can lead to data breaches, and other Top 25 CWEs: CWE-476 “Null Pointer Dereference,” which can lead to crashes or buggy software that can create new attack vectors; CWE-434 “Unrestricted Upload of File With Dangerous Types” (e.g., large file uploads), which can lead to denial-of-service (DoS) attacks; and CWE-502 “Deserialization of Untrusted Data,” which can lead to DoS or remote code execution attacks.
We welcome the evolution of the CWE Top 25 standard and continue to optimize Coverity’s comprehensive quality and security support. We expand Coverity’s language and framework support with every release, with robust coverage of the latest CWEs, CVEs, and other vulnerabilities identified by the CWE Top 25 and other security standards, such as OWASP Top 10 and PCI DSS. Coverity is also the only major SAST tool to provide best-in-class support for code quality, safety, and reliability standards such as CERT C/C++, AUTOSAR, MISRA, ISO 26262, and ISO/IEC TS 17961.