Security

Common Weakness Enumeration (CWE)

MITRE maintains the Common Weakness Enumeration (CWE), whose Top 25 list ranks the most dangerous software errors. The list serves as a common language for describing software security weaknesses and as a standard measuring stick for software security tools that target those weaknesses, and it provides a common baseline for weakness identification and prevention methods. Below are the top 5 most dangerous software errors, with a quick summary of each one's attack frequency, weakness prevalence, consequences, ease of detection, and attacker awareness as of 2017.

At the top spot, with a score of 93.8, is CWE-90 (Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)). It has a High Weakness Prevalence, Low Remediation Cost, an Easy rating for Ease of Detection, High Attacker Awareness, and an ‘Often’ Attack Frequency. Its consequences are Data Loss and Security Bypass.

Next, with a score of 83.8, is CWE-78 (Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)). It has a Medium Weakness Prevalence, Medium Remediation Cost, an Easy rating for Ease of Detection, High Attacker Awareness, and an ‘Often’ Attack Frequency. Its consequence is Code Execution.

The #3 position, with a score of 79.0, is CWE-120 (Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)). It has a High Weakness Prevalence, Low Remediation Cost, an Easy rating for Ease of Detection, High Attacker Awareness, and an ‘Often’ Attack Frequency; its consequences are Code Execution, Denial of Service, and Data Loss.

Next, with a score of 77.7, is CWE-79 (Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)). It has a High Weakness Prevalence, Low Remediation Cost, an Easy rating for Ease of Detection, High Attacker Awareness, and an ‘Often’ Attack Frequency; its consequences are Code Execution and Security Bypass.

Finally, CWE-306 (Missing Authentication for Critical Function) comes in at the #5 spot with a score of 76.9. It has a Common Weakness Prevalence, Low to High Remediation Cost, Moderate Ease of Detection, an Attack Frequency of ‘Sometimes,’ and High Attacker Awareness. Its consequence is Security Bypass.
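As an added illustration of the top entry (SQL injection) that is not part of the original post, the following Python places a login check that concatenates user input into the SQL string beside the parameterized form that closes the hole. The in-memory sqlite3 database, its user rows and the crafted input are constructed for this demo and are not from the post.

```python
import sqlite3


def make_db():
    """Constructed sample database (demo only; real systems never store plaintext passwords)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "s3cret", "admin"), ("bob", "hunter2", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, name, password):
    """Weak form: user input is spliced into the query text, so the
    database parses it as SQL rather than as a literal value."""
    sql = "SELECT role FROM users WHERE name = '%s' AND password = '%s'" % (
        name,
        password,
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Hardened form: placeholders keep the query structure fixed; the
    driver binds the values, so input can never change the WHERE clause."""
    row = conn.execute(
        "SELECT role FROM users WHERE name = ? AND password = ?",
        (name, password),
    ).fetchone()
    return row[0] if row else None


def demo():
    """Run both variants against a valid login and a crafted password.

    The crafted value turns the vulnerable WHERE clause into
    (name = 'alice' AND password = '') OR '1'='1', which matches every
    row; the parameterized query treats the same string as a literal."""
    conn = make_db()
    crafted = "' OR '1'='1"
    return {
        "vuln_valid": login_vulnerable(conn, "bob", "hunter2"),   # "user"
        "vuln_bypass": login_vulnerable(conn, "alice", crafted),  # "admin"
        "safe_valid": login_safe(conn, "bob", "hunter2"),         # "user"
        "safe_bypass": login_safe(conn, "alice", crafted),        # None
    }
```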
Reference:
Common Weakness Enumeration. Cwe.mitre.org. Web. 11 May 2017.