Software Security and Large Language Models

Common Weaknesses in Code


Learning Objectives

  • You know of resources that catalogue common weaknesses in code.
  • You know that vulnerabilities can emerge over time, even in software that was secure when it was deployed.

Common Weaknesses

When considering threats and risks, it is also important to know the common weaknesses in code. The Common Weakness Enumeration (CWE) is a community-developed list of common software and hardware weakness types. The CWE site also publishes the CWE Top 25 Most Dangerous Software Weaknesses, a list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.

CWE assigns each weakness a unique identifier, a name, a short description, and a more detailed description. For example, CWE-89 is the SQL injection weakness (improper neutralization of special elements used in an SQL command): an application builds an SQL statement from untrusted input without separating data from code, which can allow an attacker to execute arbitrary SQL commands on the database. CWE-89 is common in web applications and has led to many serious vulnerabilities; the standard remedy is to use parameterized queries (prepared statements) so that user input is never interpreted as part of the statement.
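The following is an added example, not code from the course page, showing CWE-89 in practice. It uses Python's built-in sqlite3 module with a constructed in-memory user table (the table, user names and passwords are made up for the demonstration). `login_vulnerable` builds the statement by string formatting, so an attacker-supplied value can change the statement's structure; `login_safe` uses a parameterized query, so the same input is treated purely as data.

```python
import sqlite3


def make_db():
    """Create a constructed in-memory database with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cret"), ("bob", "hunter2")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """CWE-89: untrusted input is concatenated into the SQL statement."""
    query = (
        f"SELECT username FROM users WHERE username = '{username}' "
        f"AND password = '{password}' ORDER BY username"
    )
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Parameterized query: the driver sends values separately from the
    statement text, so input can never alter the statement's structure."""
    query = (
        "SELECT username FROM users WHERE username = ? AND password = ? "
        "ORDER BY username"
    )
    return [row[0] for row in conn.execute(query, (username, password))]


def demo():
    """Run both functions with honest and attacker-controlled input."""
    conn = make_db()
    # Classic tautology payload: closes the string and appends OR '1'='1'.
    tautology = "' OR '1'='1"
    # Comment payload: closes the string and comments out the password check.
    comment_payload = "alice'--"
    return {
        # Honest login works in both versions.
        "vulnerable_honest": login_vulnerable(conn, "alice", "s3cret"),
        "safe_honest": login_safe(conn, "alice", "s3cret"),
        # The tautology turns the WHERE clause true for every row.
        "vulnerable_tautology": login_vulnerable(conn, "x", tautology),
        # The comment payload logs in as alice without knowing the password.
        "vulnerable_comment": login_vulnerable(conn, comment_payload, "wrong"),
        # The same payloads are harmless against the parameterized query.
        "safe_tautology": login_safe(conn, "x", tautology),
        "safe_comment": login_safe(conn, comment_payload, "wrong"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note that escaping quotes by hand is not an adequate fix: the driver already knows how to bind values safely, and hand-rolled escaping tends to miss encodings and edge cases. Parameterization (or an ORM that parameterizes for you) is the fix CWE-89 calls for.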

Another good resource for software developers is the OWASP Top Ten, a list of the ten most critical web application security risks. The list is revised every few years; the 2021 edition includes categories such as injection, broken access control, cryptographic failures (called sensitive data exposure in earlier editions), and identification and authentication failures (earlier, broken authentication).


Weaknesses and Maintenance

A key part of software maintenance is reacting to discovered vulnerabilities and keeping software dependencies up to date. Here, catalogues of publicly known vulnerabilities are a useful resource. CVE.org catalogues publicly disclosed cybersecurity vulnerabilities, assigning each one a Common Vulnerabilities and Exposures (CVE) identifier, and the US Cybersecurity and Infrastructure Security Agency (CISA) maintains a Known Exploited Vulnerabilities (KEV) catalog of CVEs that are known to be actively exploited, which is a useful signal for prioritizing patches.

Although a system may be secure when it is first developed and deployed, vulnerabilities can be discovered over time. For example, a dependency that the system relies on might contain a vulnerability that is only discovered later, making the system vulnerable as well even though none of its own code changed. Similarly, new attack techniques emerge over time, exposing the system to types of attacks that were not considered when it was designed.
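The following is an added example, not code from the course page or from any real audit tool, illustrating the check behind "keep dependencies up to date": compare the versions you have pinned against the affected ranges published in vulnerability advisories. The advisory list and the requirements file are constructed for the demonstration (the identifiers `EXAMPLE-ADV-1` and `EXAMPLE-ADV-2` and the package names are placeholders, not real CVE entries), and the range model (an `introduced` version and a `fixed` version) is a simplified form of what advisory databases publish. Real tools such as `pip-audit` or `npm audit` do the same matching against live advisory feeds and with full version-specification parsing.

```python
from typing import Dict, List, Tuple

# Constructed advisory data: placeholder identifiers and package names,
# not real vulnerabilities. A version is affected if
# introduced <= version < fixed.
ADVISORIES = [
    {"id": "EXAMPLE-ADV-1", "package": "widgetlib",
     "introduced": "1.0.0", "fixed": "1.4.2"},
    {"id": "EXAMPLE-ADV-2", "package": "parsekit",
     "introduced": "2.0.0", "fixed": "2.3.0"},
]

# Constructed pinned dependency list in requirements.txt style.
REQUIREMENTS = """\
# application dependencies (constructed sample)
widgetlib==1.3.9
parsekit==2.3.0
othertool==0.9.1
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version into a tuple so comparison is numeric.

    Comparing strings would wrongly rank "1.10.0" below "1.9.0".
    Only plain numeric versions are handled; real tools use a full
    PEP 440 or semver parser.
    """
    return tuple(int(part) for part in v.strip().split("."))


def parse_requirements(text: str) -> Dict[str, str]:
    """Extract name==version pins, ignoring blank lines and comments."""
    pins: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True if version lies in the half-open affected range [introduced, fixed)."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def audit(requirements: str, advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose affected range covers a pin."""
    pins = parse_requirements(requirements)
    findings = []
    for adv in advisories:
        pinned = pins.get(adv["package"].lower())
        if pinned is None:
            continue  # package not used by this project
        if is_affected(pinned, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "pinned": pinned,
                "fixed": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    for f in audit(REQUIREMENTS, ADVISORIES):
        print(f"{f['id']}: {f['package']}=={f['pinned']} "
              f"is affected, upgrade to >= {f['fixed']}")
```

The boundary case matters: `parsekit==2.3.0` is exactly the fixed version and is therefore not reported, while `widgetlib==1.3.9` falls inside the range and is. A check like this is only as good as the advisory feed it runs against, which is why it belongs in continuous integration and should be re-run as new advisories appear, not just when the code changes.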


Keeping the platform updated

Software systems run on top of a platform: the operating system, the programming language runtime, and various libraries and frameworks. Like the software system itself, the platform needs to be maintained and kept up to date, since a vulnerability in any of these layers affects every application running on top of them.