Top 25 Coding Errors Leading to Software Vulnerabilities

Are you sure your software is safe from vulnerabilities? The most common software holes are also the most dangerous. They are caused by software flaws – configuration or coding errors that actually can be avoided or fixed. To help you improve cyber security in your system, here is a review of the most commonly occurring and exploited software weaknesses reported by MITRE (CWE Top 25 2019) and OWASP (OWASP Top 10 2017).

Contents

• Collection and Rating Methodologies
• When in the SDLC Do Most Coding Errors Happen?
• The Most Vulnerable Programming Perspectives Revealed
  • Data Processing Flaws
  • Security and Access Control Weaknesses
  • Resource Management Flaws
  • Flaws in Business Logic
  • Other Weaknesses
• How to Avoid Common Software Vulnerabilities and Exploits?
• References

It is a well-known fact that most cyber security threats are caused by coding errors. Cyber security is an area of expertise for Waverley and we are often asked to handle complex issues. The wide variety of problems we address gives us a broad perspective on what can go wrong and where your system is susceptible to a security breach.  Some of these vulnerabilities are more common than others. Both MITRE and OWASP have released lists of the most critical coding errors that result in security risks (in 2019 and 2017, respectively). Our cyber security teams at Waverley reference MITRE and OWASP when mitigating cyber security threats. However, our clients often don’t understand where the coding errors are and what dangers they pose. In order to fill in this gap in understanding, we have summarized the critical weaknesses that lead to serious vulnerabilities in software, below. We’ll also explain how these weaknesses can be exploited and how it can affect your business. Lastly, you’ll discover how you can protect your systems and devices from cyber-attacks.

Collection and Rating Methodologies

MITRE and OWASP (Open Web Application Security Project) have compiled lists of the most common coding errors that leave you vulnerable and result in serious security risks.  The mission of both these non-profits is to reduce cybercrime by improving software security and finding solutions for technology issues. We’ll focus here on the MITRE Common Weakness Enumeration (CWE) list of Top 25 in 2019 and the OWASP Top 10 list in 2017. The initiative helps developers, quality assurance specialists, project managers, researchers, and other people working in the industry and brings more cyber security awareness to the IT community. The lists help us discover and deal effectively with security vulnerabilities. Cyber security specialists at Waverley also turn to these lists when locating various types of software vulnerabilities and coping with them.

The CWE and OWASP coding errors lists consist of mistakes observed in the real-world programming practice. The lists were compiled through surveys and personal interviews with members of the IT community. They identified a list of weaknesses that can occur at any stage of the system development life cycle. Mistakes can happen during design and architecture as well as during implementation and operation. Flaws can also occur across different programming languages and computer system components, which can result in various types of vulnerabilities.

In the CWE Top 25 2019 list, MITRE evaluates software weaknesses and scores them on their rating scale. The factors they use are:

• the coding flaw occurrence frequency
• the subsequent vulnerability exploitation severity

Again, these figures come from public reports.

Meanwhile, the OWASP Top 10 2017 list of security risks focuses on web application development procedures. The organization evaluates the types of software weaknesses with a different approach. They look at the exploitability, prevalence, detectability, and technical impact factors:

In our case, we tried to find out when most of the coding errors and security vulnerabilities take place. We’ve grouped these coding errors according to the programming categories where they appear.

When in the SDLC Do Most Coding Errors Happen?

In the course of our analysis of the MITRE and OWASP weaknesses lists, we discovered an interesting fact. Certain computing concept areas are more prone to various types of software vulnerabilities. This is due to a higher amount and frequency of potentially dangerous and often exploited faults. The pie-chart below represents the percentage of computer system aspects most likely to have vulnerabilities in terms of cyber security.

The Most Vulnerable Programming Perspectives Revealed

Data Processing Flaws

Buffer Overflow. Following the ranking, we can make an observation. The majority of coding errors (37.9%) occur in the data processing aspect. This puts your cyber security at high risk. The software weakness commonly known as “buffer overflow” is ranked #1 on the CWE Top 25 2019 list and is most prevalent in C and C++ programming languages.

The same is true of its close allies Out-of-bounds Read and Out-of-bounds Write. These failures happen when the memory buffer is set to receive more data than its capacity permits. Then, in the course of program execution, the data are written outside of the memory block. As a result, read or write operations can be conducted from a location outside the buffer limits. Due to buffer overflow, an unauthorized user can exploit this security vulnerability fairly easily. They can execute malicious code, read sensitive data, or change the control flow in the program.

Improper Output Encoding or Escaping. Such coding errors include:

• cross-site scripting
• SQL injection
• code injection or OS command injection 

Computer programs use queries and commands for their components to communicate. If these messages are missing proper encoding, hackers can use this vulnerability to tamper with the application. With SQL injection or XSS, they can insert special characters that cause the data to be interpreted as control information for the program. This way, coding errors let certain software components receive malicious commands and perform the wrong operations.

Improper Handling of Sensitive Information. Unlike buffer overflow, for example, this category of weaknesses is language-independent and includes software flaws such as:

• sensitive data exposure
• cryptographic issues
• insufficient or excessive logging

These coding mistakes are rather harmful as well. Their roots may lie in:

• poorly set security incident response system
• failure to encrypt sensitive data
• weak key generation
• password hashing

These coding errors lead to intentional or unintentional information disclosure to unauthorized users. This software vulnerability allows hackers to perform cyber-attacks, commit fraud, or steal identities. They utilize sensitive information including credentials, credit card numbers, health records and so on. If your organization is dealing with your customers’ private information, your reputation is threatened. If your customers are based in Europe, you’re also likely to be cited for non-compliance by the GDPR.

Read more:Code Review: Best Practices

Security and Access Control Weaknesses

The category of security and access control weaknesses sorted by programming concepts is ranked as the second most likely reason for vulnerabilities following the CWE classification. They all are quite self-explanatory. Here are some of the most common access control vulnerabilities:

• improper access control
• weak credential management (for instance, the use of hard-coded passwords)
• cryptographic and privilege issues
• security misconfiguration

The core problem with access control vulnerabilities is the incorrect security configuration of the system and component access controls. How does this happen? Quite often, software components come with default security settings. Far too often programmers fail to pay enough attention to adjusting access controls to the custom security terms and requirements. They may also ignore the principle of least privilege – a user or process must be given only the privileges needed to perform its intended function. Computer applications end up getting deployed without the required security features, for example, properly set authorization and authentication procedures. As a result, users risk their accounts becoming vulnerable, an easy target for cyber-attack. When attackers take advantage of the developers’ coding errors, password security is compromised, hackers get control of the systems and devices. Exploiting security vulnerabilities through malicious code execution, they may also gain access to sensitive information.

Resource Management Flaws

Improper System Resource Allocation or Consumption. Software vulnerabilities may occur with limited system memory, file storage, or CPU capacity. This type of security vulnerabilities typically arises when crucial system resources are:

• not released after the end of the software effective lifetime
• referenced after being previously freed
• not controlled by the systems

These faulty conditions are caused by the confusion: it is unclear which program component is responsible for which resource. This creates a “hole” or vulnerability in the system giving hackers an easy target to perform their attacks. The attacks, in turn, can cause a denial-of-service state (aka DoS attack), crash a program, or execute malicious code. Another potential consequence of these coding errors is a memory exhaustion attack, which can slow down your program and its hosting OS.

Flaws in Business Logic

Information Exposure. When access permissions are granted to a wider range of users than needed, it poses a substantial cyber security risk. This vulnerability often occurs during the software implementation stage. For example, developers may set loose permissions to avoid possible complications during the first application run. This makes software operation during the installation stage easier for the user, however, it is expected that the permission parameters will be tightened later on. But sometimes this crucial step doesn’t happen because the users or even system administrators often fail to read the documentation carefully. Leaving the loose permissions unchanged makes the entire system insecure and vulnerable to attacks.

The business logic of a program is responsible for the ways data is created, stored, and modified. Hence software vulnerabilities in this domain are highly likely to be exploited. Coding errors here may lead to allowing the cyber-criminals to modify critical properties and thus gain privileges. In addition, they can read sensitive information or even completely delete data from the database.

Web-Associated Flaws

Cross-Site Request Forgery is mentioned as #9 on MITRE Top 25 CWE list. It is a composite software weakness involving additional erroneous conditions including:

• origin validation error
• confused deputy
• external control of critical state data
• insufficient session expiration

These programming mistakes may overlap resulting in a web application that cannot verify whether an incoming server request was intentional or not. Hackers can easily detect and exploit these coding errors in web applications. They trick the systems into sending false unintentional requests to the server. In the end, such requests will be treated as valid ones.

Improper Restriction of XML External Entity Reference (XXE). An XML document contains external entity reference for web applications. It can be processed by a computer program, embedding incorrect documents into its output. The attackers provide a substitution string in the form of a file URL instead of the DTD defining an XML entity. In this way, it becomes possible to read the contents of a local file. A weakly configured XML parser can lead to software vulnerability resulting in XML documents getting processed with an external entity reference.

This coding flaw can be easily discovered and exploited in many ways. For instance, malicious actors may gain access to system files. Also, due to coding errors here, hackers can slow down the affected system through excessive CPU consumption. To make things worse, they can assume the identity of a privileged user, an administrator for example. In turn, this system vulnerability can lead to an attacker gaining complete control over the system.

Other Software Weaknesses

Numeric: Integer Overflow/Wraparound. A subcategory of incorrect calculation issues. Basically, this means that software is performing calculations that lead to unexpected results. This vulnerability affects resource management and execution control.

Pathname: Path Traversal. Cyber–intruders can use special elements to provide external input to construct a pathname. This gives them access to files or folders outside the restricted directory. It is also known as a dot-dot-slash attack: attackers use a sequence of ../ characters to traverse the root directory. Due to this software vulnerability, hackers can read files with sensitive data. They may also create, overwrite or delete vital security files, as a result of coding errors.

Pointer: Null Pointer Dereference. The null pointer indicates that the pointer is not referring to a valid object. When the null pointer is dereferenced, it typically causes a run-time error or immediate program crash. The inventor of the null pointer, Tony Hoare, called it his “billion-dollar mistake.” As he commented, it lead to numerous software vulnerabilities and system crashes that caused tremendous damage to users and businesses. No wonder the related software weakness is now listed as one of the Top 25 CWE in 2019.

Handler: Unrestricted Upload of File with Dangerous Type. This programming fault prevails in web server technology as a resource consumption issue. The size or number of uploaded files is not restricted so attackers can simply upload malware in the form of files that get automatically processed afterward. As a result, an uploaded file is interpreted and executed as code by the system. This coding error is especially typical of the PHP programming language. Such a vulnerability exists since, quite often, .php file types are treated as automatically executable.

Channel: Untrusted Search Path. The attackers supply an external search path pointing to a location or database beyond the application’s direct control. The vulnerability allows them to implant malware, gain access to unauthorized data, and modify configurations. In this case, any type of critical source seen as trusted by the system may be under threat.

Using Components with Known Vulnerabilities. This practice is hiding a tricky cyber security threat. Developers are often using ready-made application components to build complex systems and fail to check for bugs or software vulnerabilities in the library dependencies of those components. The known coding mistakes are fairly easy to detect so attackers who know the possible effects readily exploit them. The effects can be any of the inner software issues mentioned above. The consequences can range from trivial to severe.

How to Avoid Common Software Vulnerabilities and Exploits?

Of course, any potential cyber security threats should be and can be prevented. You can handle some of them in-house, checking your code and operating systems on a regular basis. Others might require professional third-party assistance. Below is a list of security measures to protect your devices and systems, all of which are highly advisable and useful to employ.

• Don’t forget to update your operating systems and libraries. As soon as known software vulnerabilities in these products get documented, they come with patches. We strongly recommend running the updates in a testing environment beforehand to make sure they are safe.
• Reduce your exposure to possible attacks: disable, block, and remove any system component you don’t use or don’t need; follow the least privilege principle in granting access rights to the system users.
• Secure your network. Use endpoint restrictions, continuous monitoring, and penetration testing. You can also resort to network and micro-segmentation.
• Take the time to check your system’s default security configurations and make custom settings. Do it as soon as it is deployed or even immediately upon purchase.
• Introduce automation into your operations to avoid man-made mistakes.
• Inspect and monitor the terms and policies of your internet and computer service providers. This will help you detect possible security vulnerabilities and threats.
• Utilize trusted and reliable internet sources of external dependencies you use to build software. Regularly check for updates for the products you use.
• Make sure your staff is aware of the basic cyber security practices, tools, and measures. They are designed to protect your systems from security breaches and attacks.
• Write your code and design architecture with security in mind; make it clear and easy to read.
• Devise a back-up plan in case of an emergency situation. It will help to quickly recover, mitigate the consequences, and learn from your mistakes.
• Stay up-to-date with the latest news and useful articles related to cyber security vulnerabilities.
• Never postpone fixing your bugs, especially before moving on with the project.
• Consider turning to cyber security vendors for security risk assessment. They will perform security audit and analysis, and provide security consulting services. As an alternative, think of applying special tools.
• Don’t hesitate to contact cyber security providers to get professional support. Make use of attack mitigation, incident handling, and other related services when in need.

References

Here is the full list of software vulnerabilities, grouped according to the programming processes where they occur:

Data Processing:

• CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer and its subcategories (“buffer overflow”)
  • CWE-125 Out-of-bounds Read
  • CWE-787 Out-of-bounds Write
• Some subcategories of Improper Encoding or Escaping of Output – (CWE-116)
  • CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
• Injection flaws:
  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
  • CWE-78:  Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
  • CWE-94:  Improper Control of Generation of Code (‘Code Injection’)
• CWE-20 Improper Input Validation
• Information management mistakes:
  • CWE-220: Sensitive data exposure
  • CWE-310: Cryptographic issues
  • CWE-778 and 779: Insufficient or excessive logging

Access control/Security features:

• CWE-284:  Improper Access Control
  • CWE-287:  Improper Authentication (Broken Authentication)
• CWE-798:  Use of Hard-coded Credentials
• CWE-269:  Improper Privilege Management
• CWE-295:  Improper Certificate Validation

Resource management:

• CWE-416:  Use After Free
• CWE-400:  Uncontrolled Resource Consumption
• CWE-772:  Missing Release of Resource after Effective Lifetime
• Insecure deserialization:
  • CWE-502:  Deserialization of Untrusted Data

Business Logic:

• CWE-200:  Information Exposure
• CWE-732:  Incorrect Permission Assignment for Critical Resource

Web:

• CWE-352:  Cross-Site Request Forgery (CSRF) (is a composite weakness, also relates to security features)
• CWE-611:  Improper Restriction of XML External Entity Reference

Numeric-related:

• CWE-190 Integer Overflow or Wraparound

Pathname and Equivalence:

• CWE-22:  Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)

Pointer:

• CWE-476: NULL Pointer Dereference

Handler:

• CWE-434: Unrestricted Upload of File with Dangerous Type

Channel and Path:

• CWE-426:  Untrusted Search Path

Using Components with Known Vulnerabilities

Would you like to share this information? Click one of the buttons on the left to repost this article on social media.