Common Weakness Enumeration
The 2021 Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years. These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
To create the 2021 list, the CWE Team leveraged Common Vulnerabilities and Exposures (CVE®) data found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each CVE record. A formula was applied to the data to score each weakness based on prevalence and severity.
The major difference between the 2020 and 2021 CWE Top 25 lists is the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses. A preliminary estimate suggests that the percentage of Base-level CWEs has increased from ~60% to ~71% of all Top 25 entries, and the percentage of Class-level CWEs has decreased from ~30% to ~20% of entries. Other weakness levels (e.g., category, compound, and variant) remain relatively unchanged.
/cdn.vox-cdn.com/uploads/chorus_asset/file/25137774/STK115_Reddit_04.jpg)
