1. Introduction: The SANS / CWE Top 25 Most Dangerous Software Weaknesses
The CWE Top 25 Most Dangerous Software Weaknesses, historically published jointly by MITRE and the SANS Institute and now maintained by the MITRE Corporation on behalf of the Common Weakness Enumeration (CWE) programme, is a demonstrative and consensus-driven list of the software and hardware weaknesses that are most prevalent and most impactful across real-world systems. Unlike a prescriptive control framework such as PCI DSS or ISO/IEC 27001, the CWE Top 25 is a weakness taxonomy: it names, categorises and ranks the underlying flaws in code and design that adversaries repeatedly exploit. For any organisation building, procuring or assuring software, the CWE Top 25 provides a defensible, evidence-backed baseline against which secure-development practices, static and dynamic testing, code review, and vendor assurance can be measured.
This guide is written for engineering leaders, application-security architects, product security teams, QSAs, CERT-In empanelled assessors and internal auditors who must translate the CWE Top 25 from an academic list into an operational assurance programme. It sets out what the list is, who should use it, how it is structured, a master assessment checklist covering every one of the twenty-five weaknesses and their supporting categories, a phased implementation approach, a maturity model, an audit methodology, evidence expectations, roles, KPIs and mappings to adjacent frameworks. Throughout, we adopt British/Indian English and auditor-grade specificity, using the canonical CWE identifiers (CWE-79, CWE-787, and so on) so that findings are unambiguous and traceable.
2. What is the SANS / CWE Top 25?
The Common Weakness Enumeration is a community-developed, formal dictionary of common software and hardware weakness types. A weakness (as distinct from a vulnerability) is a condition in the architecture, design, code or deployment of a product that, under the right circumstances, can contribute to the introduction of a vulnerability. Where a vulnerability (tracked as a CVE) is a specific, exploitable instance in a specific product, a weakness (tracked as a CWE) is the reusable root-cause pattern. For example, CWE-89 (SQL Injection) is the weakness class; a particular CVE in a particular content-management system is a concrete manifestation of that class.
The CWE Top 25 is produced annually using a data-driven scoring methodology. MITRE analyses the previous period's published CVE records from the National Vulnerability Database (NVD), maps each CVE to its root-cause CWE, and combines two factors for each weakness: frequency (how often the weakness appears in real CVEs) and severity (the average CVSS base score of those CVEs). The product of a normalised frequency and a normalised severity yields a score, and the twenty-five highest-scoring weaknesses form that year's list. Because it is re-derived from fresh data each year, the ranking shifts: out-of-bounds write, cross-site scripting, SQL injection, use-after-free and improper input validation have consistently featured near the top in recent editions, while the exact order and membership change annually.
Two closely related MITRE products frequently accompany the Top 25 and should be treated as part of the same assurance toolkit: the CWE/SANS 'On the Cusp' list (weaknesses that narrowly missed the top 25) and the CWE Top 25 Software Errors 'Monster Mitigations' guidance. In addition, MITRE publishes 'views' such as CWE-1000 (Research Concepts), CWE-699 (Software Development) and CWE-1194 (Hardware Design), plus category nodes (for example CWE-1215 Data Validation Issues) that group related weaknesses. The Top 25 is thus best understood as a curated, prioritised entry point into the far larger CWE corpus of over 900 weakness entries.
Key characteristics
- Data-driven and re-derived annually from NVD/CVE data, so it reflects the current real-world threat landscape rather than opinion.
- Root-cause oriented: it targets the weakness that must be fixed, not merely the symptom, enabling durable remediation.
- Language- and platform-agnostic in principle, though many entries (memory-safety weaknesses in particular) are more relevant to C/C++/unmanaged code.
- Hierarchical: each Top 25 entry is a node in the broader CWE tree, with parent categories, child variants and 'peer' relationships.
- Non-prescriptive: it tells you which weaknesses matter most; it does not, by itself, mandate specific controls, though it maps cleanly onto SSDF, ASVS and other prescriptive frameworks.
3. Who must comply with (or should adopt) the CWE Top 25?
The CWE Top 25 is not a regulation, so no organisation is legally 'bound' to it in the way one is bound to the DPDP Act or PCI DSS. However, it is referenced directly and indirectly by numerous mandates, contracts and standards, which effectively makes conformance expected across large parts of the software supply chain. The following table sets out the principal audiences and the driver for adoption.
| Audience / sector | Why the CWE Top 25 applies | Nature of obligation |
|---|---|---|
| Software product companies and ISVs | Customers, security questionnaires and SBOM/attestation requirements ask whether the SDLC addresses the CWE Top 25 | Contractual / market-driven |
| US federal software suppliers | NIST SP 800-218 (SSDF) and the CISA Secure Software Development Attestation Form reference CWE-based weakness reduction | Regulatory (via procurement) |
| Financial services and fintech | RBI, PCI DSS 6.2.4 and secure-coding expectations map to CWE injection, XSS, auth and crypto weaknesses | Regulatory + PCI |
| Healthcare and medical device makers | FDA pre-market cybersecurity guidance expects a weakness-elimination process; CWE is the lingua franca | Regulatory |
| Critical infrastructure / OT vendors | IEC 62443 and CISA 'Secure by Design' pledges cite eliminating whole classes of CWE weaknesses | Regulatory + voluntary pledge |
| Enterprises procuring software | Third-party risk and vendor assurance programmes use the Top 25 as a due-diligence baseline | Internal governance |
| Application security and pentest teams | Findings are classified by CWE-ID for consistent reporting and metrics | Best practice |
| Auditors, QSAs and CERT-In assessors | Used to evidence that secure-development and code-review controls are effective | Assurance methodology |
4. Structure of the CWE Top 25
The Top 25 can be organised into logical weakness families that map to the phases and domains of software engineering. The table below presents a representative structuring of the twenty-five weaknesses commonly appearing in recent editions, grouped by family, with the canonical CWE-ID and a plain-language description. Exact ranking varies by year; the families and identifiers are stable reference points for building an assessment programme.
| Family / domain | CWE-ID | Weakness name | Root cause in one line |
|---|---|---|---|
| Memory safety | CWE-787 | Out-of-bounds Write | Writing past the end/before the start of a buffer |
| Memory safety | CWE-125 | Out-of-bounds Read | Reading past the bounds of a buffer, leaking data |
| Memory safety | CWE-416 | Use After Free | Referencing memory after it has been freed |
| Memory safety | CWE-476 | NULL Pointer Dereference | Dereferencing a pointer that is NULL |
| Memory safety | CWE-190 | Integer Overflow or Wraparound | Arithmetic exceeds the type range, corrupting logic/allocation |
| Memory safety | CWE-119 | Improper Restriction of Operations within Bounds of a Memory Buffer | Generic buffer bounds violation (parent of 787/125) |
| Injection | CWE-79 | Improper Neutralisation of Input During Web Page Generation (XSS) | Untrusted data reflected into HTML/JS without encoding |
| Injection | CWE-89 | Improper Neutralisation of Special Elements used in an SQL Command (SQLi) | Untrusted data concatenated into SQL |
| Injection | CWE-78 | Improper Neutralisation of Special Elements used in an OS Command | Untrusted data passed to a shell/exec |
| Injection | CWE-77 | Improper Neutralisation of Special Elements used in a Command | Generic command injection |
| Injection | CWE-94 | Improper Control of Generation of Code (Code Injection) | Untrusted data interpreted as code (eval, deserialization) |
| Injection | CWE-1321 | Prototype Pollution | Modifying object prototype via crafted keys in JS |
| Input validation | CWE-20 | Improper Input Validation | Failing to validate that input has expected properties |
| Path / file handling | CWE-22 | Improper Limitation of a Pathname to a Restricted Directory (Path Traversal) | '../' escapes the intended directory |
| Path / file handling | CWE-434 | Unrestricted Upload of File with Dangerous Type | Accepting and serving executable uploads |
| Authentication | CWE-287 | Improper Authentication | Identity is not properly verified |
| Authentication | CWE-306 | Missing Authentication for Critical Function | Sensitive action reachable without auth |
| Authorisation | CWE-862 | Missing Authorisation | No access-control check on a resource |
| Authorisation | CWE-863 | Incorrect Authorisation | Access-control check is wrong/bypassable |
| Authorisation | CWE-269 | Improper Privilege Management | Privileges assigned or dropped incorrectly |
| Authorisation | CWE-918 | Server-Side Request Forgery (SSRF) | Server fetches attacker-controlled URLs |
| Web session / CSRF | CWE-352 | Cross-Site Request Forgery | Forged authenticated requests |
| Credentials / secrets | CWE-798 | Use of Hard-coded Credentials | Passwords/keys embedded in code |
| Data exposure | CWE-200 | Exposure of Sensitive Information to an Unauthorised Actor | Leaking sensitive data |
| Resource / deserialisation | CWE-502 | Deserialisation of Untrusted Data | Unsafe object deserialisation leads to RCE |
Each of these entries sits within MITRE's broader research view (CWE-1000) under abstract 'pillar' and 'class' weaknesses such as CWE-664 (Improper Control of a Resource Through its Lifetime), CWE-707 (Improper Neutralisation), CWE-284 (Improper Access Control) and CWE-693 (Protection Mechanism Failure). Understanding these parents helps assessors reason about root cause and about weaknesses that are 'On the Cusp' but not in the current 25.
5. Master assessment checklist
This is the core of the guide. For every weakness family in the Top 25 we provide a dedicated sub-section with a verification table. Each table states, per weakness, what an assessor must verify in the design, code and testing evidence, and the typical evidence artefacts that demonstrate the control is present and effective. No weakness area is skipped. Assessors should complete every row and record a status (Implemented / Partial / Absent / Not Applicable with justification).
5.1 Memory-safety weaknesses (CWE-787, 125, 416, 476, 190, 119)
| What to verify | Typical evidence |
|---|---|
| CWE-787 Out-of-bounds Write: buffers are bounds-checked; safe APIs (strlcpy, snprintf, std::span, Rust slices) replace unsafe copies | Static-analysis reports flagging OOB writes; code showing bounds checks; compiler hardening flags (-D_FORTIFY_SOURCE, -fstack-protector) |
| CWE-125 Out-of-bounds Read: index and length validated before reads; no reads driven by untrusted length fields | SAST/fuzzing findings; unit tests for boundary indices; ASAN/Valgrind runs in CI |
| CWE-416 Use After Free: ownership and lifetime are clear; pointers nulled after free; smart pointers / RAII / borrow checker used | Code review notes; use of unique_ptr/shared_ptr or Rust; ASAN UAF detection in test logs |
| CWE-476 NULL Pointer Dereference: return values and allocations checked before dereference; optional/nullable types used | Static-analysis null-deref findings resolved; defensive checks in code; crash-test evidence |
| CWE-190 Integer Overflow/Wraparound: arithmetic on sizes/lengths uses checked or saturating operations; allocation sizes validated | Use of checked_add/__builtin_mul_overflow; SAST integer-overflow rules enabled; tests for max-value inputs |
| CWE-119 buffer bounds (parent): overall memory-safety strategy documented; migration to memory-safe languages or hardened C/C++ where feasible | Architecture decision records; language-choice rationale; fuzzing harness inventory; sanitiser coverage report |
5.2 Injection weaknesses (CWE-79, 89, 78, 77, 94, 1321)
| What to verify | Typical evidence |
|---|---|
| CWE-79 XSS: all output to HTML/JS/CSS/URL contexts is context-aware encoded; a strict Content-Security-Policy is enforced; templating auto-escapes | CSP headers in responses; framework auto-escaping config; DAST XSS scan clean; code showing output encoding |
| CWE-89 SQL Injection: all queries use parameterised statements / prepared statements / ORM binding; no string concatenation of untrusted data | Code samples of parameterised queries; SAST taint-flow report; ORM usage; DB query logs review |
| CWE-78 OS Command Injection: no shell invocation with untrusted data; use of argument-array exec APIs; allow-listed commands | Code review of exec/subprocess calls; SAST findings; absence of shell=True / os.system with input |
| CWE-77 Command Injection (generic): interpreters (LDAP, XPath, NoSQL, template engines) receive neutralised input | SAST rules for each interpreter; tests injecting metacharacters; secure library usage |
| CWE-94 Code Injection: no eval/exec on untrusted input; template engines run in sandboxed/logic-less mode; dynamic code generation controlled | Grep for eval/Function()/exec; SSTI test results; sandbox configuration |
| CWE-1321 Prototype Pollution: JSON merge/clone functions reject __proto__/constructor keys; use of Map or null-prototype objects | Dependency versions patched; SAST for unsafe merges; tests with polluting payloads |
5.3 Improper input validation (CWE-20)
| What to verify | Typical evidence |
|---|---|
| All external inputs validated against an allow-list of type, length, range, format and canonical form before use | Input-validation schema (JSON Schema, Bean Validation, Joi); server-side validation code (never client-only) |
| Validation occurs on the server side and after canonicalisation/decoding, not before | Code showing decode-then-validate ordering; unit tests for encoded/double-encoded payloads |
| Business-logic constraints (e.g. quantity >= 0, valid state transitions) enforced, not just syntactic checks | Domain-model invariants; negative-path test cases; review notes |
| A consistent, centralised validation layer or framework is used across all entry points (APIs, forms, message queues, files) | Shared validation library; API gateway policy; coverage matrix of endpoints vs validation |
5.4 Path and file-handling weaknesses (CWE-22, 434)
| What to verify | Typical evidence |
|---|---|
| CWE-22 Path Traversal: file paths built from input are canonicalised and confined to a base directory; '../' and absolute paths rejected | Code using realpath/Path.normalize with base-dir containment check; tests with ../ and encoded traversal payloads |
| CWE-434 Unrestricted File Upload: uploads validated by content type and magic bytes; stored outside webroot; randomised names; not executable | Upload handler code; storage-location config; AV/content scanning integration; test attempting to upload a webshell |
| Uploaded files are served with safe Content-Type and Content-Disposition and never interpreted as code by the server | Response header config; static-serving configuration; no execute permissions on upload dir |
5.5 Authentication weaknesses (CWE-287, 306, 798)
| What to verify | Typical evidence |
|---|---|
| CWE-287 Improper Authentication: authentication uses vetted libraries/protocols (OIDC, SAML); MFA available; no auth bypass via alternate paths | IdP/SSO configuration; MFA enforcement policy; pentest attempts at auth bypass; session-management review |
| CWE-306 Missing Authentication for Critical Function: every sensitive endpoint/admin/API requires authentication; no unauthenticated debug or management interfaces | Route-level auth middleware; endpoint inventory with auth requirement; scan for unauthenticated admin paths |
| CWE-798 Hard-coded Credentials: no passwords, API keys, tokens or certificates embedded in source, config or images; secrets from a vault | Secret-scanning report (gitleaks/trufflehog) clean; secrets-manager/vault integration; rotation policy evidence |
5.6 Authorisation and access-control weaknesses (CWE-862, 863, 269, 918)
| What to verify | Typical evidence |
|---|---|
| CWE-862 Missing Authorisation: every object/resource access performs a server-side authorisation check tied to the authenticated principal | Central authorisation policy (RBAC/ABAC); IDOR test results; code review of object-level checks |
| CWE-863 Incorrect Authorisation: authorisation logic is correct, deny-by-default, and not bypassable via role confusion or parameter tampering | Access-control matrix; policy-as-code tests; horizontal/vertical privilege-escalation test results |
| CWE-269 Improper Privilege Management: least privilege enforced; privileges dropped after use; no unnecessary setuid/admin; separation of duties | Service account permission review; sudo/setuid inventory; container runAsNonRoot; privilege-drop code |
| CWE-918 SSRF: outbound requests to user-supplied URLs are allow-listed; internal/metadata IP ranges blocked; DNS-rebinding mitigated | Egress allow-list config; block of 169.254.169.254 and RFC1918; SSRF pentest evidence; proxy/firewall rules |
5.7 Web session and request-forgery weaknesses (CWE-352)
| What to verify | Typical evidence |
|---|---|
| CWE-352 CSRF: state-changing requests require anti-CSRF tokens or SameSite cookies; safe methods are idempotent; JSON APIs require custom headers/CORS | Anti-CSRF token implementation; SameSite=Lax/Strict cookie config; CSRF pentest results; CORS policy review |
| Sensitive operations re-authenticate or require step-up (e.g. password change, fund transfer) | Re-auth flow evidence; step-up MFA config; test forging a state-changing request |
5.8 Sensitive-data exposure (CWE-200)
| What to verify | Typical evidence |
|---|---|
| CWE-200 Information Exposure: errors, stack traces, verbose responses and debug endpoints do not leak sensitive data in production | Generic error-handling config; production logging policy; DAST/pentest checks for verbose errors |
| Sensitive data is classified, encrypted in transit and at rest, and minimised in API responses and logs | Data-classification register; TLS config; field-level encryption; log-redaction rules |
| Access to sensitive data is authorised and audited; no excessive data returned by APIs | Authorisation review; API response-field review; audit-log samples |
5.9 Unsafe deserialisation (CWE-502)
| What to verify | Typical evidence |
|---|---|
| CWE-502 Deserialisation of Untrusted Data: native/binary deserialisers (Java, .NET, Python pickle, PHP) are not fed untrusted input; safe formats (JSON with schema) preferred | Code review of deserialisation calls; allow-list/look-ahead deserialisation config; SAST findings resolved |
| Where deserialisation of untrusted data is unavoidable, type allow-lists and integrity checks (signatures/HMAC) are enforced | Deserialisation allow-list; HMAC verification code; tests with malicious gadget payloads |
5.10 Cross-cutting secure-development controls
Beyond the individual weaknesses, assessors should verify the systemic controls that make weakness elimination durable rather than accidental.
| What to verify | Typical evidence |
|---|---|
| Threat modelling is performed for new/changed features and identifies relevant CWE classes | Threat-model documents; DFDs; abuse cases mapped to CWE-IDs |
| SAST, DAST, SCA and secret scanning run in CI and block on high-severity findings | Pipeline config; scan reports; gating policy; trend of findings over releases |
| Findings are tracked by CWE-ID with SLAs for remediation by severity | Vulnerability register keyed on CWE; remediation-SLA policy; ageing report |
| Security code review / pull-request review covers Top 25 patterns via a checklist | PR templates; review checklists; sampled review comments referencing CWE |
| Developers receive secure-coding training covering the Top 25 | Training records; completion rates; assessment scores |
| Dependencies are inventoried (SBOM) and monitored for CVEs mapping to these CWEs | SBOM artefacts; SCA dashboards; patch cadence evidence |
6. Scoping
Because the CWE Top 25 is a weakness catalogue rather than a system-boundary standard, scoping is about deciding which assets, code repositories and weakness classes are in play and to what depth. A disciplined scope statement prevents both under-assessment (ignoring memory-safety in a mixed C/Java estate) and wasted effort (fuzzing pure-managed code for use-after-free).
- Enumerate the software portfolio: first-party applications, services, APIs, mobile apps, firmware/embedded, infrastructure-as-code and significant third-party components.
- Classify each asset by technology stack, because relevance of weaknesses differs: memory-safety CWEs (787/125/416/476/190) dominate C/C++/unmanaged and embedded code, while injection, authN/authZ and CSRF dominate web and API tiers.
- Rank assets by exposure and criticality (internet-facing, handles PII/PCI/PHI, safety-relevant) to prioritise depth of assessment.
- Define which analysis techniques apply per asset class: SAST/SCA for all, DAST for web/API, fuzzing and sanitisers for native code, manual review for high-risk components.
- Decide the CWE baseline: current-year Top 25 as a minimum, optionally extended with 'On the Cusp' entries and organisation-specific weaknesses from past incidents.
- State exclusions with justification (e.g. a weakness class marked Not Applicable because the technology cannot exhibit it), and record residual-risk acceptance owners.
- Fix the assessment period and the CVE/CWE list version, since the Top 25 changes annually.
7. Implementation approach
Embedding CWE Top 25 assurance into an organisation is a programme, not a single scan. We recommend a five-phase approach. Each phase lists activities and the deliverables an auditor should expect.
Phase 1 — Baseline and gap analysis
- Activities: inventory applications and stacks; run an initial SAST/SCA/secret-scan/DAST sweep; map existing findings to CWE-IDs; assess current SDLC practices against the master checklist; identify the highest-risk weakness classes per asset.
- Deliverables: application and technology inventory; CWE-mapped current-state findings register; gap-analysis report; prioritised remediation backlog; scoping and applicability statement.
Phase 2 — Guardrails and secure-development foundation
- Activities: adopt secure coding standards mapped to the Top 25; introduce or configure safe frameworks/libraries (parameterised DB access, auto-escaping templates, vetted auth/crypto libraries); enable compiler hardening and sanitisers for native code; establish a secrets-management solution; roll out developer secure-coding training.
- Deliverables: secure-coding standard document; approved libraries/frameworks list; compiler-hardening configuration; secrets-vault integration; training curriculum and initial completion records.
Phase 3 — Pipeline integration and gating
- Activities: integrate SAST, DAST, SCA and secret scanning into CI/CD; define severity thresholds that fail builds; wire findings into the issue tracker keyed by CWE-ID; add PR security-review checklists; introduce fuzzing for critical native components.
- Deliverables: CI/CD pipeline configuration; gating policy; CWE-tagged vulnerability tracking; PR checklist templates; fuzzing harnesses and coverage reports.
Phase 4 — Remediation and hardening
- Activities: remediate the prioritised backlog starting with highest score (frequency x severity); apply 'monster mitigations' that eliminate whole weakness classes (e.g. move to memory-safe languages, adopt ORM everywhere, enforce output encoding globally, deny-by-default authorisation); retest and confirm closure.
- Deliverables: remediation evidence per finding; before/after scan results; architecture-decision records for class-level eliminations; residual-risk register with acceptance sign-off.
Phase 5 — Continuous assurance and governance
- Activities: schedule periodic re-assessment against each year's refreshed Top 25; track KPIs and weakness trends; run threat modelling on changes; conduct annual penetration tests; feed incident and bug-bounty findings back into standards and training.
- Deliverables: recurring assessment reports; KPI dashboard; updated threat models; pentest reports; governance/steering minutes; annual programme review.
8. Maturity / capability model
To measure programme maturity we use a five-level capability model. Assessors rate the organisation per weakness family and overall, then track improvement over time. The model draws on the spirit of CMMI, OWASP SAMM and NIST SSDF.
| Level | Name | Characteristics | Illustrative evidence |
|---|---|---|---|
| 0 | Absent | No awareness of CWE weakness classes; no secure-coding standard; ad-hoc or no testing | No SAST/DAST; findings not classified |
| 1 | Initial | Reactive fixing of individual bugs; some scanning but no CWE mapping or gating | Occasional scan reports; no SLAs |
| 2 | Managed | Secure-coding standard exists; SAST/SCA in CI; findings mapped to CWE with remediation SLAs | CWE-tagged register; training records |
| 3 | Defined | Consistent guardrails (safe libraries), gated pipelines, threat modelling and PR security review across teams | Pipeline gating policy; threat models; PR checklists |
| 4 | Quantitatively managed | Metrics-driven: weakness density, escape rate and MTTR tracked and trending down; class-level eliminations delivered | KPI dashboards; trend analysis; ADRs eliminating classes |
| 5 | Optimising | Continuous improvement; memory-safe-by-default; bug-bounty and incident feedback loops; assurance embedded and audited | Bug-bounty data; annual review; near-zero recurrence of top classes |
9. Assessment and audit approach
An auditor-grade assessment against the CWE Top 25 follows a repeatable methodology that blends documentation review, tooling corroboration and manual verification.
- Confirm scope and applicability: agree the asset list, technology stacks, in-scope weakness classes and the Top 25 version/year to be used.
- Review documentation: secure-coding standards, threat models, SDLC policies, prior scan reports and the vulnerability register keyed by CWE.
- Corroborate with tooling: obtain or re-run SAST, DAST, SCA and secret-scan results; verify they cover the codebase and that gating is enforced, not merely configured.
- Perform manual verification: sample high-risk code paths for each weakness family (injection sinks, memory operations, auth/authz checks, deserialisation) and inspect actual mitigations.
- Conduct or review penetration testing: validate exploitability of representative weaknesses (XSS, SQLi, IDOR/authz, SSRF, path traversal, CSRF) with proof-of-concept where safe.
- Assess process effectiveness: check remediation SLAs, ageing, escape rate and that CI gating actually blocks high-severity findings.
- Rate maturity per weakness family using the capability model and record status against every master-checklist row.
- Report findings by CWE-ID with severity, evidence, root cause and remediation guidance; distinguish design flaws from implementation bugs.
- Agree a remediation plan with owners and dates; define re-test criteria.
- Schedule re-assessment aligned to the annually refreshed Top 25 and to major releases.
10. Evidence request list
The following categorised artefacts should be requested at the outset of an assessment. Availability and quality of this evidence is itself a maturity signal.
- Governance and policy: secure-coding standard mapped to the Top 25; SDLC/SSDLC policy; vulnerability-management and remediation-SLA policy; secrets-management policy.
- Architecture and design: threat models and data-flow diagrams; architecture-decision records; access-control (RBAC/ABAC) model; data-classification register.
- Tooling outputs: latest SAST, DAST, SCA and secret-scanning reports; fuzzing and sanitiser (ASAN/UBSAN/Valgrind) results; CI/CD pipeline configuration showing gating.
- Vulnerability management: CWE-tagged vulnerability register; ageing/MTTR reports; remediation evidence and re-test results; residual-risk acceptance records.
- Code and configuration: samples of parameterised queries, output encoding, authorisation checks, input validation, deserialisation handling; compiler-hardening flags; CSP/SameSite/CORS headers.
- Supply chain: SBOMs; approved-libraries list; dependency-patch cadence evidence.
- People and process: developer secure-coding training records; PR security-review checklists and sampled reviews; penetration-test reports; bug-bounty/incident records feeding back into standards.
11. Roles and responsibilities
| Role | Primary responsibilities | Accountable for |
|---|---|---|
| CISO / Head of Security | Owns the programme, sets risk appetite and severity thresholds, reports to the board | Overall weakness-reduction posture |
| Application Security Lead / Architect | Maintains secure-coding standard, tooling and gating; adjudicates findings; runs threat modelling | Effectiveness of guardrails and gates |
| Development leads / engineers | Write and review code to eliminate Top 25 weaknesses; remediate findings within SLA | Secure implementation and remediation |
| DevSecOps / Platform team | Integrates and maintains SAST/DAST/SCA/secret scanning and fuzzing in CI/CD | Pipeline coverage and reliability |
| QA / Test engineering | Builds negative and abuse-case tests; validates fixes | Test coverage of weakness classes |
| Penetration testers / red team | Independently validate exploitability of weaknesses | Assurance of real-world resistance |
| Product owners | Prioritise security work in the backlog; accept residual risk with sign-off | Risk-informed delivery decisions |
| Internal audit / QSA / assessor | Independently assesses conformance and evidence quality | Objective assurance opinion |
12. KPIs to track
- Weakness density: number of Top 25 findings per 1,000 lines of code or per application, trended over releases.
- Coverage: percentage of repositories/services under SAST, DAST, SCA and secret scanning.
- Gating efficacy: percentage of builds correctly blocked on high-severity CWE findings.
- Mean time to remediate (MTTR) by severity, and percentage of findings remediated within SLA.
- Escape rate: proportion of Top 25 weaknesses found in production or by external testers versus caught pre-release.
- Recurrence rate: reappearance of the same CWE class after a class-level mitigation.
- Class-elimination progress: number of Top 25 classes designed out (e.g. no raw SQL anywhere, memory-safe language adoption percentage).
- Training coverage: percentage of developers current on secure-coding training and their assessment scores.
- Dependency hygiene: mean age of known-vulnerable dependencies and patch cadence.
- Maturity score per weakness family from the capability model, trended over time.
13. Readiness checklist
- Software and technology inventory complete, with stacks classified for weakness applicability.
- Secure-coding standard mapped to the current-year CWE Top 25 published and adopted.
- SAST, DAST, SCA and secret scanning integrated into CI/CD with enforced severity gating.
- Findings tracked by CWE-ID with defined remediation SLAs and ageing reports.
- Parameterised database access, context-aware output encoding and CSP enforced across web/API tiers.
- Server-side, allow-list input validation applied at every entry point.
- Deny-by-default authorisation and object-level access checks verified (no IDOR).
- Authentication uses vetted protocols with MFA; no hard-coded credentials (secret scan clean).
- SSRF, path traversal and unrestricted-upload protections implemented and tested.
- Unsafe deserialisation avoided or constrained by type allow-lists and integrity checks.
- Memory-safety controls (bounds checks, sanitisers, hardening, safe languages) in place for native code.
- Threat modelling performed for new and changed features and mapped to CWE classes.
- Developers trained on the Top 25; PR security-review checklist in use.
- SBOM produced and dependencies monitored for relevant CVEs.
- Independent penetration test and re-assessment scheduled against each annual Top 25 refresh.
14. Common gaps
- Client-side-only validation, leaving server endpoints exposed to CWE-20 and injection weaknesses.
- Parameterised queries used in most places but bypassed for 'dynamic' reporting or search, reintroducing CWE-89.
- Output encoding applied inconsistently across contexts, so CWE-79 XSS persists in JS/attribute/URL sinks.
- Authorisation checks present at the UI/route level but missing at the object level, causing CWE-862/863 IDOR.
- Secrets removed from code but still present in CI logs, container images or history, defeating CWE-798 controls.
- SSRF (CWE-918) overlooked in features that fetch remote resources (webhooks, previews, image proxies).
- Memory-safety tooling (ASAN/fuzzing) configured but not run continuously, so CWE-787/125/416 regress.
- Scans run but not gated, so findings accumulate without enforced remediation.
- Findings not mapped to CWE-IDs, preventing trend analysis and class-level elimination.
- Deserialisation of untrusted data (CWE-502) hidden inside third-party libraries and frameworks, unnoticed by manual review.
- Programme frozen against an old Top 25, missing newly risen weaknesses in the current year's list.
- Prototype pollution (CWE-1321) and other ecosystem-specific weaknesses ignored because tooling defaults do not detect them.
15. CWE Top 25 mapped to other frameworks
The Top 25 dovetails with prescriptive standards. The table shows how key weaknesses and the programme as a whole align with widely used frameworks, enabling a single body of evidence to satisfy multiple requirements.
| Framework / standard | How it relates to the CWE Top 25 | Example linkage |
|---|---|---|
| OWASP Top 10 | Each OWASP category aggregates multiple CWEs; near-direct overlap for web weaknesses | A03 Injection maps to CWE-79/89/78/94; A01 Broken Access Control to CWE-862/863/22/918 |
| OWASP ASVS | Provides testable requirements that mitigate specific CWEs | V5 Validation/Encoding addresses CWE-20/79/89; V4 Access Control addresses CWE-862/863 |
| NIST SP 800-218 (SSDF) | Practices PW.4-PW.8 call for weakness reduction; CWE is the weakness taxonomy | PW.5/PW.7/PW.8 evidenced by CWE-mapped SAST/DAST and code review |
| PCI DSS v4.0 | Requirement 6 mandates secure coding against common weaknesses | 6.2.4 lists injection, XSS, access-control and other CWE-class weaknesses |
| ISO/IEC 27001 / 27002 | Annex A control 8.28 (secure coding) and 8.29 (security testing) | CWE-based standards and testing evidence support 8.25-8.29 |
| ISO/IEC 5055 (CISQ) | Measures software quality including security weaknesses drawn from CWE | Security measure enumerates a set of CWEs overlapping the Top 25 |
| MITRE ATT&CK | Weaknesses enable techniques; CWE provides the root cause behind exploited access | Exploitation-of-public-facing-application (T1190) often via CWE-89/79/502 |
| IEC 62443 (OT/ICS) | Secure-development lifecycle requirements expect weakness elimination | SR/CR requirements evidenced by CWE-mapped SDLC controls |
| CERT Secure Coding Standards | Rule violations correspond to CWE weaknesses | Numerous CERT C/Java rules map directly to CWE-787/190/476/89 |
16. How CyberSigma helps
Frequently asked questions
Need help with SANS / CWE?
CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.
