We use strictly necessary cookies to run this site, and — only with your consent — analytics & marketing cookies (Google Analytics, Google Tag Manager) to improve it. No analytics or marketing cookies are set unless you accept. See our Cookie Policy and Privacy Policy.

Knowledge Center / SANS / CWE
MITRE / SANS · Global

SANS / CWE Top 25

The most dangerous and common software weaknesses developers must avoid.

1. Introduction: The SANS / CWE Top 25 Most Dangerous Software Weaknesses

The CWE Top 25 Most Dangerous Software Weaknesses, historically published jointly by MITRE and the SANS Institute and now maintained by the MITRE Corporation on behalf of the Common Weakness Enumeration (CWE) programme, is a demonstrative and consensus-driven list of the software and hardware weaknesses that are most prevalent and most impactful across real-world systems. Unlike a prescriptive control framework such as PCI DSS or ISO/IEC 27001, the CWE Top 25 is a weakness taxonomy: it names, categorises and ranks the underlying flaws in code and design that adversaries repeatedly exploit. For any organisation building, procuring or assuring software, the CWE Top 25 provides a defensible, evidence-backed baseline against which secure-development practices, static and dynamic testing, code review, and vendor assurance can be measured.

This guide is written for engineering leaders, application-security architects, product security teams, QSAs, CERT-In empanelled assessors and internal auditors who must translate the CWE Top 25 from an academic list into an operational assurance programme. It sets out what the list is, who should use it, how it is structured, a master assessment checklist covering every one of the twenty-five weaknesses and their supporting categories, a phased implementation approach, a maturity model, an audit methodology, evidence expectations, roles, KPIs and mappings to adjacent frameworks. Throughout, we adopt British/Indian English and auditor-grade specificity, using the canonical CWE identifiers (CWE-79, CWE-787, and so on) so that findings are unambiguous and traceable.

Copyright and attribution note
Common Weakness Enumeration (CWE) is a trademark of The MITRE Corporation. The CWE List, the CWE Top 25 and associated identifiers (CWE-IDs) are the copyright of MITRE and are published for public benefit. SANS Institute co-branded early editions of the list. This guide is an original, independent interpretation authored by CyberSigma for educational and assurance purposes. It does not reproduce MITRE's or SANS's copyrighted descriptive text; all weakness explanations, verification steps and evidence guidance below are our own. Always consult the authoritative CWE List at cwe.mitre.org for the definitive, versioned definitions and the current year's ranked Top 25.

2. What is the SANS / CWE Top 25?

The Common Weakness Enumeration is a community-developed, formal dictionary of common software and hardware weakness types. A weakness (as distinct from a vulnerability) is a condition in the architecture, design, code or deployment of a product that, under the right circumstances, can contribute to the introduction of a vulnerability. Where a vulnerability (tracked as a CVE) is a specific, exploitable instance in a specific product, a weakness (tracked as a CWE) is the reusable root-cause pattern. For example, CWE-89 (SQL Injection) is the weakness class; a particular CVE in a particular content-management system is a concrete manifestation of that class.

The CWE Top 25 is produced annually using a data-driven scoring methodology. MITRE analyses the previous period's published CVE records from the National Vulnerability Database (NVD), maps each CVE to its root-cause CWE, and combines two factors for each weakness: frequency (how often the weakness appears in real CVEs) and severity (the average CVSS base score of those CVEs). The product of a normalised frequency and a normalised severity yields a score, and the twenty-five highest-scoring weaknesses form that year's list. Because it is re-derived from fresh data each year, the ranking shifts: out-of-bounds write, cross-site scripting, SQL injection, use-after-free and improper input validation have consistently featured near the top in recent editions, while the exact order and membership change annually.

Two closely related MITRE products frequently accompany the Top 25 and should be treated as part of the same assurance toolkit: the CWE/SANS 'On the Cusp' list (weaknesses that narrowly missed the top 25) and the CWE Top 25 Software Errors 'Monster Mitigations' guidance. In addition, MITRE publishes 'views' such as CWE-1000 (Research Concepts), CWE-699 (Software Development) and CWE-1194 (Hardware Design), plus category nodes (for example CWE-1215 Data Validation Issues) that group related weaknesses. The Top 25 is thus best understood as a curated, prioritised entry point into the far larger CWE corpus of over 900 weakness entries.

Key characteristics

  • Data-driven and re-derived annually from NVD/CVE data, so it reflects the current real-world threat landscape rather than opinion.
  • Root-cause oriented: it targets the weakness that must be fixed, not merely the symptom, enabling durable remediation.
  • Language- and platform-agnostic in principle, though many entries (memory-safety weaknesses in particular) are more relevant to C/C++/unmanaged code.
  • Hierarchical: each Top 25 entry is a node in the broader CWE tree, with parent categories, child variants and 'peer' relationships.
  • Non-prescriptive: it tells you which weaknesses matter most; it does not, by itself, mandate specific controls, though it maps cleanly onto SSDF, ASVS and other prescriptive frameworks.

3. Who must comply with (or should adopt) the CWE Top 25?

The CWE Top 25 is not a regulation, so no organisation is legally 'bound' to it in the way one is bound to the DPDP Act or PCI DSS. However, it is referenced directly and indirectly by numerous mandates, contracts and standards, which effectively makes conformance expected across large parts of the software supply chain. The following table sets out the principal audiences and the driver for adoption.

Audience / sectorWhy the CWE Top 25 appliesNature of obligation
Software product companies and ISVsCustomers, security questionnaires and SBOM/attestation requirements ask whether the SDLC addresses the CWE Top 25Contractual / market-driven
US federal software suppliersNIST SP 800-218 (SSDF) and the CISA Secure Software Development Attestation Form reference CWE-based weakness reductionRegulatory (via procurement)
Financial services and fintechRBI, PCI DSS 6.2.4 and secure-coding expectations map to CWE injection, XSS, auth and crypto weaknessesRegulatory + PCI
Healthcare and medical device makersFDA pre-market cybersecurity guidance expects a weakness-elimination process; CWE is the lingua francaRegulatory
Critical infrastructure / OT vendorsIEC 62443 and CISA 'Secure by Design' pledges cite eliminating whole classes of CWE weaknessesRegulatory + voluntary pledge
Enterprises procuring softwareThird-party risk and vendor assurance programmes use the Top 25 as a due-diligence baselineInternal governance
Application security and pentest teamsFindings are classified by CWE-ID for consistent reporting and metricsBest practice
Auditors, QSAs and CERT-In assessorsUsed to evidence that secure-development and code-review controls are effectiveAssurance methodology

4. Structure of the CWE Top 25

The Top 25 can be organised into logical weakness families that map to the phases and domains of software engineering. The table below presents a representative structuring of the twenty-five weaknesses commonly appearing in recent editions, grouped by family, with the canonical CWE-ID and a plain-language description. Exact ranking varies by year; the families and identifiers are stable reference points for building an assessment programme.

Family / domainCWE-IDWeakness nameRoot cause in one line
Memory safetyCWE-787Out-of-bounds WriteWriting past the end/before the start of a buffer
Memory safetyCWE-125Out-of-bounds ReadReading past the bounds of a buffer, leaking data
Memory safetyCWE-416Use After FreeReferencing memory after it has been freed
Memory safetyCWE-476NULL Pointer DereferenceDereferencing a pointer that is NULL
Memory safetyCWE-190Integer Overflow or WraparoundArithmetic exceeds the type range, corrupting logic/allocation
Memory safetyCWE-119Improper Restriction of Operations within Bounds of a Memory BufferGeneric buffer bounds violation (parent of 787/125)
InjectionCWE-79Improper Neutralisation of Input During Web Page Generation (XSS)Untrusted data reflected into HTML/JS without encoding
InjectionCWE-89Improper Neutralisation of Special Elements used in an SQL Command (SQLi)Untrusted data concatenated into SQL
InjectionCWE-78Improper Neutralisation of Special Elements used in an OS CommandUntrusted data passed to a shell/exec
InjectionCWE-77Improper Neutralisation of Special Elements used in a CommandGeneric command injection
InjectionCWE-94Improper Control of Generation of Code (Code Injection)Untrusted data interpreted as code (eval, deserialization)
InjectionCWE-1321Prototype PollutionModifying object prototype via crafted keys in JS
Input validationCWE-20Improper Input ValidationFailing to validate that input has expected properties
Path / file handlingCWE-22Improper Limitation of a Pathname to a Restricted Directory (Path Traversal)'../' escapes the intended directory
Path / file handlingCWE-434Unrestricted Upload of File with Dangerous TypeAccepting and serving executable uploads
AuthenticationCWE-287Improper AuthenticationIdentity is not properly verified
AuthenticationCWE-306Missing Authentication for Critical FunctionSensitive action reachable without auth
AuthorisationCWE-862Missing AuthorisationNo access-control check on a resource
AuthorisationCWE-863Incorrect AuthorisationAccess-control check is wrong/bypassable
AuthorisationCWE-269Improper Privilege ManagementPrivileges assigned or dropped incorrectly
AuthorisationCWE-918Server-Side Request Forgery (SSRF)Server fetches attacker-controlled URLs
Web session / CSRFCWE-352Cross-Site Request ForgeryForged authenticated requests
Credentials / secretsCWE-798Use of Hard-coded CredentialsPasswords/keys embedded in code
Data exposureCWE-200Exposure of Sensitive Information to an Unauthorised ActorLeaking sensitive data
Resource / deserialisationCWE-502Deserialisation of Untrusted DataUnsafe object deserialisation leads to RCE

Each of these entries sits within MITRE's broader research view (CWE-1000) under abstract 'pillar' and 'class' weaknesses such as CWE-664 (Improper Control of a Resource Through its Lifetime), CWE-707 (Improper Neutralisation), CWE-284 (Improper Access Control) and CWE-693 (Protection Mechanism Failure). Understanding these parents helps assessors reason about root cause and about weaknesses that are 'On the Cusp' but not in the current 25.

5. Master assessment checklist

This is the core of the guide. For every weakness family in the Top 25 we provide a dedicated sub-section with a verification table. Each table states, per weakness, what an assessor must verify in the design, code and testing evidence, and the typical evidence artefacts that demonstrate the control is present and effective. No weakness area is skipped. Assessors should complete every row and record a status (Implemented / Partial / Absent / Not Applicable with justification).

5.1 Memory-safety weaknesses (CWE-787, 125, 416, 476, 190, 119)

What to verifyTypical evidence
CWE-787 Out-of-bounds Write: buffers are bounds-checked; safe APIs (strlcpy, snprintf, std::span, Rust slices) replace unsafe copiesStatic-analysis reports flagging OOB writes; code showing bounds checks; compiler hardening flags (-D_FORTIFY_SOURCE, -fstack-protector)
CWE-125 Out-of-bounds Read: index and length validated before reads; no reads driven by untrusted length fieldsSAST/fuzzing findings; unit tests for boundary indices; ASAN/Valgrind runs in CI
CWE-416 Use After Free: ownership and lifetime are clear; pointers nulled after free; smart pointers / RAII / borrow checker usedCode review notes; use of unique_ptr/shared_ptr or Rust; ASAN UAF detection in test logs
CWE-476 NULL Pointer Dereference: return values and allocations checked before dereference; optional/nullable types usedStatic-analysis null-deref findings resolved; defensive checks in code; crash-test evidence
CWE-190 Integer Overflow/Wraparound: arithmetic on sizes/lengths uses checked or saturating operations; allocation sizes validatedUse of checked_add/__builtin_mul_overflow; SAST integer-overflow rules enabled; tests for max-value inputs
CWE-119 buffer bounds (parent): overall memory-safety strategy documented; migration to memory-safe languages or hardened C/C++ where feasibleArchitecture decision records; language-choice rationale; fuzzing harness inventory; sanitiser coverage report

5.2 Injection weaknesses (CWE-79, 89, 78, 77, 94, 1321)

What to verifyTypical evidence
CWE-79 XSS: all output to HTML/JS/CSS/URL contexts is context-aware encoded; a strict Content-Security-Policy is enforced; templating auto-escapesCSP headers in responses; framework auto-escaping config; DAST XSS scan clean; code showing output encoding
CWE-89 SQL Injection: all queries use parameterised statements / prepared statements / ORM binding; no string concatenation of untrusted dataCode samples of parameterised queries; SAST taint-flow report; ORM usage; DB query logs review
CWE-78 OS Command Injection: no shell invocation with untrusted data; use of argument-array exec APIs; allow-listed commandsCode review of exec/subprocess calls; SAST findings; absence of shell=True / os.system with input
CWE-77 Command Injection (generic): interpreters (LDAP, XPath, NoSQL, template engines) receive neutralised inputSAST rules for each interpreter; tests injecting metacharacters; secure library usage
CWE-94 Code Injection: no eval/exec on untrusted input; template engines run in sandboxed/logic-less mode; dynamic code generation controlledGrep for eval/Function()/exec; SSTI test results; sandbox configuration
CWE-1321 Prototype Pollution: JSON merge/clone functions reject __proto__/constructor keys; use of Map or null-prototype objectsDependency versions patched; SAST for unsafe merges; tests with polluting payloads

5.3 Improper input validation (CWE-20)

What to verifyTypical evidence
All external inputs validated against an allow-list of type, length, range, format and canonical form before useInput-validation schema (JSON Schema, Bean Validation, Joi); server-side validation code (never client-only)
Validation occurs on the server side and after canonicalisation/decoding, not beforeCode showing decode-then-validate ordering; unit tests for encoded/double-encoded payloads
Business-logic constraints (e.g. quantity >= 0, valid state transitions) enforced, not just syntactic checksDomain-model invariants; negative-path test cases; review notes
A consistent, centralised validation layer or framework is used across all entry points (APIs, forms, message queues, files)Shared validation library; API gateway policy; coverage matrix of endpoints vs validation

5.4 Path and file-handling weaknesses (CWE-22, 434)

What to verifyTypical evidence
CWE-22 Path Traversal: file paths built from input are canonicalised and confined to a base directory; '../' and absolute paths rejectedCode using realpath/Path.normalize with base-dir containment check; tests with ../ and encoded traversal payloads
CWE-434 Unrestricted File Upload: uploads validated by content type and magic bytes; stored outside webroot; randomised names; not executableUpload handler code; storage-location config; AV/content scanning integration; test attempting to upload a webshell
Uploaded files are served with safe Content-Type and Content-Disposition and never interpreted as code by the serverResponse header config; static-serving configuration; no execute permissions on upload dir

5.5 Authentication weaknesses (CWE-287, 306, 798)

What to verifyTypical evidence
CWE-287 Improper Authentication: authentication uses vetted libraries/protocols (OIDC, SAML); MFA available; no auth bypass via alternate pathsIdP/SSO configuration; MFA enforcement policy; pentest attempts at auth bypass; session-management review
CWE-306 Missing Authentication for Critical Function: every sensitive endpoint/admin/API requires authentication; no unauthenticated debug or management interfacesRoute-level auth middleware; endpoint inventory with auth requirement; scan for unauthenticated admin paths
CWE-798 Hard-coded Credentials: no passwords, API keys, tokens or certificates embedded in source, config or images; secrets from a vaultSecret-scanning report (gitleaks/trufflehog) clean; secrets-manager/vault integration; rotation policy evidence

5.6 Authorisation and access-control weaknesses (CWE-862, 863, 269, 918)

What to verifyTypical evidence
CWE-862 Missing Authorisation: every object/resource access performs a server-side authorisation check tied to the authenticated principalCentral authorisation policy (RBAC/ABAC); IDOR test results; code review of object-level checks
CWE-863 Incorrect Authorisation: authorisation logic is correct, deny-by-default, and not bypassable via role confusion or parameter tamperingAccess-control matrix; policy-as-code tests; horizontal/vertical privilege-escalation test results
CWE-269 Improper Privilege Management: least privilege enforced; privileges dropped after use; no unnecessary setuid/admin; separation of dutiesService account permission review; sudo/setuid inventory; container runAsNonRoot; privilege-drop code
CWE-918 SSRF: outbound requests to user-supplied URLs are allow-listed; internal/metadata IP ranges blocked; DNS-rebinding mitigatedEgress allow-list config; block of 169.254.169.254 and RFC1918; SSRF pentest evidence; proxy/firewall rules

5.7 Web session and request-forgery weaknesses (CWE-352)

What to verifyTypical evidence
CWE-352 CSRF: state-changing requests require anti-CSRF tokens or SameSite cookies; safe methods are idempotent; JSON APIs require custom headers/CORSAnti-CSRF token implementation; SameSite=Lax/Strict cookie config; CSRF pentest results; CORS policy review
Sensitive operations re-authenticate or require step-up (e.g. password change, fund transfer)Re-auth flow evidence; step-up MFA config; test forging a state-changing request

5.8 Sensitive-data exposure (CWE-200)

What to verifyTypical evidence
CWE-200 Information Exposure: errors, stack traces, verbose responses and debug endpoints do not leak sensitive data in productionGeneric error-handling config; production logging policy; DAST/pentest checks for verbose errors
Sensitive data is classified, encrypted in transit and at rest, and minimised in API responses and logsData-classification register; TLS config; field-level encryption; log-redaction rules
Access to sensitive data is authorised and audited; no excessive data returned by APIsAuthorisation review; API response-field review; audit-log samples

5.9 Unsafe deserialisation (CWE-502)

What to verifyTypical evidence
CWE-502 Deserialisation of Untrusted Data: native/binary deserialisers (Java, .NET, Python pickle, PHP) are not fed untrusted input; safe formats (JSON with schema) preferredCode review of deserialisation calls; allow-list/look-ahead deserialisation config; SAST findings resolved
Where deserialisation of untrusted data is unavoidable, type allow-lists and integrity checks (signatures/HMAC) are enforcedDeserialisation allow-list; HMAC verification code; tests with malicious gadget payloads

5.10 Cross-cutting secure-development controls

Beyond the individual weaknesses, assessors should verify the systemic controls that make weakness elimination durable rather than accidental.

What to verifyTypical evidence
Threat modelling is performed for new/changed features and identifies relevant CWE classesThreat-model documents; DFDs; abuse cases mapped to CWE-IDs
SAST, DAST, SCA and secret scanning run in CI and block on high-severity findingsPipeline config; scan reports; gating policy; trend of findings over releases
Findings are tracked by CWE-ID with SLAs for remediation by severityVulnerability register keyed on CWE; remediation-SLA policy; ageing report
Security code review / pull-request review covers Top 25 patterns via a checklistPR templates; review checklists; sampled review comments referencing CWE
Developers receive secure-coding training covering the Top 25Training records; completion rates; assessment scores
Dependencies are inventoried (SBOM) and monitored for CVEs mapping to these CWEsSBOM artefacts; SCA dashboards; patch cadence evidence

6. Scoping

Because the CWE Top 25 is a weakness catalogue rather than a system-boundary standard, scoping is about deciding which assets, code repositories and weakness classes are in play and to what depth. A disciplined scope statement prevents both under-assessment (ignoring memory-safety in a mixed C/Java estate) and wasted effort (fuzzing pure-managed code for use-after-free).

  • Enumerate the software portfolio: first-party applications, services, APIs, mobile apps, firmware/embedded, infrastructure-as-code and significant third-party components.
  • Classify each asset by technology stack, because relevance of weaknesses differs: memory-safety CWEs (787/125/416/476/190) dominate C/C++/unmanaged and embedded code, while injection, authN/authZ and CSRF dominate web and API tiers.
  • Rank assets by exposure and criticality (internet-facing, handles PII/PCI/PHI, safety-relevant) to prioritise depth of assessment.
  • Define which analysis techniques apply per asset class: SAST/SCA for all, DAST for web/API, fuzzing and sanitisers for native code, manual review for high-risk components.
  • Decide the CWE baseline: current-year Top 25 as a minimum, optionally extended with 'On the Cusp' entries and organisation-specific weaknesses from past incidents.
  • State exclusions with justification (e.g. a weakness class marked Not Applicable because the technology cannot exhibit it), and record residual-risk acceptance owners.
  • Fix the assessment period and the CVE/CWE list version, since the Top 25 changes annually.

7. Implementation approach

Embedding CWE Top 25 assurance into an organisation is a programme, not a single scan. We recommend a five-phase approach. Each phase lists activities and the deliverables an auditor should expect.

Phase 1 — Baseline and gap analysis

  • Activities: inventory applications and stacks; run an initial SAST/SCA/secret-scan/DAST sweep; map existing findings to CWE-IDs; assess current SDLC practices against the master checklist; identify the highest-risk weakness classes per asset.
  • Deliverables: application and technology inventory; CWE-mapped current-state findings register; gap-analysis report; prioritised remediation backlog; scoping and applicability statement.

Phase 2 — Guardrails and secure-development foundation

  • Activities: adopt secure coding standards mapped to the Top 25; introduce or configure safe frameworks/libraries (parameterised DB access, auto-escaping templates, vetted auth/crypto libraries); enable compiler hardening and sanitisers for native code; establish a secrets-management solution; roll out developer secure-coding training.
  • Deliverables: secure-coding standard document; approved libraries/frameworks list; compiler-hardening configuration; secrets-vault integration; training curriculum and initial completion records.

Phase 3 — Pipeline integration and gating

  • Activities: integrate SAST, DAST, SCA and secret scanning into CI/CD; define severity thresholds that fail builds; wire findings into the issue tracker keyed by CWE-ID; add PR security-review checklists; introduce fuzzing for critical native components.
  • Deliverables: CI/CD pipeline configuration; gating policy; CWE-tagged vulnerability tracking; PR checklist templates; fuzzing harnesses and coverage reports.

Phase 4 — Remediation and hardening

  • Activities: remediate the prioritised backlog starting with highest score (frequency x severity); apply 'monster mitigations' that eliminate whole weakness classes (e.g. move to memory-safe languages, adopt ORM everywhere, enforce output encoding globally, deny-by-default authorisation); retest and confirm closure.
  • Deliverables: remediation evidence per finding; before/after scan results; architecture-decision records for class-level eliminations; residual-risk register with acceptance sign-off.

Phase 5 — Continuous assurance and governance

  • Activities: schedule periodic re-assessment against each year's refreshed Top 25; track KPIs and weakness trends; run threat modelling on changes; conduct annual penetration tests; feed incident and bug-bounty findings back into standards and training.
  • Deliverables: recurring assessment reports; KPI dashboard; updated threat models; pentest reports; governance/steering minutes; annual programme review.

8. Maturity / capability model

To measure programme maturity we use a five-level capability model. Assessors rate the organisation per weakness family and overall, then track improvement over time. The model draws on the spirit of CMMI, OWASP SAMM and NIST SSDF.

LevelNameCharacteristicsIllustrative evidence
0AbsentNo awareness of CWE weakness classes; no secure-coding standard; ad-hoc or no testingNo SAST/DAST; findings not classified
1InitialReactive fixing of individual bugs; some scanning but no CWE mapping or gatingOccasional scan reports; no SLAs
2ManagedSecure-coding standard exists; SAST/SCA in CI; findings mapped to CWE with remediation SLAsCWE-tagged register; training records
3DefinedConsistent guardrails (safe libraries), gated pipelines, threat modelling and PR security review across teamsPipeline gating policy; threat models; PR checklists
4Quantitatively managedMetrics-driven: weakness density, escape rate and MTTR tracked and trending down; class-level eliminations deliveredKPI dashboards; trend analysis; ADRs eliminating classes
5OptimisingContinuous improvement; memory-safe-by-default; bug-bounty and incident feedback loops; assurance embedded and auditedBug-bounty data; annual review; near-zero recurrence of top classes

9. Assessment and audit approach

An auditor-grade assessment against the CWE Top 25 follows a repeatable methodology that blends documentation review, tooling corroboration and manual verification.

  1. Confirm scope and applicability: agree the asset list, technology stacks, in-scope weakness classes and the Top 25 version/year to be used.
  2. Review documentation: secure-coding standards, threat models, SDLC policies, prior scan reports and the vulnerability register keyed by CWE.
  3. Corroborate with tooling: obtain or re-run SAST, DAST, SCA and secret-scan results; verify they cover the codebase and that gating is enforced, not merely configured.
  4. Perform manual verification: sample high-risk code paths for each weakness family (injection sinks, memory operations, auth/authz checks, deserialisation) and inspect actual mitigations.
  5. Conduct or review penetration testing: validate exploitability of representative weaknesses (XSS, SQLi, IDOR/authz, SSRF, path traversal, CSRF) with proof-of-concept where safe.
  6. Assess process effectiveness: check remediation SLAs, ageing, escape rate and that CI gating actually blocks high-severity findings.
  7. Rate maturity per weakness family using the capability model and record status against every master-checklist row.
  8. Report findings by CWE-ID with severity, evidence, root cause and remediation guidance; distinguish design flaws from implementation bugs.
  9. Agree a remediation plan with owners and dates; define re-test criteria.
  10. Schedule re-assessment aligned to the annually refreshed Top 25 and to major releases.

10. Evidence request list

The following categorised artefacts should be requested at the outset of an assessment. Availability and quality of this evidence is itself a maturity signal.

  • Governance and policy: secure-coding standard mapped to the Top 25; SDLC/SSDLC policy; vulnerability-management and remediation-SLA policy; secrets-management policy.
  • Architecture and design: threat models and data-flow diagrams; architecture-decision records; access-control (RBAC/ABAC) model; data-classification register.
  • Tooling outputs: latest SAST, DAST, SCA and secret-scanning reports; fuzzing and sanitiser (ASAN/UBSAN/Valgrind) results; CI/CD pipeline configuration showing gating.
  • Vulnerability management: CWE-tagged vulnerability register; ageing/MTTR reports; remediation evidence and re-test results; residual-risk acceptance records.
  • Code and configuration: samples of parameterised queries, output encoding, authorisation checks, input validation, deserialisation handling; compiler-hardening flags; CSP/SameSite/CORS headers.
  • Supply chain: SBOMs; approved-libraries list; dependency-patch cadence evidence.
  • People and process: developer secure-coding training records; PR security-review checklists and sampled reviews; penetration-test reports; bug-bounty/incident records feeding back into standards.

11. Roles and responsibilities

RolePrimary responsibilitiesAccountable for
CISO / Head of SecurityOwns the programme, sets risk appetite and severity thresholds, reports to the boardOverall weakness-reduction posture
Application Security Lead / ArchitectMaintains secure-coding standard, tooling and gating; adjudicates findings; runs threat modellingEffectiveness of guardrails and gates
Development leads / engineersWrite and review code to eliminate Top 25 weaknesses; remediate findings within SLASecure implementation and remediation
DevSecOps / Platform teamIntegrates and maintains SAST/DAST/SCA/secret scanning and fuzzing in CI/CDPipeline coverage and reliability
QA / Test engineeringBuilds negative and abuse-case tests; validates fixesTest coverage of weakness classes
Penetration testers / red teamIndependently validate exploitability of weaknessesAssurance of real-world resistance
Product ownersPrioritise security work in the backlog; accept residual risk with sign-offRisk-informed delivery decisions
Internal audit / QSA / assessorIndependently assesses conformance and evidence qualityObjective assurance opinion

12. KPIs to track

  • Weakness density: number of Top 25 findings per 1,000 lines of code or per application, trended over releases.
  • Coverage: percentage of repositories/services under SAST, DAST, SCA and secret scanning.
  • Gating efficacy: percentage of builds correctly blocked on high-severity CWE findings.
  • Mean time to remediate (MTTR) by severity, and percentage of findings remediated within SLA.
  • Escape rate: proportion of Top 25 weaknesses found in production or by external testers versus caught pre-release.
  • Recurrence rate: reappearance of the same CWE class after a class-level mitigation.
  • Class-elimination progress: number of Top 25 classes designed out (e.g. no raw SQL anywhere, memory-safe language adoption percentage).
  • Training coverage: percentage of developers current on secure-coding training and their assessment scores.
  • Dependency hygiene: mean age of known-vulnerable dependencies and patch cadence.
  • Maturity score per weakness family from the capability model, trended over time.

13. Readiness checklist

  • Software and technology inventory complete, with stacks classified for weakness applicability.
  • Secure-coding standard mapped to the current-year CWE Top 25 published and adopted.
  • SAST, DAST, SCA and secret scanning integrated into CI/CD with enforced severity gating.
  • Findings tracked by CWE-ID with defined remediation SLAs and ageing reports.
  • Parameterised database access, context-aware output encoding and CSP enforced across web/API tiers.
  • Server-side, allow-list input validation applied at every entry point.
  • Deny-by-default authorisation and object-level access checks verified (no IDOR).
  • Authentication uses vetted protocols with MFA; no hard-coded credentials (secret scan clean).
  • SSRF, path traversal and unrestricted-upload protections implemented and tested.
  • Unsafe deserialisation avoided or constrained by type allow-lists and integrity checks.
  • Memory-safety controls (bounds checks, sanitisers, hardening, safe languages) in place for native code.
  • Threat modelling performed for new and changed features and mapped to CWE classes.
  • Developers trained on the Top 25; PR security-review checklist in use.
  • SBOM produced and dependencies monitored for relevant CVEs.
  • Independent penetration test and re-assessment scheduled against each annual Top 25 refresh.

14. Common gaps

  • Client-side-only validation, leaving server endpoints exposed to CWE-20 and injection weaknesses.
  • Parameterised queries used in most places but bypassed for 'dynamic' reporting or search, reintroducing CWE-89.
  • Output encoding applied inconsistently across contexts, so CWE-79 XSS persists in JS/attribute/URL sinks.
  • Authorisation checks present at the UI/route level but missing at the object level, causing CWE-862/863 IDOR.
  • Secrets removed from code but still present in CI logs, container images or history, defeating CWE-798 controls.
  • SSRF (CWE-918) overlooked in features that fetch remote resources (webhooks, previews, image proxies).
  • Memory-safety tooling (ASAN/fuzzing) configured but not run continuously, so CWE-787/125/416 regress.
  • Scans run but not gated, so findings accumulate without enforced remediation.
  • Findings not mapped to CWE-IDs, preventing trend analysis and class-level elimination.
  • Deserialisation of untrusted data (CWE-502) hidden inside third-party libraries and frameworks, unnoticed by manual review.
  • Programme frozen against an old Top 25, missing newly risen weaknesses in the current year's list.
  • Prototype pollution (CWE-1321) and other ecosystem-specific weaknesses ignored because tooling defaults do not detect them.

15. CWE Top 25 mapped to other frameworks

The Top 25 dovetails with prescriptive standards. The table shows how key weaknesses and the programme as a whole align with widely used frameworks, enabling a single body of evidence to satisfy multiple requirements.

Framework / standardHow it relates to the CWE Top 25Example linkage
OWASP Top 10Each OWASP category aggregates multiple CWEs; near-direct overlap for web weaknessesA03 Injection maps to CWE-79/89/78/94; A01 Broken Access Control to CWE-862/863/22/918
OWASP ASVSProvides testable requirements that mitigate specific CWEsV5 Validation/Encoding addresses CWE-20/79/89; V4 Access Control addresses CWE-862/863
NIST SP 800-218 (SSDF)Practices PW.4-PW.8 call for weakness reduction; CWE is the weakness taxonomyPW.5/PW.7/PW.8 evidenced by CWE-mapped SAST/DAST and code review
PCI DSS v4.0Requirement 6 mandates secure coding against common weaknesses6.2.4 lists injection, XSS, access-control and other CWE-class weaknesses
ISO/IEC 27001 / 27002Annex A control 8.28 (secure coding) and 8.29 (security testing)CWE-based standards and testing evidence support 8.25-8.29
ISO/IEC 5055 (CISQ)Measures software quality including security weaknesses drawn from CWESecurity measure enumerates a set of CWEs overlapping the Top 25
MITRE ATT&CKWeaknesses enable techniques; CWE provides the root cause behind exploited accessExploitation-of-public-facing-application (T1190) often via CWE-89/79/502
IEC 62443 (OT/ICS)Secure-development lifecycle requirements expect weakness eliminationSR/CR requirements evidenced by CWE-mapped SDLC controls
CERT Secure Coding StandardsRule violations correspond to CWE weaknessesNumerous CERT C/Java rules map directly to CWE-787/190/476/89

16. How CyberSigma helps

How CyberSigma helps
CyberSigma operationalises the CWE Top 25 end-to-end. Our CERT-In empanelled and QSA-led application-security practice runs a data-driven baseline that maps every finding to its CWE-ID, integrates and tunes SAST, DAST, SCA, secret scanning and fuzzing into your CI/CD with enforced gating, and delivers secure-coding standards, threat modelling and developer training aligned to the current year's Top 25. We drive class-level eliminations (parameterised data access, global output encoding, deny-by-default authorisation, memory-safe adoption), validate resistance through targeted penetration testing, and measure progress with weakness-density, MTTR and escape-rate KPIs. Because our evidence is CWE-mapped, the same programme simultaneously supports OWASP ASVS, NIST SSDF, PCI DSS 6.2.4, ISO/IEC 27001 and IEC 62443. Talk to CyberSigma to move from ad-hoc bug-fixing to a measurable, audit-ready weakness-reduction programme.
Free 1-minute check
Free Security Assessment
Get a complimentary, no-obligation assessment from CERT-In empanelled senior auditors.
Try it free →

Frequently asked questions

What is the difference between CWE Top 25 and OWASP Top 10?
OWASP Top 10 covers broad web application risk categories; the CWE Top 25 is a ranked list of specific software weaknesses across all software types. They overlap but serve different purposes.
What is a CWE?
A Common Weakness Enumeration is a community-standard identifier for a type of software or hardware weakness (e.g., CWE-79 is Cross-site Scripting).

Need help with SANS / CWE?

CERT-In empanelled, PCI QSA senior auditors can take you from reading about it to compliant — with a scoped, guided programme.