Progress on CWE-20 (Improper Input Validation) and Upcoming Changes in CWE 4.1


Steven M Christey


As posted previously, in the upcoming release of CWE 4.1, we will be making some changes to CWE-20 (Improper Input Validation).

1. We’ve seen that there are too many mappings to CWE-20 within NVD. Unfortunately, much of this overuse will not be able to be solved by modifying CWE-20 itself. While our Top 25 remapping task is still going on, we are seeing a few patterns. In some cases, a CVE can only be mapped to CWE-20 because the CVE's description and references only mention "improper input validation" or something similar. In other cases, the original advisory explicitly maps to CWE-20, without additional details. We will need to engage with the original vendors and researchers to identify better solutions. Other times, a CVE has a weakness that is not covered within the CWE-1003 view (a subset of CWEs that is used by NVD analysts), and it gets mapped to CWE-20 almost by default. For example, there are many CVE entries related to GUI problems, but the associated CWE is not in view 1003 (CWE-451: User Interface (UI) Misrepresentation of Critical Information). Finally, there are other times when a better mapping could be found, e.g. when something is an output-encoding problem or explicitly related to incorrect filtering. We will share our findings with NIST and update view 1003 when we have a better sense of what should be changed. Modifications to view 1003 are planned for CWE 4.2, planned for simultaneous release with the 2020 Top 25, later this year.

2. New children for CWE-20 will be created around different kinds of validation, with a focus on simple data like strings, or more complex data with certain expectations for syntax. Kinds of validation to cover would include characteristics such as size or length, quantities, well-formedness, expected type, consistency between multiple related data elements, semantic validity, acceptable ranges of values, equivalence (e.g. case-insensitive operations), etc. It is not clear whether these new children will impact NVD data very much, but hopefully they will be better for code analysis vendors and for educational purposes. These new children will be released in CWE 4.1.

3. CWE-20 itself will be modified to better emphasize that input validation is just one kind of "neutralization" (see CWE-707: Improper Neutralization).

4. Modifications to the CWE-1215 category will also be made.

Please note that the "meaning" of CWE-20 will not be changed. CWE cannot change individual entries that way, because it could invalidate existing mappings and make them inaccurate.

As always, we welcome any suggestions, and we hope that the upcoming changes to CWE-20 will spark useful public discussion and additional enhancements in later versions of CWE.

Thank you,

- Steve
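As an added illustration (not part of Steve's post and not CWE project material), the Python validator below exercises each kind of validation listed in item 2 (type, length, well-formedness, range, consistency between related elements, semantic validity, and case-insensitive equivalence) on a constructed "report request", and keeps output encoding separate from validation to make the point in item 3 concrete. The request fields, the allowlisted roles, the username syntax, the page-size limit and the fixed "today" date are all assumptions made for the example.

```python
"""Added example: one check function per kind of input validation.

Constructed input (not from the CWE project): a report request is a dict with
username, role, title, page_size, and ISO-date start/end fields. Every check
raises ValidationError tagged with the kind of validation that failed.
"""
import html
import re
import unicodedata
from datetime import date

ALLOWED_ROLES = frozenset({"viewer", "editor", "admin"})  # assumed policy
USERNAME_RE = re.compile(r"\A[a-z][a-z0-9_]*\Z")         # assumed syntax
MAX_PAGE_SIZE = 500                                      # assumed limit
TODAY = date(2020, 6, 1)  # fixed "today" so the semantic check is deterministic


class ValidationError(ValueError):
    """Carries the field and the kind of validation that failed."""

    def __init__(self, field, kind, msg):
        super().__init__(f"{field}: {kind}: {msg}")
        self.field, self.kind = field, kind


def expect_type(value, typ, field):
    # Expected type. bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(value, bool) or not isinstance(value, typ):
        raise ValidationError(field, "type", f"expected {typ.__name__}")
    return value


def expect_length(s, lo, hi, field):
    # Size/length, counted in code points after NFKC normalization so that
    # equivalent Unicode spellings are measured the same way.
    s = unicodedata.normalize("NFKC", s)
    if not lo <= len(s) <= hi:
        raise ValidationError(field, "length", f"{lo}..{hi} characters")
    return s


def expect_syntax(s, pattern, field):
    # Well-formedness of a simple string against its expected grammar.
    if pattern.match(s) is None:
        raise ValidationError(field, "well-formedness", f"must match {pattern.pattern}")
    return s


def expect_date(s, field):
    # Well-formedness of structured data: parse it rather than regex it.
    try:
        return date.fromisoformat(s)
    except ValueError as e:
        raise ValidationError(field, "well-formedness", str(e)) from None


def expect_range(n, lo, hi, field):
    # Acceptable range of values for a quantity.
    if not lo <= n <= hi:
        raise ValidationError(field, "range", f"{lo}..{hi}")
    return n


def expect_member(s, allowed, field):
    # Equivalence: case-insensitive comparison via casefold() (stronger than
    # lower(), e.g. for the German sharp s); returns the canonical spelling.
    canon = unicodedata.normalize("NFKC", s).casefold()
    if canon not in allowed:
        raise ValidationError(field, "equivalence", f"not one of {sorted(allowed)}")
    return canon


def validate_report_request(req):
    """Return a normalized copy of req, or raise ValidationError."""
    out = {}
    u = expect_length(expect_type(req.get("username"), str, "username"), 3, 32, "username")
    out["username"] = expect_syntax(u, USERNAME_RE, "username")
    out["role"] = expect_member(expect_type(req.get("role"), str, "role"), ALLOWED_ROLES, "role")
    # Free text: only its length is constrained, so it is NOT safe for any sink.
    out["title"] = expect_length(expect_type(req.get("title"), str, "title"), 1, 80, "title")
    n = expect_type(req.get("page_size"), int, "page_size")
    out["page_size"] = expect_range(n, 1, MAX_PAGE_SIZE, "page_size")
    start = expect_date(expect_type(req.get("start"), str, "start"), "start")
    end = expect_date(expect_type(req.get("end"), str, "end"), "end")
    if end < start:  # consistency between related elements
        raise ValidationError("end", "consistency", "end precedes start")
    if end > TODAY:  # semantic validity: well-formed and ordered, yet meaningless
        raise ValidationError("end", "semantic", "range ends in the future")
    out["start"], out["end"] = start, end
    return out


def failure_kind(req):
    """Kind of the first failed check, or None if the request is valid."""
    try:
        validate_report_request(req)
    except ValidationError as e:
        return e.kind
    return None


def render_title(valid):
    # Validation is only one kind of neutralization (CWE-707). The length check
    # above says nothing about HTML, so the title is still encoded at the sink.
    return "<h1>" + html.escape(valid["title"]) + "</h1>"
```

Each failure reports a single validation kind, which is roughly the granularity the new CWE-20 children are meant to give a code analysis tool; note that a request can pass every syntactic check and still fail the consistency or semantic check, which is why those are separate kinds rather than more regexes.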