MITRE, CISA, DHS Announce 25 Most Dangerous Software Errors
The Common Weakness Enumeration (CWE™) released its Top 25 Most Dangerous Software Errors (CWE Top 25), a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.
"These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working. The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry," says CWE.
The CWE Top 25, including their score, are:
- Improper Restriction of Operations within the Bounds of a Memory Buffer - 75.56
- Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') - 45.69
- Improper Input Validation - 43.61
- Information Exposure - 32.12
- Out-of-bounds Read - 26.53
- Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') - 24.54
- Use After Free - 17.94
- Integer Overflow or Wraparound - 17.35
- Cross-Site Request Forgery (CSRF) - 15.54
- Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') - 14.10
- Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') - 11.47
- Out-of-bounds Write - 11.08
- Improper Authentication - 10.78
- NULL Pointer Dereference - 9.74
- Incorrect Permission Assignment for Critical Resource - 6.33
- Unrestricted Upload of File with Dangerous Type - 5.50
- Improper Restriction of XML External Entity Reference - 5.48
- Improper Control of Generation of Code ('Code Injection') - 5.36
- Use of Hard-coded Credentials - 5.12
- Uncontrolled Resource Consumption - 5.04
- Missing Release of Resource after Effective Lifetime - 5.04
- Untrusted Search Path - 4.40
- Deserialization of Untrusted Data - 4.30
- Improper Privilege Management - 4.23
- Improper Certificate Validation - 4.06
To create the list, the CWE Team used a data-driven approach that leverages published Common Vulnerabilities and Exposures (CVE®) data and related CWE mappings found within the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD), as well as the Common Vulnerability Scoring System (CVSS) scores associated with each of the CVEs. A scoring formula was then applied to determine the level of prevalence and danger each weakness presents. This data-driven approach can be used as a repeatable, scripted process to generate a CWE Top 25 list on a regular basis with minimal effort.
The CWE team, which is sponsored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Division, leveraged approximately 25,000 Common Vulnerabilities and Exposures entries from the past two years. Common Vulnerabilities and Exposures data are submitted by volunteers around the world who have demonstrated mature vulnerability management practices and a commitment to cybersecurity, says a DHS press release.
Common Vulnerabilities and Exposures data are published in the National Vulnerability Database, which is a product of the National Institute of Standards and Technology’s Information Technology Laboratory and is also sponsored the CISA Cybersecurity Division.