The U.S. Department of Homeland Security’s Homeland Security Systems Engineering and Development Institute (HSSEDI) has released an up-to-date list of the 25 most dangerous software vulnerabilities. It’s been 8 years since the list was updated.
The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Vulnerabilities list was first created in 2011. It serves as a tool for improving cybersecurity resilience and is useful to software developers, security researchers, testers, customers, and educators because it highlights the most common and most dangerous security weaknesses found in software.
The analysts who originally compiled the list used subjective methods, such as interviewing security researchers and surveying industry experts, to assess weaknesses. HSSEDI, operated by MITRE, instead used a data-driven approach based on real-world vulnerabilities reported by security researchers. This method yields a more consistent and repeatable analysis that reflects the problems actually seen in the field.
Roughly 25,000 software vulnerabilities recorded in the National Vulnerability Database over the last two years were evaluated and ranked. The new methodology weighs how often a weakness occurs, its severity, the likely damage, and the probability that it will be exploited. Although many weaknesses were considered, those with low impact or that are rarely exploited were left off the list.
Before the update, Improper Neutralization of Special Elements used in an SQL Command (SQL injection) topped the list. In the revised list it ranks sixth. The drop in position does not mean the severity of SQL injection changed: it still has the highest severity score, 9.129, but its total score is only 24.54/100 because of the other factors, such as how often it occurs and how regularly it is exploited.
In first place now is Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), with an overall score of 75.56/100 and a severity score of 8.045/10. This weakness occurs where software performs operations on a memory buffer but can read from or write to memory outside that buffer's bounds. Such operations may touch memory locations belonging to other variables, data structures, or internal program state, which can result in remote execution of arbitrary code, modification of data flow, or system crashes.
In second place is Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting, CWE-79). Its severity score of 5.778/10 is relatively low, but its overall score is 45.69/100 because of the high likelihood of exploitation, how frequently it appears in reports, and the fact that exploitation lets attackers execute unauthorized code.
In third place is Improper Input Validation (CWE-20), with an overall score of 43.61/100. It scores highly because of its high likelihood of exploitation and the potential harm. Its severity score is 7.242/10, and exploitation can lead to execution of unauthorized code, denial of service, and reading or modification of memory.
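The CWE-119 and CWE-20 descriptions above are abstract; the following added example (not code from the article, MITRE, or HSSEDI) shows the pattern concretely in C with a hypothetical fixed-size record buffer: an unchecked copy that can write past the buffer, beside a write and a read that validate the input length and index against the buffer's real capacity.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed-size record buffer, constructed for this example. */
#define REC_SIZE 16

/* Weak pattern (CWE-119): the destination capacity is never consulted, so a
 * source of REC_SIZE or more bytes writes past the end of the record into
 * whatever memory follows it (other variables, program state). */
void store_unchecked(char rec[REC_SIZE], const char *src) {
    strcpy(rec, src);
}

/* Hardened write: validate the input length against the actual capacity
 * (CWE-20 validation preventing the CWE-119 write) and reject oversized
 * input rather than truncating silently. Returns 0 on success, -1 on reject. */
int store_bounded(char *rec, size_t rec_size, const char *src) {
    size_t n = strlen(src);
    if (rec_size == 0 || n >= rec_size) {   /* need room for the NUL as well */
        return -1;
    }
    memcpy(rec, src, n + 1);
    return 0;
}

/* Hardened read: an index taken from untrusted input is checked before use,
 * so an out-of-range index cannot read memory outside the record.
 * Returns the byte value (0..255) or -1 if idx is out of bounds. */
int read_bounded(const unsigned char *rec, size_t rec_size, size_t idx) {
    if (idx >= rec_size) {
        return -1;
    }
    return rec[idx];
}

/* Wrapper that keeps the record on its own stack frame, so callers can test
 * the validation without managing a buffer themselves. */
int try_store(const char *src) {
    char rec[REC_SIZE];
    return store_bounded(rec, sizeof rec, src);
}

int main(void) {
    printf("5-char input:  %d\n", try_store("hello"));            /* 0  */
    printf("15-char input: %d\n", try_store("0123456789abcde"));  /* 0  */
    printf("16-char input: %d\n", try_store("0123456789abcdef")); /* -1 */
    printf("index 3 of 3:  %d\n", read_bounded((const unsigned char *)"abc", 3, 3)); /* -1 */
    return 0;
}
```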
See the updated list on MITRE’s website.