The MITRE Corporation has published a list of the most dangerous software errors and vulnerabilities. It has been 8 years since the last list was published in 2011.
The list contains the Top 25 Common Weakness Enumeration (CWE) software errors based on the risk they pose to organizations and what could possibly happen if the flaws are exploited. The top errors are easy to find, easy to exploit, and can potentially cause catastrophic data breaches and system failures.
In most cases, exploitation of the flaws could allow an attacker to take full control of a vulnerable device, access and steal sensitive data, or cause widespread, permanent damage to software or hardware.
Unlike the 2011 list, which was compiled from surveys and interviews with analysts and developers, the 2019 list is based on real-world CVE vulnerabilities from 2017 and 2018 recorded in the National Vulnerability Database (NVD): a data set of more than 600 weakness categories covering around 25,000 CVEs.
MITRE plans to release a new list every year, with each report covering the errors and vulnerabilities of that specific year so that the list remains current and relevant. This is possible because of the switch from the subjective approach used for the previous list to the new, data-driven methodology; under the previous methodology there was no need to change the list each year.
MITRE researchers created a formula to determine the severity of each CWE and assigned each a score based on the frequency of a CWE being the root cause of a vulnerability and the projected severity of exploitation. The different methodology has seen major changes to the list and the inclusion of class-level vulnerabilities, which are the parent of many other vulnerabilities that were included in previous lists.
“For example, CWE-119 is the parent of CWE-120. While the latter was #3 in the 2011 list, it is not found on the 2019 list despite the former being the new #1,” explained the researchers. “Similarly, CWE-287 is #13 in 2019 but does not appear in 2011. Looking closer however shows that CWE-287 is the parent of CWE-306 (#5 on the 2011 list), CWE-862 (#6 on the 2011 list), and CWE-863 (#15 on the 2011 list), none of which are found on the 2019 list.”
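To make the scoring approach described above concrete, here is a small added example (not code from the article or from MITRE) that computes a frequency-times-severity score per CWE from a constructed set of NVD-style CVE records. The article only says that the two inputs are how often a CWE is the root cause of a CVE and the projected severity of exploitation; the min-max normalisation and the multiplication by 100 used here follow MITRE's published 2019 methodology as the editor understands it and should be treated as an assumption. All CVE ids and CVSS scores below are made up.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of NVD-style records: (CVE id placeholder, CWE the CVE is
# mapped to, CVSS base score). Illustrative values only, not real NVD data.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0002", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0003", "CWE-119", 8.8),
    ("CVE-EXAMPLE-0004", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0005", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0006", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0007", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0008", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0009", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0010", "CWE-20", 7.5),
    ("CVE-EXAMPLE-0011", "CWE-20", 9.8),
    ("CVE-EXAMPLE-0012", "CWE-287", 9.8),
    ("CVE-EXAMPLE-0013", "CWE-287", 9.8),
    ("CVE-EXAMPLE-0014", "CWE-200", 4.3),
]


def score_cwes(cves):
    """Return {cwe: score} with score = Fr * Sv * 100, rounded to two decimals.

    Fr is the CWE's CVE count, min-max normalised across all CWEs in the data
    set; Sv is the CWE's average CVSS base score, normalised the same way.
    Assumption: this mirrors the 2019 formula; the article names only the two
    factors (frequency and projected severity), not the exact arithmetic.
    """
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for _cve_id, cwe, base_score in cves:
        counts[cwe] += 1
        cvss[cwe].append(base_score)
    if not counts:
        return {}

    avg_cvss = {cwe: mean(scores) for cwe, scores in cvss.items()}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_cvss.values()), max(avg_cvss.values())

    def norm(value, lo, hi):
        # Degenerate case: every CWE has the same count (or severity), so the
        # factor carries no information and is treated as 1.0 instead of 0/0.
        return 1.0 if hi == lo else (value - lo) / (hi - lo)

    return {
        cwe: round(norm(counts[cwe], min_c, max_c)
                   * norm(avg_cvss[cwe], min_s, max_s) * 100, 2)
        for cwe in counts
    }


def rank(scores):
    """Order CWEs by descending score; ties broken by CWE id for stability."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank(score_cwes(SAMPLE_CVES)), 1):
        print(f"#{position:<2} {cwe:<8} {score:6.2f}")
```

Two properties of this scheme are worth noticing because they shape the real list as well: the least frequent CWE in the data set always lands at zero regardless of severity (CWE-200 here), and a rarely mapped but consistently critical weakness (CWE-287 in the sample) can outrank one that appears more often with mixed severity (CWE-20). The score therefore measures where NVD's CWE mappings land, which is exactly why class-level entries such as CWE-119 and CWE-287 rise when NVD maps CVEs to the parent rather than to a more specific child.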
The list is intended as a tool that different stakeholders can use to learn about the most preventable weaknesses and to guide their remediation efforts.
Topping this year’s list is CWE-119, Improper Restriction of Operations within the Bounds of a Memory Buffer, with a score of 75.56, which makes it the most dangerous vulnerability by some distance.
In second place, with a score of 45.69, is CWE-79, Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting), closely followed by CWE-20, Improper Input Validation, with a score of 43.61.
The full list can be found on this link.