The US government has released a list of the most “common and influential” software weaknesses of the past two years.
The CWE Top 25 list was published by the Homeland Security Systems Engineering and Development Laboratory, sponsored by the Department of Homeland Security and operated by the non-profit MITRE.
Software weaknesses are errors, bugs, flaws, etc. that can lead to vulnerabilities. Unlike the Common Vulnerabilities and Exposures (CVE) system, which provides a number for each discovered vulnerability, the Common Weakness Enumeration (CWE) resembles a glossary of common vulnerability types. In other words, it refers to types of weaknesses in software rather than specific vulnerabilities.
Out-of-bounds writes top the newly published list, followed by cross-site scripting and SQL injection.
“The CWE Top 25 is calculated by analyzing National Vulnerability Database (NVD) public vulnerability data for a root cause mapping to CWE weaknesses over the past two calendar years. Attackers can often exploit these vulnerabilities to gain control of the affected system, steal data, or disrupt the operation of applications,” the Cybersecurity and Infrastructure Security Agency (CISA) explains.
“The 2023 CWE Top 25 also incorporates updated vulnerability data for recent CVE records in the dataset that is part of CISA’s Catalog of Known Exploited Vulnerabilities (KEV).”
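To make the calculation CISA describes concrete, here is an added illustration (not code from CISA, MITRE or the article): it takes constructed NVD-style records with placeholder CVE ids, keeps only those published in a two-calendar-year window, counts CWE root-cause mappings, and flags how many of each CWE's CVEs appear in a constructed KEV set. Ranking by raw frequency is an assumption for illustration, not MITRE's published scoring.

```python
import json
from collections import Counter

# Constructed NVD-style records for illustration (placeholder CVE ids, not real entries).
SAMPLE_NVD = json.dumps([
    {"id": "CVE-2022-0001", "published": "2022-03-01", "cwe": ["CWE-787"]},
    {"id": "CVE-2022-0002", "published": "2022-05-14", "cwe": ["CWE-787"]},
    {"id": "CVE-2023-0003", "published": "2023-01-09", "cwe": ["CWE-787", "CWE-125"]},
    {"id": "CVE-2022-0004", "published": "2022-08-20", "cwe": ["CWE-79"]},
    {"id": "CVE-2023-0005", "published": "2023-02-02", "cwe": ["CWE-79"]},
    {"id": "CVE-2023-0006", "published": "2023-04-11", "cwe": ["CWE-89"]},
    {"id": "CVE-2023-0007", "published": "2023-04-12", "cwe": ["NVD-CWE-noinfo"]},
    {"id": "CVE-2021-0008", "published": "2021-12-30", "cwe": ["CWE-89"]},
])
# Constructed KEV catalogue membership (placeholder ids).
SAMPLE_KEV = {"CVE-2022-0002", "CVE-2023-0006"}

# NVD placeholder mappings that carry no root-cause information; they are
# skipped so they do not rank as a weakness.
NVD_PLACEHOLDERS = {"NVD-CWE-noinfo", "NVD-CWE-Other"}


def rank_cwes(nvd_json, years, kev_ids=frozenset()):
    """Count CWE root-cause mappings for CVEs published in `years`.

    Returns a list of (cwe_id, cve_count, kev_count) sorted by frequency,
    ties broken by KEV count and then id. Raw frequency is a simplification
    used here for illustration; it is not MITRE's published scoring.
    """
    counts, kev_counts = Counter(), Counter()
    for rec in json.loads(nvd_json):
        if int(rec["published"][:4]) not in years:
            continue  # outside the two-calendar-year window
        for cwe in set(rec["cwe"]):  # de-duplicate within one record
            if cwe in NVD_PLACEHOLDERS:
                continue
            counts[cwe] += 1
            if rec["id"] in kev_ids:
                kev_counts[cwe] += 1
    return sorted(
        ((c, n, kev_counts[c]) for c, n in counts.items()),
        key=lambda t: (-t[1], -t[2], t[0]),
    )


if __name__ == "__main__":
    for row in rank_cwes(SAMPLE_NVD, {2022, 2023}, SAMPLE_KEV):
        print(row)
```

On the sample data CWE-787 (Out-of-bounds Write) ranks first, CWE-79 second and CWE-89 third, mirroring the order of the published list; the 2021 record is excluded by the window and the NVD placeholder mapping is not counted.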
CISA asked developers and product security teams to review the top 25 list and decide which of the recommended mitigations to adopt.
CISA added that more articles will be published in the coming weeks, explaining how the Top 25 is calculated, trends in vulnerability mapping, and more.
Other useful topics include unlisted weaknesses that are still worth noting, real-world CWE trends, CISA’s KEV-ranked list of CWEs, and more.
CWE is becoming increasingly important as developers and security teams try to avoid the root causes of vulnerabilities. In 2022, a record number (25,096) of CVEs were published on the NVD. This was a 25% year-over-year increase and marked the sixth consecutive year of record high volumes of newly discovered vulnerabilities.