CISA publishes list of 25 most dangerous software weaknesses for 2024

The U.S. Cybersecurity and Infrastructure Security Agency and the Homeland Security Systems Engineering and Development Institute collaborated on a list of the most exploited weaknesses.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, published the 2024 CWE Top 25 Most Dangerous Software Weaknesses list overnight, and while it may be a tedious read, it could be very important reading for developers.

The list summarizes the weaknesses most commonly exploited by threat actors to steal data, disrupt services, and compromise systems and networks.

“Organizations are strongly encouraged to review this list and use it to inform their software security strategies,” CISA said in an advisory.

“Prioritizing these weaknesses in the development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”

The list was compiled using a new methodology this year, so there has been quite a bit of movement in the rankings. This year's list was built from 31,770 CVE records, with an in-scope set of 9,000 CVE records created by 275 different CVE Numbering Authorities. A scoring formula was then applied that combines how frequently a weakness is exploited with its average severity.

Because of this, only three weaknesses kept their previous ranking, and two weaknesses entered the list: uncontrolled resource consumption and exposure of sensitive information to an unauthorized actor.
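As an added illustration (not from the article, CISA or MITRE's own tooling), the scoring step described above can be reproduced on a handful of constructed CVE records. It assumes the normalized frequency-times-severity formula MITRE published for earlier CWE Top 25 editions; the 2024 data sources and any adjustments to that formula are not reproduced here.

```python
from collections import defaultdict

# Constructed sample records: (placeholder CVE id, CWE id, CVSS base score).
# Illustrative values only, not records from the 2024 dataset.
SAMPLE_RECORDS = [
    ("CVE-EXAMPLE-0001", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0002", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0003", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0004", "CWE-787", 9.8),
    ("CVE-EXAMPLE-0005", "CWE-787", 7.8),
    ("CVE-EXAMPLE-0006", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0007", "CWE-89", 8.8),
    ("CVE-EXAMPLE-0008", "CWE-400", 7.5),
]


def score_cwes(records):
    """Return {cwe: score}.

    Assumed formula (earlier CWE Top 25 methodology):
      Fr = (count(cwe) - min_count) / (max_count - min_count)
      Sv = (avg_cvss(cwe) - min_avg) / (max_avg - min_avg)
      score = Fr * Sv * 100
    """
    counts = defaultdict(int)
    cvss_sum = defaultdict(float)
    for _cve, cwe, cvss in records:
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg_sev = {c: cvss_sum[c] / counts[c] for c in counts}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_sev.values()), max(avg_sev.values())
    scores = {}
    for cwe in counts:
        # Degenerate dataset (all CWEs equal on an axis): treat that axis as 1.0.
        fr = (counts[cwe] - min_f) / (max_f - min_f) if max_f != min_f else 1.0
        sv = (avg_sev[cwe] - min_s) / (max_s - min_s) if max_s != min_s else 1.0
        scores[cwe] = round(fr * sv * 100, 2)
    return scores


def rank_cwes(records):
    """Sort CWEs by score, highest first; ties broken by CWE id for determinism."""
    return sorted(score_cwes(records).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_RECORDS), start=1):
        print(f"{position}. {cwe}: {score}")
```

Note that under this formula the most frequent weakness scores 0 when it also has the lowest average severity (CWE-79 in the sample), and the rarest scores 0 regardless of severity, which is why frequency and severity both matter for a high ranking.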

Anyway, here’s the list, which is basically a list of what software developers should not do.

  1. Improper neutralization of input during web page generation (“Cross-site scripting”)
    Ranking last year: 2

  2. Out-of-bounds write
    Ranking last year: 1

  3. Improper neutralization of special elements used in an SQL command (“SQL injection”)
    Ranking last year: 3

  4. Cross-site request forgery (CSRF)
    Ranking last year: 9

  5. Improper limitation of a pathname to a restricted directory (“Path traversal”)
    Ranking last year: 8

  6. Out-of-bounds read
    Ranking last year: 7

  7. Improper neutralization of special elements used in an OS command (“OS command injection”)
    Ranking last year: 5

  8. Use after free
    Ranking last year: 4

  9. Missing authorization
    Ranking last year: 11

  10. Unrestricted upload of file with dangerous type
    Ranking last year: 10

  11. Improper control of generation of code (“Code injection”)
    Ranking last year: 23

  12. Improper input validation
    Ranking last year: 6

  13. Improper neutralization of special elements used in a command (“Command injection”)
    Ranking last year: 16

  14. Improper authentication
    Ranking last year: 13

  15. Improper privilege management
    Ranking last year: 22

  16. Deserialization of untrusted data
    Ranking last year: 15

  17. Exposure of sensitive information to an unauthorized actor
    Ranking last year: 30

  18. Improper authorization
    Ranking last year: 24

  19. Server-side request forgery (SSRF)
    Ranking last year: 19

  20. Improper restriction of operations within the bounds of a memory buffer
    Ranking last year: 17

  21. NULL pointer dereference
    Ranking last year: 12

  22. Use of hard-coded credentials
    Ranking last year: 18

  23. Integer overflow or wraparound
    Ranking last year: 14

  24. Uncontrolled resource consumption
    Ranking last year: 37

  25. Missing authentication for critical function
    Ranking last year: 20

For more details on the Top 25 and its methodology, see MITRE's CWE Top 25 page.
