CISA publishes list of 25 most dangerous software weaknesses for 2024
The U.S. Cybersecurity and Infrastructure Security Agency and the Homeland Security Systems Engineering and Development Institute collaborated on a list of the most exploited weaknesses.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, published the 2024 CWE Top 25 Most Dangerous Software Weaknesses list overnight. It may be a tedious read, but it is important reading for developers.
The list summarizes the weaknesses most commonly exploited by threat actors to steal data, disrupt services, and compromise systems and networks.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies,” CISA said in an advisory.
“Prioritizing these weaknesses in the development and procurement processes helps prevent vulnerabilities at the core of the software lifecycle.”
The list was compiled using a new methodology this year, so there has been quite a bit of movement in the rankings. This year's list drew on 31,770 CVE records, narrowed to an in-scope set of 9,000 CVE records created by 275 different CVE Numbering Authorities (CNAs). A scoring formula then combined how frequently each weakness was the root cause of a vulnerability with the average severity of those vulnerabilities.
As a result, only three weaknesses kept the same rank as last year, and two entries are new to the Top 25: uncontrolled resource consumption and exposure of sensitive information to an unauthorized actor.
Here is the list, which amounts to a catalogue of what software developers should not do. Last year's rank is shown for each entry.
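The article only says that the score combines exploitation frequency with average severity. The following is an added illustration, not CISA's or MITRE's code, of how such a combined score behaves: it assumes the shape MITRE has published for earlier Top 25 lists (min-max normalized frequency multiplied by min-max normalized average CVSS, scaled to 100); the exact 2024 formula is not stated on this page. The CVE records are constructed for the example and are not real CVEs.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records, NOT real CVEs: (root-cause CWE id, CVSS base score).
SAMPLE_CVES = [
    ("CWE-79", 6.1), ("CWE-79", 5.4), ("CWE-79", 6.1), ("CWE-79", 4.8),
    ("CWE-787", 9.8), ("CWE-787", 8.8), ("CWE-787", 7.8),
    ("CWE-89", 9.8), ("CWE-89", 8.8),
    ("CWE-476", 5.5),
]


def _norm(x, lo, hi):
    """Min-max normalize x into [0, 1]; a degenerate range maps to 0."""
    return 0.0 if hi == lo else (x - lo) / (hi - lo)


def score_weaknesses(records):
    """Rank CWE ids by normalized frequency * normalized average CVSS * 100.

    The normalize-and-multiply shape is an assumption modelled on MITRE's
    previously published methodology, not a formula taken from this article.
    Returns a list of (cwe_id, score) sorted from highest to lowest score.
    """
    by_cwe = defaultdict(list)
    for cwe, cvss in records:
        by_cwe[cwe].append(cvss)

    freq = {c: len(v) for c, v in by_cwe.items()}      # how often it was the root cause
    sev = {c: mean(v) for c, v in by_cwe.items()}      # average CVSS of those CVEs
    fmin, fmax = min(freq.values()), max(freq.values())
    smin, smax = min(sev.values()), max(sev.values())

    scores = {
        c: round(_norm(freq[c], fmin, fmax) * _norm(sev[c], smin, smax) * 100, 2)
        for c in by_cwe
    }
    # Ties broken by CWE id so the ordering is deterministic.
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(score_weaknesses(SAMPLE_CVES), start=1):
        print(f"{rank:2d}. {cwe:8s} {score:6.2f}")
```

Note what the product does with the constructed data: CWE-79 is the most frequent weakness but has the lowest average severity, so it ends up near the bottom, while CWE-787 wins on the combination. The entry that is both least frequent and least severe scores exactly zero, because both normalized factors are zero for it. This is why a methodology change that alters either the frequency counts or the severity inputs can reshuffle the list substantially, as the article describes.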
1. Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79). Ranking last year: 2
2. Out-of-bounds Write (CWE-787). Ranking last year: 1
3. Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (CWE-89). Ranking last year: 3
4. Cross-Site Request Forgery (CSRF) (CWE-352). Ranking last year: 9
5. Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22). Ranking last year: 8
6. Out-of-bounds Read (CWE-125). Ranking last year: 7
7. Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78). Ranking last year: 5
8. Use After Free (CWE-416). Ranking last year: 4
9. Missing Authorization (CWE-862). Ranking last year: 11
10. Unrestricted Upload of File with Dangerous Type (CWE-434). Ranking last year: 10
11. Improper Control of Generation of Code ('Code Injection') (CWE-94). Ranking last year: 23
12. Improper Input Validation (CWE-20). Ranking last year: 6
13. Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77). Ranking last year: 16
14. Improper Authentication (CWE-287). Ranking last year: 13
15. Improper Privilege Management (CWE-269). Ranking last year: 22
16. Deserialization of Untrusted Data (CWE-502). Ranking last year: 15
17. Exposure of Sensitive Information to an Unauthorized Actor (CWE-200). Ranking last year: 30
18. Incorrect Authorization (CWE-863). Ranking last year: 24
19. Server-Side Request Forgery (SSRF) (CWE-918). Ranking last year: 19
20. Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119). Ranking last year: 17
21. NULL Pointer Dereference (CWE-476). Ranking last year: 12
22. Use of Hard-coded Credentials (CWE-798). Ranking last year: 18
23. Integer Overflow or Wraparound (CWE-190). Ranking last year: 14
24. Uncontrolled Resource Consumption (CWE-400). Ranking last year: 37
25. Missing Authentication for Critical Function (CWE-306). Ranking last year: 20
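The three injection-class entries at the top of the list (cross-site scripting, SQL injection and path traversal) share one root cause: untrusted input reaching an interpreter or the filesystem without being neutralized for that context. The following added example, written for this article and not taken from CISA, MITRE or any project, shows a vulnerable form beside a hardened form for each. The function names, the in-memory SQLite table and the `/srv/uploads` base directory are assumptions made for the illustration; the payloads are constructed.

```python
import html
import sqlite3
from pathlib import Path


# --- Cross-site scripting: output encoding for the HTML context ---------------

def render_comment_unsafe(comment: str) -> str:
    """Vulnerable: user text is interpolated into HTML verbatim."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment: str) -> str:
    """Hardened: entity-encode the five HTML-significant characters."""
    return f"<p>{html.escape(comment, quote=True)}</p>"


# --- SQL injection: parameterized queries instead of string building ----------

def demo_db() -> sqlite3.Connection:
    """Constructed in-memory table for the example (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?)", [("alice",), ("bob",)])
    return conn


def find_user_unsafe(conn: sqlite3.Connection, username: str) -> list:
    """Vulnerable: the quote in the input closes the literal and alters the WHERE clause."""
    return conn.execute(f"SELECT name FROM users WHERE name = '{username}'").fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    """Hardened: the driver binds the value; it can never become SQL syntax."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (username,)).fetchall()


# --- Path traversal: containment check on the resolved path -------------------

def resolve_upload_path(base_dir: str, user_path: str) -> Path:
    """Hardened: resolve '..' and symlinks first, then require the result to stay
    inside base_dir. Rejecting the substring '..' is not enough; resolving is."""
    base = Path(base_dir).resolve()
    target = (base / user_path).resolve()
    if target != base and base not in target.parents:
        raise ValueError("path escapes the upload directory")
    return target


if __name__ == "__main__":
    xss = "<script>alert(1)</script>"
    print(render_comment_unsafe(xss))
    print(render_comment_safe(xss))
    conn = demo_db()
    sqli = "' OR '1'='1"
    print(find_user_unsafe(conn, sqli))   # every row comes back
    print(find_user_safe(conn, sqli))     # no such user
    print(resolve_upload_path("/srv/uploads", "img/a.png"))
    try:
        resolve_upload_path("/srv/uploads", "../etc/passwd")
    except ValueError as e:
        print("rejected:", e)
```

The pattern is the same in each pair: the fix is applied at the boundary where the data changes context (HTML encoding at render time, parameter binding at query time, canonicalization and containment at file-open time) rather than by trying to blacklist dangerous characters on the way in, which is why generic "input validation" (entry 12) is weaker than context-specific neutralization.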
For more details on the Top 25 and its methodology, see MITRE's CWE Top 25 page at https://cwe.mitre.org/top25/.