The team behind the Common Weakness Enumeration (CWE) has published its 2019 list of the 25 most dangerous software errors: the most widespread and critical weaknesses found in software.
These weaknesses are often easy to find and exploit, the researchers say, and the vulnerabilities they produce frequently let an attacker take over execution of the software, steal data, or stop the software from working.
“The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry,” the creators of the list noted.
How the list of the 25 most dangerous software weaknesses was created
The researchers used a data-driven approach based on CVE (Common Vulnerabilities and Exposures) records as published in the National Vulnerability Database run by NIST (National Institute of Standards and Technology), together with the CWE mapping and CVSS severity score that the NVD attaches to each record. Each weakness was then scored on how often it appears in those records and how severe the associated vulnerabilities are:
The 2019 CWE Top 25 was developed by obtaining published CVE vulnerability data found within the NVD [National Vulnerability Database]. The NVD obtains vulnerability data from CVE and then supplements this data with additional analysis and data to provide more information about vulnerabilities. In addition to providing the underlying weakness for each vulnerability, the NVD provides a CVSS score, which is a numerical score representing the potential severity of a vulnerability based upon a standardized set of characteristics about the vulnerability. NVD provides this information in a digestible format that helps drive the data driven approach in creating the CWE Top 25.
Scoring each weakness from the frequency and severity of vulnerabilities actually reported against it makes the ranking objective and grounds it in publicly reported vulnerability data rather than in opinion.
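As an added illustration (not part of the original article, and not the CWE project's own code), the following Python applies the frequency-times-severity scoring published with the 2019 CWE Top 25 methodology to a small constructed set of NVD-style records. For each CWE the formula takes its CVE count and its average CVSS score, min-max normalizes both to the 0 to 1 range across all CWEs in the data set, multiplies them and scales by 100. Two things here are assumptions rather than facts from the page: the severity range is taken over the per-CWE averages (not the raw 0 to 10 CVSS scale), and the CVE identifiers and CVSS scores in SAMPLE_NVD are made up.

```python
from collections import defaultdict
from statistics import mean

# Constructed NVD-style records for illustration only (not real CVE data):
# (CVE identifier, CWE the NVD mapped the vulnerability to, CVSS base score).
SAMPLE_NVD = [
    ("CVE-0000-0001", "CWE-119", 9.8),
    ("CVE-0000-0002", "CWE-119", 9.8),
    ("CVE-0000-0003", "CWE-119", 7.8),
    ("CVE-0000-0004", "CWE-119", 7.8),
    ("CVE-0000-0005", "CWE-79", 6.1),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-79", 6.1),
    ("CVE-0000-0009", "CWE-79", 5.4),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 8.8),
    ("CVE-0000-0012", "CWE-200", 7.5),
    ("CVE-0000-0013", "CWE-200", 5.3),
    ("CVE-0000-0014", "CWE-200", 4.3),
    ("CVE-0000-0015", "CWE-416", 9.8),
    ("CVE-0000-0016", "CWE-416", 8.8),
    ("CVE-0000-0017", "CWE-416", 7.8),
]


def _normalize(value, lo, hi):
    """Min-max scale value into [0, 1].

    If every CWE in the data set shares the same count (or the same average
    CVSS) the formula's denominator is zero and the factor is undefined;
    this implementation treats that degenerate case as 0.
    """
    if hi == lo:
        return 0.0
    return (value - lo) / (hi - lo)


def score_cwes(records):
    """Score each CWE with the 2019 CWE Top 25 formula.

        Fr(X)    = (count(X) - min(counts)) / (max(counts) - min(counts))
        Sv(X)    = (avg_cvss(X) - min(avgs)) / (max(avgs) - min(avgs))
        Score(X) = Fr(X) * Sv(X) * 100

    Returns {cwe_id: score}.
    """
    cvss_by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        cvss_by_cwe[cwe].append(cvss)

    counts = {cwe: len(scores) for cwe, scores in cvss_by_cwe.items()}
    avgs = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}

    lo_f, hi_f = min(counts.values()), max(counts.values())
    # Assumption: severity is normalized over the per-CWE averages,
    # not over the raw 0-10 CVSS scale.
    lo_s, hi_s = min(avgs.values()), max(avgs.values())

    return {
        cwe: _normalize(counts[cwe], lo_f, hi_f)
        * _normalize(avgs[cwe], lo_s, hi_s)
        * 100
        for cwe in cvss_by_cwe
    }


def rank_cwes(records, top_n=25):
    """Return [(cwe_id, score)] from most to least dangerous, scores rounded to 2 dp.

    Ties are broken by CWE id so the output is deterministic.
    """
    scores = score_cwes(records)
    ranked = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return [(cwe, round(score, 2)) for cwe, score in ranked[:top_n]]


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(rank_cwes(SAMPLE_NVD), start=1):
        print(f"[{rank}] {cwe}: {score}")
```

On this constructed sample the ranking comes out CWE-119, CWE-416, CWE-79, with CWE-89 and CWE-200 both at 0. CWE-89 has the highest average severity in the sample but is the least frequent CWE, so its frequency factor is 0; CWE-79 is the most frequent but its severity factor is small. That is a property of the min-max formula worth keeping in mind when reading the real list: whichever weakness is least frequent, and whichever is least severe on average, scores 0 by construction, and a weakness needs both a high count and high severity to rank near the top.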
Without further ado, here is the list of the top 25 most dangerous weaknesses in software:
[1] CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
[2] CWE-79
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
[3] CWE-20
Improper Input Validation
[4] CWE-200
Information Exposure
[5] CWE-125
Out-of-bounds Read
[6] CWE-89
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) (score: 24.54)
[7] CWE-416
Use After Free
[8] CWE-190
Integer Overflow or Wraparound
[9] CWE-352
Cross-Site Request Forgery (CSRF)
[10] CWE-22
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
[11] CWE-78
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
[12] CWE-787
Out-of-bounds Write
[13] CWE-287
Improper Authentication
[14] CWE-476
NULL Pointer Dereference
[15] CWE-732
Incorrect Permission Assignment for Critical Resource
[16] CWE-434
Unrestricted Upload of File with Dangerous Type
[17] CWE-611
Improper Restriction of XML External Entity Reference
[18] CWE-94
Improper Control of Generation of Code (‘Code Injection’)
[19] CWE-798
Use of Hard-coded Credentials
[20] CWE-400
Uncontrolled Resource Consumption
[21] CWE-772
Missing Release of Resource after Effective Lifetime
[22] CWE-426
Untrusted Search Path
[23] CWE-502
Deserialization of Untrusted Data
[24] CWE-269
Improper Privilege Management
[25] CWE-295
Improper Certificate Validation