The team behind the Common Weakness Enumeration (CWE), a MITRE-maintained catalogue of software weakness types, has published its list of the 25 most dangerous software errors: the weakness types that are both the most widespread and the most critical in software.
In many cases these weaknesses are easy to find and exploit, the list's authors say, and they can allow an attacker to take control of the affected software, steal data, or stop it from working.
“The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry,” the creators of the list noted.
How was the list of 25 most dangerous software weaknesses created?
The researchers used a data-driven approach based on published Common Vulnerabilities and Exposures (CVE) records and the CWE mappings that NIST's National Vulnerability Database (NVD) attaches to each of them. To rank weaknesses by how prevalent and how dangerous they are, a scoring formula was applied to that data set. The authors describe the data source as follows:
The 2019 CWE Top 25 was developed by obtaining published CVE vulnerability data found within the NVD [National Vulnerability Database]. The NVD obtains vulnerability data from CVE and then supplements this data with additional analysis and data to provide more information about vulnerabilities. In addition to providing the underlying weakness for each vulnerability, the NVD provides a CVSS score, which is a numerical score representing the potential severity of a vulnerability based upon a standardized set of characteristics about the vulnerability. NVD provides this information in a digestible format that helps drive the data driven approach in creating the CWE Top 25.
Because the score is derived from the frequency and severity of publicly reported vulnerabilities rather than from expert opinion, the ranking reflects what is actually being found and exploited in the wild. The trade-off is that it only counts weaknesses that appear in CVE records with a usable CWE mapping: a weakness that is rarely reported, or that NVD analysts tend to map to a generic placeholder, will score lower regardless of its real-world importance.
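To make the approach concrete, here is an added example (not code from the article, and not MITRE's own tooling) that re-implements the scoring formula published with the 2019 list, which this page refers to but does not reproduce: for each weakness, the number of CVEs mapped to it and the average CVSS score of those CVEs are each min-max normalised across all weaknesses in the data set, multiplied together, and scaled to 100. The CVE records below are constructed for illustration and are not real NVD data; the filter on `NVD-CWE-noinfo` and `NVD-CWE-Other` mirrors the placeholder values NVD uses for entries it could not map to a specific CWE.

```python
"""
Re-implementation of the 2019 CWE Top 25 scoring formula (added example).

For each weakness X present in the data set:
    Fr(X)    = (count(X)    - min(count))    / (max(count)    - min(count))
    Sv(X)    = (avg_cvss(X) - min(avg_cvss)) / (max(avg_cvss) - min(avg_cvss))
    Score(X) = Fr(X) * Sv(X) * 100
where min and max are taken over all weaknesses in the data set.
"""
from collections import defaultdict
from statistics import mean

# Placeholder CWE values NVD assigns when no specific weakness could be mapped.
# Records carrying these are dropped, as they say nothing about a real CWE.
UNMAPPED = {"NVD-CWE-noinfo", "NVD-CWE-Other"}

# Constructed NVD-style records: (CVE id, CWE id, CVSS base score).
# The CVE ids are placeholders, not real vulnerabilities.
SAMPLE_RECORDS = [
    ("CVE-0000-0001", "CWE-119", 9.0),
    ("CVE-0000-0002", "CWE-119", 9.0),
    ("CVE-0000-0003", "CWE-119", 9.0),
    ("CVE-0000-0004", "CWE-119", 9.0),
    ("CVE-0000-0005", "CWE-79", 6.0),
    ("CVE-0000-0006", "CWE-79", 6.0),
    ("CVE-0000-0007", "CWE-79", 6.0),
    ("CVE-0000-0008", "CWE-89", 8.0),
    ("CVE-0000-0009", "CWE-89", 8.0),
    ("CVE-0000-0010", "CWE-476", 5.0),
    ("CVE-0000-0011", "CWE-295", 9.0),
    ("CVE-0000-0012", "NVD-CWE-noinfo", 10.0),  # excluded by the filter
]


def _normalise(value, lo, hi):
    """Min-max scale value into [0, 1]; a degenerate range maps to 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(records):
    """Return {cwe_id: score} following the 2019 Top 25 formula."""
    cvss_by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        if cwe in UNMAPPED:
            continue
        cvss_by_cwe[cwe].append(cvss)

    counts = {cwe: len(scores) for cwe, scores in cvss_by_cwe.items()}
    averages = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}

    min_count, max_count = min(counts.values()), max(counts.values())
    min_avg, max_avg = min(averages.values()), max(averages.values())

    return {
        cwe: _normalise(counts[cwe], min_count, max_count)
        * _normalise(averages[cwe], min_avg, max_avg)
        * 100
        for cwe in cvss_by_cwe
    }


def rank_cwes(records):
    """Return [(cwe_id, score), ...] sorted by descending score, then id."""
    scores = score_cwes(records)
    return sorted(scores.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_RECORDS), start=1):
        print(f"{position:2d}. {cwe:<8} {score:6.2f}")
```

Running it on the constructed data ranks CWE-119 first with a score of 100, then CWE-89 (25.00) ahead of CWE-79 (16.67) even though CWE-79 has more CVEs, because the higher average CVSS of the SQL injection records outweighs the difference in frequency. It also shows the formula's blind spot: CWE-295 has a single record at the maximum severity, yet scores 0, because the weakness with the lowest frequency in the data set always normalises to zero.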
Without further ado, here is the list of the top 25 most dangerous weaknesses in software:
Improper Restriction of Operations within the Bounds of a Memory Buffer
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
Improper Input Validation
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
Use After Free
Integer Overflow or Wraparound
Cross-Site Request Forgery (CSRF)
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
NULL Pointer Dereference
Incorrect Permission Assignment for Critical Resource
Unrestricted Upload of File with Dangerous Type
Improper Restriction of XML External Entity Reference
Improper Control of Generation of Code (‘Code Injection’)
Use of Hard-coded Credentials
Uncontrolled Resource Consumption
Missing Release of Resource after Effective Lifetime
Untrusted Search Path
Deserialization of Untrusted Data
Improper Privilege Management
Improper Certificate Validation