The US government has published a list of the most “common and impactful” software weaknesses of the past two years.
The CWE Top 25 list was announced by the Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by non-profit MITRE.
Software weaknesses are errors, bugs, flaws and similar defects that can lead to vulnerabilities. Unlike the Common Vulnerabilities and Exposures (CVE) system, which assigns an identifier to each discovered vulnerability, the Common Weakness Enumeration (CWE) is closer to a glossary of generic weakness types. In other words, it catalogues categories of software weakness rather than specific vulnerabilities.
Top of the newly published list is out-of-bounds write, followed by cross-site scripting and SQL injection.
“The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working,” explained the US Cybersecurity and Infrastructure Security Agency (CISA).
“The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV).”
CISA urged developers and product security teams to review the top 25 list and decide which of the recommended mitigations to adopt.
It explained that more articles will be published over the coming weeks to explain the methodology for calculating the top 25, vulnerability mapping trends and more.
Other useful topics will include weaknesses that didn’t make it into the list but are still worth looking out for, trends in real-world CWEs and a list of CWEs ranked by CISA’s KEV.
CWEs are becoming increasingly important as developers and security teams look to avoid the root causes that can become vulnerabilities. In 2022, a record number (25,096) of CVEs were published to the NVD. This was a 25% year-on-year increase and the sixth year in a row that the volume of newly discovered vulnerabilities hit an all-time high.