US Cybersecurity and Infrastructure Security Agency and Homeland Security Systems Engineering and Development Institute collaborated on a list of the most critically exploited weaknesses.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute, which is operated by MITRE, released the 2024 CWE Top 25 Most Dangerous Software Weaknesses list overnight, and while it may be dry reading, it could very well be important reading for developers.
The list tallies up the most commonly exploited weaknesses used by threat actors to steal data, disrupt services, and compromise systems and networks.
“Organisations are strongly encouraged to review this list and use it to inform their software security strategies,” CISA said in an advisory.
“Prioritising these weaknesses in development and procurement processes helps prevent vulnerabilities at the core of the software life cycle.”
The list was compiled using a new methodology this year, so there has been quite a lot of movement in the rankings. This year’s list was compiled from 31,770 CVE records, narrowed to an in-scope set of 9,000 CVE records created by 275 different CVE numbering authorities. A scoring formula was then applied that combined the frequency with which a weakness was exploited and its average severity.
Because of this, only three weaknesses retained their ranking, and two new weaknesses – uncontrolled resource consumption and exposure of sensitive information to an unauthorised actor – were added.
Anyway, here’s the list, which is essentially a list of what software developers should not do. Each entry shows the weakness, followed by its rank on last year’s list.
1. Improper neutralisation of input during web page generation (‘Cross-site scripting’) – rank last year: 2
2. Out-of-bounds write – rank last year: 1
3. Improper neutralisation of special elements used in an SQL command (‘SQL injection’) – rank last year: 3
4. Cross-site request forgery (CSRF) – rank last year: 9
5. Improper limitation of a pathname to a restricted directory (‘Path traversal’) – rank last year: 8
6. Out-of-bounds read – rank last year: 7
7. Improper neutralisation of special elements used in an OS command (‘OS command injection’) – rank last year: 5
8. Use after free – rank last year: 4
9. Missing authorisation – rank last year: 11
10. Unrestricted upload of file with dangerous type – rank last year: 10
11. Improper control of generation of code (‘Code injection’) – rank last year: 23
12. Improper input validation – rank last year: 6
13. Improper neutralisation of special elements used in a command (‘Command injection’) – rank last year: 16
14. Improper authentication – rank last year: 13
15. Improper privilege management – rank last year: 22
16. Deserialisation of untrusted data – rank last year: 15
17. Exposure of sensitive information to an unauthorised actor – rank last year: 30
18. Incorrect authorisation – rank last year: 24
19. Server-side request forgery (SSRF) – rank last year: 19
20. Improper restriction of operations within the bounds of a memory buffer – rank last year: 17
21. NULL pointer dereference – rank last year: 12
22. Use of hard-coded credentials – rank last year: 18
23. Integer overflow or wraparound – rank last year: 14
24. Uncontrolled resource consumption – rank last year: 37
25. Missing authentication for critical function – rank last year: 20
For more details on the top 25 and its methodology, click here.
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.