According to a recent report from MITRE, cross-site scripting has been identified as the most critical software weakness of the past year.
The nonprofit's latest Top 25 Most Dangerous Software Weaknesses list was published on November 20. It ranks the most critical weaknesses in the Common Weakness Enumeration (CWE) catalog, based on vulnerabilities reported between June 2023 and June 2024.
CWEs, the root causes of vulnerabilities
CWE is a list of common software weaknesses or flaws in the code, design, or architecture that can lead to vulnerabilities. These in turn are listed in the Common Vulnerabilities and Exposures (CVE) database.
CWEs are the root causes of these vulnerabilities and “serve as a powerful guide to investments, policies and practices to prevent these vulnerabilities from occurring in the first place,” MITRE said in a blog post accompanying the rankings.
“These are often easy to find and exploit and can lead to exploitable vulnerabilities that allow attackers to completely take over a system, steal data or prevent applications from functioning.”
To determine the criticality level of software weaknesses, MITRE analyzed 31,770 CVEs reported in 2023 and 2024 for vulnerabilities that “would benefit from remapping analysis.”
MITRE then assigned each weakness a score based on the severity and frequency of in-the-wild exploitation, with a focus on security flaws added to the US Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog.
The most dangerous CWEs of 2024
This year, cross-site scripting, also known as ‘Improper Neutralization of Input During Web Page Generation’ (CWE-79), took first place, with a score of 56.92 and three associated known exploited vulnerabilities.
It replaced last year’s most dangerous CWE, ‘Out-of-bounds Write’ (CWE-787), which dropped to second place with 18 associated known exploited vulnerabilities but a lower score of 45.20.
SQL Injection, also known as ‘Improper Neutralization of Special Elements used in an SQL Command’ (CWE-89), remains in third place, with a score of 35.88 and four associated known exploited vulnerabilities.
Strategic guide to making software investment decisions
MITRE said the rankings are not only a valuable resource for developers and security professionals, but also serve as a strategic guide for organizations looking to make informed decisions around software investments, security and risk management.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies. Prioritizing these weaknesses in development and procurement processes will prevent vulnerabilities at the core of the software lifecycle,” the organization said.
The nonprofit works closely with CISA to implement the CVE and CWE programs.
CISA also regularly issues “Secure by Design” alerts to highlight the continued presence of well-documented and widely recognized vulnerabilities in software, despite the availability of effective solutions.