From smartphone games and personal email accounts to international banking and hospital records, software is everywhere. It entertains, boosts efficiency, and even saves lives. Unfortunately, for every new program developed, there is likely a hacker ready to disrupt and exploit it. That’s why it is vital for software designers, developers, and cybersecurity experts to keep apprised of potential weaknesses that could cause substantial damage to their computer systems.
The Common Weakness Enumeration (CWE) list of the 25 most dangerous software errors is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in software. The Homeland Security Systems Engineering and Development Institute (HSSEDI), which is managed by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and is operated by MITRE, recently updated the top 25 CWE list for the first time in eight years.
“This list is an important tool for improving cybersecurity resiliency,” said Scott Randels, Director of S&T’s Federally-Funded Research and Development Centers, which manages HSSEDI. “I’m excited about our ongoing collaboration with HSSEDI and the vast mitigation potential of this product.”
HSSEDI provides specialized independent and objective expertise for addressing national homeland security needs in a number of vital areas, including information technology, communications, and cybersecurity.
In addition to being a useful guidance document, the 2019 CWE list is an important proof-of-concept. Back in 2011, analysts used a subjective approach, conducting personal interviews and surveys of industry experts to compile the list. And while that was an effective way to produce the top 25 list then, cybersecurity demands constant improvement. This time, analysts used a data-driven approach based on real-world vulnerabilities reported by security researchers.
“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” said CWE project leader Chris Levendis. “We will continue to mature the methodology as we move forward.”
The CWE team, which is sponsored b the Department of Homeland Security Cybersecurity and Infrastructure Security Agency's (CISA) Cybersecurity Division, leveraged approximately 25,000 Common Vulnerabilities and Exposures entries from the past two years. Common Vulnerabilities and Exposures data are submitted by volunteers around the world who have demonstrated mature vulnerability management practices and a commitment to cybersecurity.
Common Vulnerabilities and Exposures data are published in the National Vulnerability Database, which is a product of the National Institute of Standards and Technology’s Information Technology Laboratory and is also sponsored the CISA Cybersecurity Division. CISA requested HSSEDI take on the important task of updating the list.
The ranking system used to determine the top 25 most dangerous software errors was based on a formula that accounted for prevalence and severity. Weaknesses that are both common and can cause significant harm received a high score, while issues that are rarely exploited or have a low impact were filtered out.
As a result, the 2019 list identified a new top weakness: “Improper Restriction of Operations within the Bounds of a Memory Buffer.” The previous top weakness, “Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')” dropped down to the number six spot.
While terms like “SQL injection” may not be familiar to many, most Americans rely on software in their daily lives. The pervasive use of software on personal computing devices and by businesses makes the CWE top 25 list a vital resource that enhances resiliency of cyber systems.
“Eliminating weaknesses prior to software entering the marketplace is an important step in reducing the attack surface which better protects everybody, anywhere in the world,” said Levendis.