- For the first time in eight years, the Common Weakness Enumeration (CWE) Top 25 list of the most dangerous software weaknesses has been updated to reflect the current threat landscape.
- The list was compiled from publicly reported vulnerabilities in the National Vulnerability Database (NVD).
What were the updates?
Rankings were determined by the prevalence of each weakness among reported vulnerabilities, the likelihood of its exploitation, and the severity of the resulting vulnerabilities.
- The first spot now belongs to ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’ (CWE-119), the weakness behind classic buffer overflows.
- That spot was held in 2011 by SQL injection, which now sits in sixth position.
- Although it has dropped in rank, SQL injection still has the highest average severity score on the list, 9.129 out of 10, because the vulnerabilities mapped to it tend to be both readily exploitable and high-impact.
- Cross-site scripting (‘Improper Neutralization of Input During Web Page Generation’) holds second place, largely because of how frequently it is reported and how easily it is exploited.
- Third is ‘Improper Input Validation’, with an average severity score of 7.242; it is both widely exploited and capable of serious damage.
Weaknesses that are rarely exploited or cause little harm have been left off the list.
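As an added example (not part of the original article), the script below implements the scoring formula MITRE published with the 2019 list: a weakness's frequency in NVD and its average CVSS score are each min-max normalised across the weaknesses considered, and the two factors are multiplied. The CVE records are constructed for illustration and are not real NVD entries. Running it shows why SQL injection can carry the highest average severity and still rank below a far more frequent memory-buffer weakness.

```python
"""Added example: 2019 CWE Top 25 scoring over a constructed CVE sample.

Formula (MITRE's published 2019 methodology):
    Fr(X)    = (count(X) - min_count) / (max_count - min_count)
    Sv(X)    = (avg_cvss(X) - min_avg)  / (max_avg  - min_avg)
    Score(X) = Fr(X) * Sv(X) * 100
"""
from collections import defaultdict

# Constructed sample records: (cve_id, mapped CWE, CVSS base score).
# These are NOT real NVD entries; the IDs are placeholders.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8), ("CVE-0000-0002", "CWE-119", 7.5),
    ("CVE-0000-0003", "CWE-119", 7.8), ("CVE-0000-0004", "CWE-119", 6.5),
    ("CVE-0000-0005", "CWE-119", 8.8), ("CVE-0000-0006", "CWE-119", 7.5),
    ("CVE-0000-0007", "CWE-79", 6.1),  ("CVE-0000-0008", "CWE-79", 5.4),
    ("CVE-0000-0009", "CWE-79", 6.1),  ("CVE-0000-0010", "CWE-79", 4.8),
    ("CVE-0000-0011", "CWE-79", 6.1),
    ("CVE-0000-0012", "CWE-89", 9.8),  ("CVE-0000-0013", "CWE-89", 9.8),
    ("CVE-0000-0014", "CWE-200", 5.3), ("CVE-0000-0015", "CWE-200", 4.3),
    ("CVE-0000-0016", "CWE-200", 5.3),
    ("CVE-0000-0017", "CWE-78", 8.8),
]


def aggregate(cves):
    """Return {cwe: (count, average CVSS)} from (id, cwe, cvss) records."""
    counts = defaultdict(int)
    totals = defaultdict(float)
    for _, cwe, cvss in cves:
        counts[cwe] += 1
        totals[cwe] += cvss
    return {cwe: (counts[cwe], totals[cwe] / counts[cwe]) for cwe in counts}


def normalise(value, lo, hi):
    """Min-max scale to [0, 1]; a flat distribution scores 0 instead of dividing by zero."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Compute frequency, severity and combined score for every CWE in the sample."""
    stats = aggregate(cves)
    counts = [c for c, _ in stats.values()]
    avgs = [a for _, a in stats.values()]
    lo_c, hi_c = min(counts), max(counts)
    lo_a, hi_a = min(avgs), max(avgs)
    results = {}
    for cwe, (count, avg) in stats.items():
        fr = normalise(count, lo_c, hi_c)   # how often the weakness shows up
        sv = normalise(avg, lo_a, hi_a)     # how bad its CVEs are on average
        results[cwe] = {
            "count": count,
            "avg_cvss": round(avg, 3),
            "frequency": fr,
            "severity": sv,
            "score": round(fr * sv * 100, 2),
        }
    return results


def rank(cves):
    """CWE IDs ordered by descending score (ties keep first-seen order)."""
    scored = score_cwes(cves)
    return sorted(scored, key=lambda cwe: scored[cwe]["score"], reverse=True)


def most_severe(cves):
    """The CWE whose mapped CVEs have the highest average CVSS, regardless of rank."""
    stats = aggregate(cves)
    return max(stats, key=lambda cwe: stats[cwe][1])


if __name__ == "__main__":
    table = score_cwes(SAMPLE_CVES)
    for pos, cwe in enumerate(rank(SAMPLE_CVES), start=1):
        row = table[cwe]
        print(f"{pos}. {cwe:<8} n={row['count']:<2} avg CVSS={row['avg_cvss']:<6} "
              f"Fr={row['frequency']:.3f} Sv={row['severity']:.3f} score={row['score']}")
    print("highest average severity:", most_severe(SAMPLE_CVES))
```

In this sample CWE-89 has a severity factor of 1.0 (its CVEs average 9.8), yet it ranks behind CWE-119, whose frequency factor of 1.0 outweighs a lower average CVSS. Note also the edge of the method: the least frequent weakness in the pool and the least severe one each normalise to 0 and therefore score 0 whatever their other factor, which is why the real ranking normalises across every weakness in NVD rather than just the top entries.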
The list was updated by the Homeland Security Systems Engineering and Development Institute (HSSEDI), the federally funded research and development center operated by MITRE.
- Whereas the 2011 list was compiled through a subjective, opinion-based approach, the update uses a data-driven approach built on reported real-world vulnerabilities.
- The list is intended both as a guidance document and as a proof of concept for the new methodology.
“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world. We will continue to mature the methodology as we move forward,” said Chris Levendis, CWE project leader.