A new methodology has shaken up this year's ranking of the most dangerous software weaknesses, but long-standing classes of flaw still top the list, underscoring the continued need for a focus on secure code.
The annual Common Weakness Enumeration (CWE) Top 25 list, compiled by MITRE and the Cybersecurity and Infrastructure Security Agency (CISA), scores each weakness on both its severity and its frequency.
According to the methodology page, weaknesses that are both common and cause significant harm receive the highest scores.
The top five weaknesses on the 2024 list are cross-site scripting (CWE-79), out-of-bounds write (CWE-787), SQL injection (CWE-89), cross-site request forgery (CWE-352), and path traversal (CWE-22).
Alec Summers, the project leader for the CVE Program at MITRE, points to the persistence of familiar weaknesses such as CWE-79 (cross-site scripting), CWE-89 (SQL injection), and CWE-125 (out-of-bounds read) near the top of the list, and says they still demand continued vigilance.
One unexpected move in this year's rankings was CSRF (CWE-352) rising from ninth place to fourth. Summers suggests this could reflect increased researcher attention, better detection, or heightened adversary interest in this class of vulnerability.
As software development processes grow more complex and the volume of reported vulnerabilities keeps rising, organizations are urged to prioritize software security strategies. Fixing weaknesses at the root, before they ship, reduces risk exposure more cheaply than patching after disclosure.
Shoring Up the Software Supply Chain Starts at Home
Efforts to enhance software security should extend throughout the supply chain, according to Summers.
Organizations are encouraged to adopt root-cause mapping of CVEs to CWEs, both for their own products and for those of their suppliers. Mapping each vulnerability to the specific weakness that caused it, rather than to a generic class or to the symptom, improves product security, saves remediation cost, and feeds useful signal back into future development.
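The two ideas above, a ranking that weighs frequency against severity and a root-cause mapping review, can be tried on a small batch of CVE records. The following is an added example, not code from MITRE, CISA, or the article: it reads CWE identifiers and CVSS v3.1 base scores from records shaped like the `containers.cna.problemTypes` and `containers.cna.metrics` sections of a CVE JSON 5 record, ranks the CWEs, and flags records that map to no CWE or only to a high-level class or pillar. The records are constructed, the identifiers are placeholders rather than real CVE IDs, the `TOO_GENERIC` set is illustrative, and the scoring (share of records times mean CVSS, scaled to 100) is a simplified stand-in for the published formula, not the formula itself.

```python
"""Rank CWEs by frequency x severity and audit CVE->CWE root-cause mappings.

Added example; not MITRE's, CISA's or the article's code. All records below
are constructed, and the scoring normalisation is an assumption.
"""
from collections import defaultdict


def rec(rec_id, cwes, cvss_base_score):
    """Build a minimal CVE JSON 5 style record (constructed test data)."""
    return {
        "cveMetadata": {"cveId": rec_id},
        "containers": {"cna": {
            "problemTypes": [{"descriptions": [
                {"lang": "en", "type": "CWE", "description": c, "cweId": c}
                for c in cwes]}],
            "metrics": [{"cvssV3_1": {"baseScore": cvss_base_score}}],
        }},
    }


# Constructed records; IDs are placeholders, not real CVE identifiers.
SAMPLE_RECORDS = [
    rec("REC-001", ["CWE-79"], 6.1),
    rec("REC-002", ["CWE-79"], 6.1),
    rec("REC-003", ["CWE-79"], 5.4),
    rec("REC-004", ["CWE-79"], 7.2),
    rec("REC-005", ["CWE-787"], 9.8),
    rec("REC-006", ["CWE-787"], 8.8),
    rec("REC-007", ["CWE-787"], 9.8),
    rec("REC-008", ["CWE-89"], 9.8),
    rec("REC-009", ["CWE-89"], 8.8),
    rec("REC-010", ["CWE-352"], 8.8),
    rec("REC-011", ["CWE-20"], 7.5),   # generic class, not a root cause
    rec("REC-012", [], 7.5),           # no CWE mapped at all
]

# Illustrative set of high-level Class/Pillar entries that root-cause mapping
# guidance steers away from; a real review would use the full CWE hierarchy.
TOO_GENERIC = {"CWE-20", "CWE-119", "CWE-284", "CWE-707"}


def extract_cwes(record):
    """Return the distinct CWE IDs a record is mapped to, in document order."""
    found = []
    for pt in record["containers"]["cna"].get("problemTypes", []):
        for d in pt.get("descriptions", []):
            cwe = d.get("cweId")
            if cwe and cwe not in found:
                found.append(cwe)
    return found


def base_score(record):
    """Return the CVSS v3.1 base score, or None if the record carries none."""
    for m in record["containers"]["cna"].get("metrics", []):
        if "cvssV3_1" in m:
            return float(m["cvssV3_1"]["baseScore"])
    return None


def audit_mappings(records):
    """Flag records with no CWE, or mapped only to an over-generic CWE."""
    issues = {}
    for r in records:
        cid = r["cveMetadata"]["cveId"]
        cwes = extract_cwes(r)
        if not cwes:
            issues[cid] = ["no CWE mapped; root cause unknown"]
            continue
        generic = [c for c in cwes if c in TOO_GENERIC]
        if generic:
            issues[cid] = [f"{c} is a high-level class/pillar; "
                           f"map the specific root-cause weakness" for c in generic]
    return issues


def score_weaknesses(records):
    """Score = (records mapped to CWE / mapped records) * (mean CVSS / 10) * 100.

    Simplified frequency-times-severity score (an assumption, not MITRE's
    exact normalisation). A CWE counts once per record even if listed twice.
    """
    counts, sev_sum, mapped = defaultdict(int), defaultdict(float), 0
    for r in records:
        cwes, score = extract_cwes(r), base_score(r)
        if not cwes or score is None:
            continue
        mapped += 1
        for c in cwes:
            counts[c] += 1
            sev_sum[c] += score
    return {c: round((counts[c] / mapped) * (sev_sum[c] / counts[c] / 10.0) * 100, 2)
            for c in counts}


def top_n(records, n=5):
    """Highest-scoring CWEs first; ties broken by CWE ID for determinism."""
    return sorted(score_weaknesses(records).items(),
                  key=lambda kv: (-kv[1], kv[0]))[:n]


if __name__ == "__main__":
    for rank, (cwe, s) in enumerate(top_n(SAMPLE_RECORDS), 1):
        print(f"{rank}. {cwe}: {s}")
    for cid, problems in audit_mappings(SAMPLE_RECORDS).items():
        print(f"{cid}: " + "; ".join(problems))
```

On the constructed data, CWE-787 outranks CWE-79 even though XSS appears more often, because its mean CVSS is far higher; that is the "common and harmful" interplay the methodology page describes. The audit output is the part a supplier review would act on: REC-012 has no mapping at all, and REC-011 is mapped to CWE-20, a class so broad that it says nothing about the actual defect.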
In addition to the new methodology for assessing software flaws, 2024 was the first year in which the full community of CVE Numbering Authorities (CNAs) contributed root-cause mappings to the CWE Program's effort. A total of 148 CNAs from 40 countries helped develop this year's list.
For more information on CNAs, visit CVE.org.