Although a new methodology shook up the rankings of this year’s most dangerous software bugs, the classic persistent threats still proved to be the biggest risk to organizations, reinforcing the need for continued focus on — and investment in — secure code.
The annual Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list is compiled by MITRE and the Cybersecurity and Infrastructure Security Agency (CISA). This year the list was built with a new methodology, and each weakness's score combines how often it was found with how severe the resulting vulnerabilities were.
“Weaknesses that were rarely discovered will not receive a high frequency score, regardless of the typical consequence associated with any exploitation,” the list’s methodology page explained. “Weaknesses that are both common and caused significant harm will receive the highest scores.”
The top weakness on the 2024 CWE list was cross-site scripting (second last year), followed by out-of-bounds write (2023's winner), SQL injection (also third last year), cross-site request forgery (CSRF) (ninth in 2023), and path traversal (eighth last year).
“While we see a bit of movement in rankings throughout the list for sure, we also continue to see the presence of the ‘usual suspects’ (e.g., CWE-79, CWE-89, CWE-125),” says Alec Summers, the project leader for the CVE Program at MITRE and one of the list’s authors. “It’s an ongoing concern that these and other stubborn weaknesses remain high on the Top 25 consistently.”
The only real curveball in this year’s rankings, he points out, was CSRF rising from the ninth spot last year to fourth in 2024. “This might reflect a greater emphasis on CSRF by vulnerability researchers or maybe there are improvements in CSRF detection, or maybe more adversaries are focusing on this kind of issue. We can’t be completely sure why it jumped the way it did,” Summers says.
As the software development life cycle (SDLC) and software supply chain become more labyrinthine every year, and everyday software flaws continue to proliferate, it’s increasingly important for organizations to get a handle on their systems before everyday weaknesses become something more sinister, he recommends.
“Looking at the Top 25, organizations are strongly encouraged to review and leverage the list as a guiding resource for shaping their software security strategies,” Summers says. “By prioritizing them in both development and procurement processes, organizations can more proactively address risk.”
Shoring Up the Software Supply Chain Starts at Home
Those efforts likewise should extend across the software supply chain, Summers adds.
“It’s becoming more and more important for organizations to adopt and demand their suppliers adopt root cause mapping CVE with CWE,” he urges. “This encourages a valuable feedback loop into an organization’s SDLC and architecture design planning, which in addition to increasing product security can also save money: The more weaknesses avoided in your product development, the fewer vulnerabilities to manage after deployment.”
In addition to incorporating a new methodology for determining which software flaws posed the most risk, 2024 was the first year the community of CVE Numbering Authorities (CNAs) contributed to the CWE Program’s effort. In total, 148 CNAs helped develop this year’s list, according to the CWE Project. Currently there are 421 CNAs across 40 countries, according to CVE.org.
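To make the two ideas above concrete, the scoring rule quoted from the methodology page (a weakness must be both frequent and severe to rank highly) and the CNA root-cause mapping that feeds it, here is an added worked example. It is not code from the article, MITRE, or CISA. It assumes the published CWE Top 25 normalization (each CWE's CVE count and average CVSS base score are min-max scaled across all CWEs and multiplied), runs over constructed CVE-to-CWE mappings with placeholder CVE IDs, and treats records carrying only an `NVD-CWE-noinfo`/`NVD-CWE-Other` placeholder as unmapped. The handling of a degenerate range (all counts or all averages equal) is this example's own choice.

```python
"""Added example (not from the article or MITRE): scoring weaknesses the way
the CWE Top 25 methodology combines frequency and severity.

Assumed formula (MITRE's published normalization, not quoted on the page):
    Fr(X)    = (count(X) - min_count) / (max_count - min_count)
    Sv(X)    = (avg_cvss(X) - min_avg) / (max_avg - min_avg)
    Score(X) = Fr(X) * Sv(X) * 100
so a weakness must be both frequent and severe to score highly.
"""
from collections import defaultdict

# Constructed CVE->CWE root-cause mappings with CVSS v3.1 base scores.
# The CVE IDs are placeholders, not real records.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "cwe": "CWE-79", "cvss": 6.1},
    {"cve": "CVE-0000-0002", "cwe": "CWE-79", "cvss": 6.1},
    {"cve": "CVE-0000-0003", "cwe": "CWE-79", "cvss": 5.4},
    {"cve": "CVE-0000-0004", "cwe": "CWE-79", "cvss": 6.1},
    {"cve": "CVE-0000-0005", "cwe": "CWE-79", "cvss": 4.8},
    {"cve": "CVE-0000-0006", "cwe": "CWE-787", "cvss": 9.8},
    {"cve": "CVE-0000-0007", "cwe": "CWE-787", "cvss": 8.8},
    {"cve": "CVE-0000-0008", "cwe": "CWE-787", "cvss": 7.8},
    {"cve": "CVE-0000-0009", "cwe": "CWE-787", "cvss": 7.8},
    {"cve": "CVE-0000-0010", "cwe": "CWE-89", "cvss": 9.8},
    {"cve": "CVE-0000-0011", "cwe": "CWE-89", "cvss": 8.8},
    {"cve": "CVE-0000-0012", "cwe": "CWE-89", "cvss": 7.5},
    {"cve": "CVE-0000-0013", "cwe": "CWE-352", "cvss": 8.8},
    {"cve": "CVE-0000-0014", "cwe": "CWE-352", "cvss": 6.5},
    {"cve": "CVE-0000-0015", "cwe": "CWE-200", "cvss": 4.3},
    {"cve": "CVE-0000-0016", "cwe": "CWE-200", "cvss": 5.3},
    # Rare but critical: a single use-after-free at 9.8.
    {"cve": "CVE-0000-0017", "cwe": "CWE-416", "cvss": 9.8},
    # Unmapped record: no root cause, so it cannot count toward any CWE.
    {"cve": "CVE-0000-0018", "cwe": "NVD-CWE-noinfo", "cvss": 9.1},
]

# Placeholder "mappings" that carry no root cause and are excluded.
UNMAPPED = {None, "", "NVD-CWE-noinfo", "NVD-CWE-Other"}


def aggregate(records):
    """Count CVEs per CWE and average their CVSS base scores.

    Returns {cwe_id: (count, average_cvss)}. Records without a real CWE
    mapping are dropped, which is why CNA root-cause mapping matters:
    an unmapped CVE is invisible to the ranking.
    """
    counts = defaultdict(int)
    totals = defaultdict(float)
    for rec in records:
        cwe = rec.get("cwe")
        if cwe in UNMAPPED:
            continue
        counts[cwe] += 1
        totals[cwe] += float(rec["cvss"])
    return {cwe: (counts[cwe], totals[cwe] / counts[cwe]) for cwe in counts}


def _normalize(value, lo, hi):
    """Min-max scale to [0, 1]. A degenerate range (single weakness, or all
    values equal) is treated as 1.0; that choice is this example's assumption."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_weaknesses(records):
    """Return [(cwe_id, score)] sorted from most to least dangerous."""
    agg = aggregate(records)
    if not agg:
        return []
    counts = [c for c, _ in agg.values()]
    avgs = [a for _, a in agg.values()]
    lo_c, hi_c = min(counts), max(counts)
    lo_s, hi_s = min(avgs), max(avgs)
    scored = []
    for cwe, (count, avg) in agg.items():
        fr = _normalize(count, lo_c, hi_c)   # frequency component
        sv = _normalize(avg, lo_s, hi_s)     # severity component
        scored.append((cwe, fr * sv * 100.0))
    # Highest score first; ties broken by CWE ID for a stable listing.
    return sorted(scored, key=lambda item: (-item[1], item[0]))


def top_n(records, n=25):
    """The Top-N cut of score_weaknesses(), mirroring the Top 25 list."""
    return score_weaknesses(records)[:n]


if __name__ == "__main__":
    for rank, (cwe, s) in enumerate(top_n(SAMPLE_RECORDS), start=1):
        print(f"{rank:>2}. {cwe:<8} {s:6.2f}")
```

Running it on the constructed data ranks CWE-787 first and CWE-89 second, with CWE-79 third despite having the most CVEs, because its average severity is low. The lone CWE-416 record at CVSS 9.8 scores zero: with the fewest CVEs its frequency component is 0, which is exactly the "rarely discovered" case the methodology quote describes. The unmapped record never reaches the ranking at all.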
Source: www.darkreading.com