DHS Updates Top 25 Most Dangerous Software Errors List for First Time in 8 Years

The U.S. Department of Homeland Security’s Homeland Security Systems Engineering and Development Institute (HSSEDI) has updated its list of the 25 most dangerous software vulnerabilities. This is the first time in the past 8 years that the list has been updated.

The Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors was first created in 2011. The list is an important tool for improving cybersecurity resiliency and is valuable to software developers, testers, customers, security researchers, and educators as it provides insights into the most prevalent and serious security threats in the software industry.

The list was originally compiled by analysts using a subjective approach for assessing vulnerabilities. Security researchers were interviewed, and industry experts were surveyed to find out which vulnerabilities were believed to be the most serious. HSSEDI, which is run by MITRE, used a different approach for assessing vulnerabilities: One that is based on real-world vulnerabilities that have been reported by security researchers.

“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” explained CWE project leader Chris Levendis. “We will continue to mature the methodology as we move forward.”

25,000 common software vulnerabilities and exposures detailed in the National Vulnerability Database over the past two years were assessed and ranked. The new approach takes the prevalence of flaws, their severity, potential for harm, and the likelihood of the flaws being exploited into account. While many serious vulnerabilities exist, if their impact is low or they are very rarely exploited, they were excluded from the list.

Prior to the update, Improper Neutralization of Special Elements used in an SQL Command (SQL injection) topped the list, but in the revised version it has fallen to position 6. The change in position does not reflect a change in the severity of SQL injection, as it still has the highest severity score (9.129 out of 10). Its overall score is 24.54 out of 100, because the ranking also weighs factors such as prevalence and frequency of exploitation.

Top position now goes to Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119), which has a score of 75.56 out of 100 and a severity score of 8.045 out of 10. This is where software performs operations on a memory buffer but can read or write to memory outside of that memory buffer. That can allow operations to be performed on memory locations that are associated with other variables, data structures, or internal program data, which could lead to the remote execution of arbitrary code, alteration of information flow, or system crashes.
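As an added illustration of the CWE-119 pattern described above (example code written for this page, not from MITRE or the article), a copy routine that trusts a caller-supplied length is shown beside a bounded version that refuses anything larger than the destination. The names `copy_record_unchecked`, `copy_record_bounded`, `sentinel_survives_bounded_copy`, `RECORD_LEN` and the sample inputs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size record buffer shared by both variants (constructed example). */
#define RECORD_LEN 16

/* Weak form of CWE-119: the copy length comes from the caller and is never
 * compared with the size of the destination, so len > RECORD_LEN writes past
 * the end of `dst` into whatever the compiler placed after it. Never called
 * with oversize input here, since that would be undefined behaviour. */
void copy_record_unchecked(char dst[RECORD_LEN], const char *src, size_t len)
{
    memcpy(dst, src, len);
}

/* Hardened form: every write is bounded by the destination size, the result
 * is always NUL-terminated, and oversize input is reported rather than
 * silently truncated or spilled. Returns 0 on success, -1 if rejected. */
int copy_record_bounded(char dst[RECORD_LEN], const char *src, size_t len)
{
    if (src == NULL || len >= RECORD_LEN) {  /* keep room for the terminator */
        dst[0] = '\0';                        /* never hand back stale bytes */
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* The "other variables" next to the buffer, as described in the article. */
struct record_frame {
    char record[RECORD_LEN];
    unsigned int sentinel;
};

/* Returns 1 if the bounded copy left the neighbouring field untouched. */
int sentinel_survives_bounded_copy(const char *src, size_t len)
{
    struct record_frame f;
    f.sentinel = 0xA5A5A5A5u;
    (void)copy_record_bounded(f.record, src, len);
    return f.sentinel == 0xA5A5A5A5u;
}

int main(void)
{
    char buf[RECORD_LEN];
    const char *ok = "user:alice";                  /* 10 bytes, fits */
    const char *too_long = "user:alice;role=admin;x="; /* 24 bytes, rejected */
    int r1 = copy_record_bounded(buf, ok, strlen(ok));
    printf("short input: rc=%d buf=\"%s\"\n", r1, buf);
    int r2 = copy_record_bounded(buf, too_long, strlen(too_long));
    printf("long input:  rc=%d buf=\"%s\"\n", r2, buf);
    return 0;
}
```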

Second spot was taken by Improper Neutralization of Input During Web Page Generation (Cross-Site Scripting – CWE-79). The vulnerability has a relatively low severity score (5.778 out of 10), but its overall score was 45.69 out of 100 due to the high probability of exploitation, its prevalence in reports, and exploitation allowing attackers to run unauthorized code.

Third spot went to Improper Input Validation (CWE-20), which has an overall score of 43.61 out of 100. The high score is due to the high probability of exploitation and potential for harm. This vulnerability has a severity score of 7.242 out of 10 and can be exploited to cause denial of service, execute unauthorized code, and read or modify memory.

The updated list can be viewed on the MITRE website.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.