Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

9/17/2019
05:15 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

MITRE Releases 2019 List of Top 25 Software Weaknesses

The list includes the most frequent and critical weaknesses that can lead to serious software vulnerabilities.

MITRE today published a draft of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Errors, a list of the most widespread and critical weaknesses that could lead to severe software vulnerabilities, as the organization explained a release on the news.

Attackers can often exploit these vulnerabilities to assume control over an affected system, steal sensitive data, or cause a denial-of-service condition, the Cybersecurity and Infrastructure Security Agency (CISA) said in an advisory on the list. Users and admins are encouraged to review both the list and recommended mitigations that MITRE advises them to implement. 

The Top 25 is a community resource for software developers, testers, customers, project managers, security researchers, and educators exploring common threats in software. This year, the team took a new approach to generating the list. The methodology involved pulling CVE-related data from within the US National Vulnerability Database (NVD) and accounting for frequency and average Common Vulnerability Scoring System (CVSS) score to determine rank. A scoring formula was used to assess the level of frequency and danger each weakness presents.

This list historically has been compiled by gathering survey responses from a broad group of organizations and by collecting feedback from security analysts, researchers, and developers. Industry pros were asked to nominate weaknesses they considered to be the most widespread or important; a customized part of the CVSS was used to decide on the ranking of each weakness.

"There were a number of positives in this approach, but it was also labor-intensive and subjective," MITRE says. The 2019 list involves a more rigorous and statistical process; instead, it leverages data about reported vulnerabilities to gauge the dangerousness of each weakness.

"We wanted to go with a methodology that was more objective and based on what we're seeing in the real world," says Drew Buttner, MITRE software assurance lead. The 2019 Top 25 includes flaws from 2017 and 2018 and reflects efforts by the CWE team to correct several thousand mismapped CVE entries. MITRE plans to evaluate mappings throughout the coming year for its upcoming 2020 list. This year's Top 25 is the first release of the list since 2011, Buttner points out, but MITRE's goal going forward is to release a new list for each year.

2019's Top Weaknesses
There were no surprises in this year's Top 25, agree Buttner and Chris Levendis, MITRE CWE project leader. "A lot of the top weaknesses continue to be in the list, and we continue to see them even as 10 years have passed," Buttner notes. While weaknesses toward the end of the list have fallen out in favor of new ones, the top weaknesses generally remain the same.

The highest-ranking weakness, with a score of 75.56, is CWE-119, buffer overflow or "Improper Restriction of Operations within the Bounds of a Memory Buffer." Some languages allow direct addressing of memory locations and don't automatically ensure locations are valid for the memory buffer being referenced. This can cause read or write operations to be performed on memory locations linked to data structures or internal program data. An attacker could execute malicious code, change the control flow, read sensitive data, or crash the system.

Buttner and Levendis anticipated buffer overflow would be near top of the list, as it was also near the top in 2011 and it's a well-known weakness throughout the industry.

Next-highest is CWE-79, "Improper Neutralization of Input During Web Page Generation" or cross-site scripting, with a score of 45.69. Software doesn't neutralize, or incorrectly neutralizes, user-controllable input before it's placed in output later used as a web page served to other users. Untrusted data may enter a web app and ultimately execute malicious script.

Number three is CWE-20, or Improper Input Validation, which exists when software doesn't validate or improperly validates input that can affect a program's control flow or data flow. An attacker can write input not expected by the application. This can lead to parts of the system receiving unexpected input, which may cause arbitrary code execution or altered control flow.

Software users can use the Top 25 list to gauge the security practices of the companies they're buying software from before they invest, Levendis says. Those using open source can better learn whether developers are paying attention to those weaknesses, and developers can use the list as a "priority cheat sheet" consisting of weaknesses they should be keeping an eye on.

He adds: "At the most fundamental level, that's what you can use the weaknesses for if you're a consumer of software."

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "How a PIA Can CYA."

Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance & Technology, where she covered financial ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/27/2020
6 Ways Passwords Fail Basic Security Tests
Curtis Franklin Jr., Senior Editor at Dark Reading,  10/28/2020
'Act of War' Clause Could Nix Cyber Insurance Payouts
Robert Lemos, Contributing Writer,  10/29/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How to Measure and Reduce Cybersecurity Risk in Your Organization
In this Tech Digest, we examine the difficult practice of measuring cyber-risk that has long been an elusive target for enterprises. Download it today!
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-27885
PUBLISHED: 2020-10-29
Cross-Site Scripting (XSS) vulnerability on WSO2 API Manager 3.1.0. By exploiting a Cross-site scripting vulnerability the attacker can hijack a logged-in user’s session by stealing cookies which means that a malicious hacker can change the logged-in user’s pass...
CVE-2020-25646
PUBLISHED: 2020-10-29
A flaw was found in Ansible Collection community.crypto. openssl_privatekey_info exposes private key in logs. This directly impacts confidentiality
CVE-2020-26205
PUBLISHED: 2020-10-29
Sal is a multi-tenanted reporting dashboard for Munki with the ability to display information from Facter. In Sal through version 4.1.6 there is an XSS vulnerability on the machine_list view.
CVE-2020-14323
PUBLISHED: 2020-10-29
A null pointer dereference flaw was found in samba's Winbind service in versions before 4.11.15, before 4.12.9 and before 4.13.1. A local user could use this flaw to crash the winbind service causing denial of service.
CVE-2020-27886
PUBLISHED: 2020-10-29
An issue was discovered in EyesOfNetwork eonweb 5.3-7 through 5.3-8. The eonweb web interface is prone to a SQL injection, allowing an unauthenticated attacker to exploit the username_available function of the includes/functions.php file (which is called by login.php).