CISA Releases List of 25 Most Dangerous Software Weaknesses for 2024
The U.S. Cybersecurity and Infrastructure Security Agency and the Homeland Security Systems Engineering and Development Institute collaborated on a list of the most dangerous software weaknesses.
The US Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), operated by MITRE, have published the 2024 CWE Top 25 Most Dangerous Software Weaknesses list. It may be a dry read, but it is an important one for developers.
The list captures the weakness types most commonly found at the root of the vulnerabilities that malicious actors exploit to steal data, disrupt services, and compromise systems and networks.
“Organizations are strongly encouraged to review this list and use it to inform their software security strategies,” CISA said in an advisory.
“Prioritizing these weaknesses in development and procurement processes helps avoid vulnerabilities at the core of the software lifecycle.”
The list was compiled this year using a new methodology, so there was a lot of movement in the rankings. This year's list was derived from 31,770 CVE records, narrowed to a set of roughly 9,000 records created by 275 different CVE Numbering Authorities (CNAs). Each weakness was then scored with a formula that combines how often it appears as the root cause of a CVE with the average severity (CVSS score) of those CVEs.
As a result, only three weaknesses kept their previous ranking, and two weaknesses joined the list: uncontrolled resource consumption and exposure of sensitive information to an unauthorized actor.
Here is the list, which doubles as a catalogue of what software developers should not do.
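To make the scoring step concrete, here is an added Python example (written for this article, not MITRE's or CISA's own tooling) that computes a frequency × severity ranking over a small constructed set of CVE-to-CWE mappings and then reports how each entry moved against a previous ranking. It assumes the min-max normalisation of frequency and average CVSS score that MITRE has documented for earlier Top 25 lists; the CVE records and the "previous year" ranking are invented for illustration.

```python
"""Rank weakness types by frequency x average severity, CWE Top 25 style.

Added example. The normalisation used here (min-max scaling of both
factors, multiplied and scaled to 0-100) is the one MITRE documented for
earlier Top 25 lists; it is assumed, not taken from this article.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class CveRecord:
    cve_id: str   # CVE identifier
    cwe_id: str   # root-cause weakness the CVE is mapped to
    cvss: float   # CVSS base score, 0.0 to 10.0


# Constructed sample data: these are NOT real CVE records.
# XSS is the most frequent but the least severe; out-of-bounds write is
# rarer but far more severe, which is exactly the trade-off the formula weighs.
SAMPLE_RECORDS: List[CveRecord] = [
    CveRecord("CVE-0000-0001", "CWE-79", 6.1),
    CveRecord("CVE-0000-0002", "CWE-79", 5.4),
    CveRecord("CVE-0000-0003", "CWE-79", 6.1),
    CveRecord("CVE-0000-0004", "CWE-79", 4.8),
    CveRecord("CVE-0000-0005", "CWE-79", 6.1),
    CveRecord("CVE-0000-0006", "CWE-787", 9.8),
    CveRecord("CVE-0000-0007", "CWE-787", 8.8),
    CveRecord("CVE-0000-0008", "CWE-787", 7.8),
    CveRecord("CVE-0000-0009", "CWE-89", 9.8),
    CveRecord("CVE-0000-0010", "CWE-89", 8.8),
    CveRecord("CVE-0000-0011", "CWE-476", 5.5),
]


def aggregate(records: List[CveRecord]) -> Dict[str, Tuple[int, float]]:
    """Per CWE: (number of CVEs mapped to it, average CVSS of those CVEs)."""
    counts: Dict[str, int] = defaultdict(int)
    severity_sum: Dict[str, float] = defaultdict(float)
    for rec in records:
        counts[rec.cwe_id] += 1
        severity_sum[rec.cwe_id] += rec.cvss
    return {cwe: (counts[cwe], severity_sum[cwe] / counts[cwe]) for cwe in counts}


def _normalise(value: float, low: float, high: float) -> float:
    """Min-max scale to [0, 1]; a degenerate range scores 0 rather than dividing by zero."""
    return 0.0 if high == low else (value - low) / (high - low)


def score(records: List[CveRecord]) -> Dict[str, float]:
    """Score = normalised frequency * normalised average severity * 100."""
    agg = aggregate(records)
    freqs = [f for f, _ in agg.values()]
    sevs = [s for _, s in agg.values()]
    f_min, f_max = min(freqs), max(freqs)
    s_min, s_max = min(sevs), max(sevs)
    return {
        cwe: round(_normalise(f, f_min, f_max) * _normalise(s, s_min, s_max) * 100, 2)
        for cwe, (f, s) in agg.items()
    }


def rank(records: List[CveRecord]) -> List[Tuple[str, float]]:
    """CWE ids ordered by descending score; ties broken by id for determinism."""
    return sorted(score(records).items(), key=lambda kv: (-kv[1], kv[0]))


def movement(current: List[str], previous: List[str]) -> List[Tuple[int, str, Optional[int]]]:
    """(rank, cwe, last year's rank or None if it was not ranked before)."""
    prev_pos = {cwe: i + 1 for i, cwe in enumerate(previous)}
    return [(i + 1, cwe, prev_pos.get(cwe)) for i, cwe in enumerate(current)]


if __name__ == "__main__":
    ranked = rank(SAMPLE_RECORDS)
    # Constructed "last year" ordering, used only to show rank movement.
    last_year = ["CWE-79", "CWE-89", "CWE-787", "CWE-20"]
    for pos, cwe, prev in movement([c for c, _ in ranked], last_year):
        print(f"{pos}. {cwe}  score={dict(ranked)[cwe]}  last year: {prev if prev else 'new'}")
```

Note that the most frequent weakness in the sample (CWE-79) ends up third: frequency and severity are multiplied, so a weakness that is common but low-severity is pulled down, which is the mechanism behind much of the movement in this year's list.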
1. CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (last year: 2)
2. CWE-787: Out-of-bounds Write (last year: 1)
3. CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') (last year: 3)
4. CWE-352: Cross-Site Request Forgery (CSRF) (last year: 9)
5. CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (last year: 8)
6. CWE-125: Out-of-bounds Read (last year: 7)
7. CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (last year: 5)
8. CWE-416: Use After Free (last year: 4)
9. CWE-862: Missing Authorization (last year: 11)
10. CWE-434: Unrestricted Upload of File with Dangerous Type (last year: 10)
11. CWE-94: Improper Control of Generation of Code ('Code Injection') (last year: 23)
12. CWE-20: Improper Input Validation (last year: 6)
13. CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') (last year: 16)
14. CWE-287: Improper Authentication (last year: 13)
15. CWE-269: Improper Privilege Management (last year: 22)
16. CWE-502: Deserialization of Untrusted Data (last year: 15)
17. CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (last year: 30)
18. CWE-863: Incorrect Authorization (last year: 24)
19. CWE-918: Server-Side Request Forgery (SSRF) (last year: 19)
20. CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer (last year: 17)
21. CWE-476: NULL Pointer Dereference (last year: 12)
22. CWE-798: Use of Hard-coded Credentials (last year: 18)
23. CWE-190: Integer Overflow or Wraparound (last year: 14)
24. CWE-400: Uncontrolled Resource Consumption (last year: 37)
25. CWE-306: Missing Authentication for Critical Function (last year: 20)
For more details on the Top 25 and its methodology, see MITRE's CWE Top 25 page.