CISA releases list of top 25 most dangerous software weaknesses for 2024

The U.S. Cybersecurity and Infrastructure Security Agency and the Homeland Security Systems Engineering and Development Institute collaborated on a list of the most critically exploited weaknesses.

The US Cybersecurity and Infrastructure Security Agency (CISA) and the Homeland Security Systems Engineering and Development Institute (HSSEDI), which is operated by MITRE, published the 2024 CWE Top 25 list of the most dangerous software weaknesses overnight. It may be a dry read, but it is an important one for developers.

The list captures the weaknesses most commonly exploited by malicious actors to steal data, disrupt services, and compromise systems and networks.

“Organizations are strongly encouraged to review this list and use it to inform their software security strategies,” CISA said in an advisory.

“Prioritizing these weaknesses in development and procurement processes helps avoid vulnerabilities at the core of the software lifecycle.”

The list was compiled this year using a new methodology, so there was a lot of movement. The team started from 31,770 CVE records created by 275 different CVE Numbering Authorities and re-examined the root-cause weakness mappings of some 9,000 of them. Each weakness was then scored by combining how often it appears as the root cause of those CVEs with the average CVSS severity of the CVEs mapped to it, so a weakness rises either by being very common or by being very severe.

As a result, only three weaknesses kept their 2023 rank, and two entries are new to the list: uncontrolled resource consumption and exposure of sensitive information to an unauthorized actor.
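To make the scoring concrete, here is an added example (ours, not code from CISA or the CWE program) that applies the published CWE Top 25 formula to a small constructed set of CVE records: each weakness gets a frequency term (how many records map to it) and a severity term (the mean CVSS base score of those records), both min-max normalised across all weaknesses in the dataset, and the score is their product times 100. The sample records and their CVSS values are made up for the demonstration.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of CVE records, each reduced to (root-cause CWE, CVSS base score).
# Illustrative values only, not real CVE data.
SAMPLE_RECORDS = [
    ("CWE-79", 6.1), ("CWE-79", 5.4), ("CWE-79", 6.1), ("CWE-79", 4.8),
    ("CWE-787", 9.8), ("CWE-787", 8.8), ("CWE-787", 7.8),
    ("CWE-89", 9.8), ("CWE-89", 8.8),
    ("CWE-476", 5.5),
]


def _normalize(value, lo, hi):
    """Min-max normalise into [0, 1]. The hi == lo guard is our addition: the
    published formula never hits it on a real dataset, but a toy one can."""
    if hi == lo:
        return 1.0
    return (value - lo) / (hi - lo)


def score_cwes(records):
    """Return {cwe: score} using the CWE Top 25 formula:
    score = Freq * Sev * 100, where Freq is the normalised count of CVE
    records mapped to the CWE and Sev is the normalised mean CVSS base score
    of those records. Both are normalised against the min and max over all
    CWEs present in the dataset."""
    counts = defaultdict(int)
    cvss = defaultdict(list)
    for cwe, base_score in records:
        counts[cwe] += 1
        cvss[cwe].append(base_score)
    avg_sev = {cwe: mean(scores) for cwe, scores in cvss.items()}

    min_count, max_count = min(counts.values()), max(counts.values())
    min_sev, max_sev = min(avg_sev.values()), max(avg_sev.values())

    return {
        cwe: _normalize(counts[cwe], min_count, max_count)
        * _normalize(avg_sev[cwe], min_sev, max_sev)
        * 100
        for cwe in counts
    }


def rank_cwes(records):
    """Sort CWEs by descending score; ties are broken by CWE id so the
    ordering is deterministic."""
    scores = score_cwes(records)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_RECORDS), start=1):
        print(f"{position:2d}. {cwe:8s} score={score:6.2f}")
```

Run as a script it prints the ranked table. In this toy dataset the most frequent weakness (CWE-79) drops to third because its normalised severity is close to zero, which is exactly the trade-off the formula encodes; on the real dataset the frequency term carries enough weight that cross-site scripting tops the list despite a modest average severity.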

Anyway, here is the list, which for software developers is essentially a list of what not to do.

  1. CWE-79 – Improper neutralization of input during web page generation (“Cross-site scripting”)
    Rank last year: 2

  2. CWE-787 – Out-of-bounds write
    Rank last year: 1

  3. CWE-89 – Improper neutralization of special elements used in an SQL command (“SQL injection”)
    Rank last year: 3

  4. CWE-352 – Cross-site request forgery (CSRF)
    Rank last year: 9

  5. CWE-22 – Improper limitation of a pathname to a restricted directory (“Path traversal”)
    Rank last year: 8

  6. CWE-125 – Out-of-bounds read
    Rank last year: 7

  7. CWE-78 – Improper neutralization of special elements used in an OS command (“OS command injection”)
    Rank last year: 5

  8. CWE-416 – Use after free
    Rank last year: 4

  9. CWE-862 – Missing authorization
    Rank last year: 11

  10. CWE-434 – Unrestricted upload of file with dangerous type
    Rank last year: 10

  11. CWE-94 – Improper control of generation of code (“Code injection”)
    Rank last year: 23

  12. CWE-20 – Improper input validation
    Rank last year: 6

  13. CWE-77 – Improper neutralization of special elements used in a command (“Command injection”)
    Rank last year: 16

  14. CWE-287 – Improper authentication
    Rank last year: 13

  15. CWE-269 – Improper privilege management
    Rank last year: 22

  16. CWE-502 – Deserialization of untrusted data
    Rank last year: 15

  17. CWE-200 – Exposure of sensitive information to an unauthorized actor
    Rank last year: 30

  18. CWE-863 – Incorrect authorization
    Rank last year: 24

  19. CWE-918 – Server-side request forgery (SSRF)
    Rank last year: 19

  20. CWE-119 – Improper restriction of operations within the bounds of a memory buffer
    Rank last year: 17

  21. CWE-476 – NULL pointer dereference
    Rank last year: 12

  22. CWE-798 – Use of hard-coded credentials
    Rank last year: 18

  23. CWE-190 – Integer overflow or wraparound
    Rank last year: 14

  24. CWE-400 – Uncontrolled resource consumption
    Rank last year: 37

  25. CWE-306 – Missing authentication for critical function
    Rank last year: 20
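Entry 5, path traversal, is a good illustration of how short the gap is between a one-line list entry and a real bug. The following added example (ours, not from CISA's or MITRE's material) shows the vulnerable pattern beside a hardened version: the vulnerable reader joins the request path onto the web root and trusts the result, while the hardened one resolves the final path and refuses anything outside the root. The demo web root, file names and contents are constructed for the example.

```python
import os
import tempfile
from pathlib import Path


def make_demo_tree():
    """Constructed layout for the demo: a web root holding one public file,
    and a secret file one level above it that must never be served.
    Returns (webroot, secret_path) as strings."""
    top = Path(tempfile.mkdtemp())
    webroot = top / "public"
    webroot.mkdir()
    (webroot / "index.html").write_text("hello")
    secret = top / "secret.txt"
    secret.write_text("db-password")
    return str(webroot), str(secret)


def read_file_vulnerable(webroot, requested):
    """CWE-22 as it usually looks: the request path is glued onto the web root
    with no containment check. '../secret.txt' walks out of the root, and an
    absolute path makes os.path.join drop the root altogether."""
    with open(os.path.join(webroot, requested), "rb") as fh:
        return fh.read()


def resolve_within_root(webroot, requested):
    """Return the fully resolved target (symlinks followed, '..' collapsed)
    if it sits strictly below the resolved web root, else None."""
    base = Path(webroot).resolve()
    target = (base / requested).resolve()
    return target if base in target.parents else None


def read_file_hardened(webroot, requested):
    """Same read, but refuse anything that does not resolve inside the root."""
    target = resolve_within_root(webroot, requested)
    if target is None:
        raise PermissionError(f"path escapes web root: {requested!r}")
    return target.read_bytes()


if __name__ == "__main__":
    webroot, secret = make_demo_tree()
    for requested in ("index.html", "../secret.txt", secret):
        leaked = read_file_vulnerable(webroot, requested)
        try:
            served = read_file_hardened(webroot, requested)
        except PermissionError as exc:
            served = exc
        print(f"{requested!r}: vulnerable -> {leaked!r}, hardened -> {served!r}")
```

Two details matter in the hardened version. Checking containment on the resolved path, not on the string, is what defeats `..` sequences and symlinks planted inside the root that point outside it; a prefix comparison on the raw string would pass `../secret.txt` through untouched. And the check is only as good as the filesystem it runs on: if an attacker can write into the web root, a symlink created between the check and the read reopens the hole, so the directory itself must not be writable by untrusted users.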

For more details on the Top 25 and its methodology, see the full write-up on MITRE's CWE site (cwe.mitre.org/top25).
