Why it matters: Every year, the Homeland Security Systems Engineering and Development Institute (HSSEDI), which MITRE operates for the Department of Homeland Security, publishes a list of the most common and dangerous software weaknesses: the Common Weakness Enumeration (CWE) entries that are the root causes of the most exploited software vulnerabilities. In 2023, the previous year's worst offenders still occupy the top spots on this list.
The latest alert from the US Cybersecurity & Infrastructure Security Agency (CISA), the Department of Homeland Security agency responsible for cybersecurity and critical infrastructure security, announces the updated list of the 25 most dangerous software weaknesses. The CWE Top 25 is built from public vulnerability data (CVE records) covering the past two years, and it paints a rather discouraging picture of the state of software security.
According to the MITRE Corporation, which maintains the CWE program on behalf of CISA and DHS, the weaknesses on the CWE Top 25 are often easy to find and easy to exploit. They lead to exploitable vulnerabilities that let attackers take over systems, crash servers, steal data, or prevent applications from working.
In 2023, the top spot remains the same as last year: out-of-bounds write (CWE-787). This memory-safety weakness occurs when code writes data past the end (or before the beginning) of the buffer it meant to write to, overwriting whatever lives in the adjacent memory. The result can be data corruption, a crash, or arbitrary code execution. Writing in a memory-safe language such as Rust removes this class of bug outside explicitly unsafe code; in C and C++ the mitigation is an explicit bounds check on every write into a fixed-size buffer.
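As an added illustration, not code from the CISA alert or from MITRE, the following C program shows the CWE-787 pattern and its fix on a hypothetical record type: an 8-byte name field sits directly in front of a privilege flag, one copy routine never checks the source length, and the replacement bounds the scan and rejects input that does not fit. The struct, function names and sample input are all constructed for the example.

```c
#define _POSIX_C_SOURCE 200809L   /* for strnlen */
#include <stdio.h>
#include <string.h>

/* Hypothetical record: an 8-byte name field sits directly before a flag. */
struct account {
    char name[8];
    int  is_admin;
};

/* CWE-787: copies until the source's NUL with no check against sizeof name.
   Any input of 8 or more characters writes past name[7] into whatever is
   adjacent (here: is_admin). This is undefined behaviour; on typical layouts
   the flag is simply overwritten with the extra bytes. */
void set_name_unsafe(struct account *a, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0'; i++)
        a->name[i] = src[i];
    a->name[i] = '\0';
}

/* Fixed: bound the scan to the field size, reject input that does not fit
   (rather than silently truncating, which causes its own bugs), and only
   then copy. Returns 0 on success, -1 if src is too long. */
int set_name_safe(struct account *a, const char *src)
{
    size_t n = strnlen(src, sizeof a->name);
    if (n >= sizeof a->name)          /* no room for the terminating NUL */
        return -1;
    memcpy(a->name, src, n);
    a->name[n] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed input: 11 characters, so the overflow stays inside the
       struct (bytes 8..11 land on is_admin) and only the flag is clobbered. */
    const char *input = "superuser01";

    struct account a = { "", 0 };
    set_name_unsafe(&a, input);
    printf("unsafe: name=%.8s is_admin=%d (flag clobbered by overflow)\n",
           a.name, a.is_admin);

    struct account b = { "", 0 };
    int rc = set_name_safe(&b, input);
    printf("safe:   rc=%d is_admin=%d (input rejected, flag intact)\n",
           rc, b.is_admin);
    return 0;
}
```

The rejecting version is deliberate: a truncating copy (strncpy-style) keeps the program "safe" from the overflow but silently changes data, and in the original reports behind this CWE entry that kind of quiet misbehaviour is often what turns a bug into a vulnerability. Building with `-fsanitize=address` makes the unsafe call abort at the first out-of-bounds byte, which is the cheapest way to find this class of bug in existing code.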
The second most frequent weakness on the list is CWE-79, cross-site scripting (XSS), which arises when user input is not neutralized before it is embedded in a web page. Third is CWE-89, SQL injection, another failure to neutralize untrusted input, this time before it is placed in a SQL query. This year's CWE Top 25 is based on 43,996 CVE records for vulnerabilities disclosed in 2021 and 2022.
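The following C program is an added example for the CWE-79 entry, not code from the alert or from MITRE. It renders a greeting from an attacker-controlled name in two ways: spliced straight into the markup (the weakness), and passed through an HTML encoder at the point where data meets markup (the fix). The function names and the sample input are constructed for the example. The analogous fix for CWE-89 is not escaping but parameterized queries, which keep data out of the SQL text entirely; that requires a database driver and is not shown here.

```c
#include <stdio.h>
#include <string.h>

/* CWE-79 (vulnerable): the untrusted name is spliced straight into the page,
   so a name containing markup becomes markup in the victim's browser. */
int render_greeting_unsafe(char *out, size_t outsz, const char *name)
{
    int n = snprintf(out, outsz, "<p>Hello, %s!</p>", name);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Output encoding for the HTML text/attribute context: replace the five
   characters that can change the structure of the document. Returns the
   encoded length, or -1 if out (of size outsz) cannot hold the result. */
int html_escape(char *out, size_t outsz, const char *in)
{
    size_t used = 0;
    for (; *in != '\0'; in++) {
        char  single[2] = { *in, '\0' };
        const char *rep;
        switch (*in) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#x27;"; break;
        default:   rep = single;   break;
        }
        size_t rl = strlen(rep);
        if (used + rl + 1 > outsz)      /* +1 keeps room for the NUL */
            return -1;
        memcpy(out + used, rep, rl);
        used += rl;
    }
    out[used] = '\0';
    return (int)used;
}

/* Fixed: encode where the data meets the markup, then render. */
int render_greeting_safe(char *out, size_t outsz, const char *name)
{
    char encoded[512];
    if (html_escape(encoded, sizeof encoded, name) < 0)
        return -1;
    int n = snprintf(out, outsz, "<p>Hello, %s!</p>", encoded);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    /* Constructed attacker-controlled input. */
    const char *name = "<script>alert(document.cookie)</script>";
    char page[1024];

    render_greeting_unsafe(page, sizeof page, name);
    printf("unsafe: %s\n", page);     /* script tag survives intact */

    render_greeting_safe(page, sizeof page, name);
    printf("safe:   %s\n", page);     /* rendered as literal text */
    return 0;
}
```

The encoder is context-specific: these five replacements are correct for HTML element content and quoted attributes, but data placed inside a `<script>` block, a URL, or a CSS value needs a different encoder, and a single "sanitize everything" pass at input time (the approach the CWE name warns against) cannot know which context the data will end up in.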
Fourth place goes to use-after-free (CWE-416), up from seventh last year. This increasingly common flaw arises when a program keeps using a pointer to memory after that memory has been freed; because the allocator may hand the same block to a later allocation, an attacker who controls that later allocation can corrupt the program's view of the object, crash an operating system or server, or execute code of their choosing.
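As an added example, not code from the alert or from MITRE, the following C program shows the CWE-416 pattern on a hypothetical session object: one close routine frees the object and leaves the caller's pointer dangling, the other takes the pointer by reference, frees, and nulls it so every later use becomes a deterministic NULL check. The struct, function names and sample sessions are constructed for the example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical session record owned by the caller. */
struct session {
    char user[32];
    int  is_admin;
};

struct session *session_open(const char *user, int is_admin)
{
    struct session *s = calloc(1, sizeof *s);
    if (s == NULL)
        return NULL;
    snprintf(s->user, sizeof s->user, "%s", user);
    s->is_admin = is_admin;
    return s;
}

/* CWE-416 pattern: the block is released, but every copy of the pointer the
   caller kept (locals, cache entries, callbacks) still points at it. */
void session_close_unsafe(struct session *s)
{
    free(s);
}

/* Fixed: free through a pointer-to-pointer and clear it, so stale use is a
   NULL dereference or a NULL check rather than a read of reused memory. */
void session_close_safe(struct session **sp)
{
    if (sp == NULL)
        return;
    free(*sp);
    *sp = NULL;
}

/* Consumers treat NULL as "no session" and never touch a freed object. */
int session_is_admin(const struct session *s)
{
    return s != NULL && s->is_admin;
}

const char *session_user(const struct session *s)
{
    return s != NULL ? s->user : "(no session)";
}

int main(void)
{
    /* The bug: a second reference outlives the free, and a later allocation
       of the same size is likely to be placed in the freed block. */
    struct session *s = session_open("alice", 0);
    struct session *cached = s;                        /* e.g. a cache entry */
    session_close_unsafe(s);
    struct session *m = session_open("mallory", 1);    /* may reuse the block */
    /* Reading cached->is_admin here is undefined behaviour; with a reused block
       it would report mallory's flag for alice's session. Not executed. */
    (void)cached;
    session_close_safe(&m);

    /* The fix: the pointer cannot be used after close. */
    struct session *t = session_open("bob", 1);
    session_close_safe(&t);
    printf("after close: user=%s admin=%d\n",
           session_user(t), session_is_admin(t));
    session_close_safe(&t);      /* second close is harmless: free(NULL) */
    return 0;
}
```

Nulling the freed pointer only protects the one variable passed in; the `cached` alias in the example is the general problem, and the real fix is an ownership rule (one owner frees, everyone else holds a reference that is invalidated first). AddressSanitizer reports the dangling read in `main` as a heap-use-after-free if the commented-out access is enabled.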
CWEs are becoming increasingly prevalent in discussions about vulnerability exposure as the community tries to address the root causes of vulnerabilities rather than each instance in isolation. Beyond the Top 25 list itself, MITRE is expected to release a series of articles this summer on how this data can be used more effectively by the security community.