In an effort to help software developers and security researchers eliminate common software vulnerabilities, MITRE and the U.S. Department of Homeland Security (DHS) have released a list of the Top 25 most dangerous software errors. As DHS points out, this list of Common Weakness Enumeration (CWE) errors represents a comprehensive ranking of “frequent and critical errors that can lead to serious vulnerabilities in software.” The first Top 25 ranking list of software vulnerabilities appeared in 2011; this release is its first update in eight years.
Methodology used to find and rank software errors
A number of partners combined their resources to come up with this list of common software vulnerabilities. The Homeland Security Systems Engineering and Development Institute (HSSEDI), which is managed by the Department of Homeland Security and operated by MITRE, compiled the list of software vulnerabilities primarily from information in the National Vulnerability Database (NVD), which is operated by the National Institute of Standards and Technology (NIST). Moreover, the CWE team is sponsored by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). Thus, MITRE, CISA and DHS all announced the list of the Top 25 most dangerous software errors.
In the previous iteration of this “Top 25” list, the Department of Homeland Security and MITRE relied primarily on subjective information, in the form of interviews and surveys with top security researchers and software evaluators. In this updated version of the Top 25 list, however, the security researchers took a much more data-driven approach to discovering vulnerabilities in software. They were looking for actual incidents of real-world vulnerabilities, which is why they focused their efforts on data from the National Vulnerability Database, which consists of over 25,000 common vulnerabilities and exposures that have been tracked by volunteers and white hat security researchers over the past two years.
To rank the most dangerous software vulnerabilities, the security researchers developed a scoring algorithm that ranks software weaknesses according to three primary factors: prevalence, severity and ability to cause harm. The highest-ranking software weaknesses, then, are those that are commonly found, severe in nature, and able to deliver significant harm (such as crashing an IT system or exposing information to attackers).
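To make that scoring concrete, here is an added example (not code from the article or from MITRE) that re-implements the 2019 CWE Top 25 scoring formula on constructed sample CVE records. It assumes that formula: each CWE’s NVD frequency and mean CVSS base score are min-max normalized to [0, 1] and multiplied, so the severity term carries what the article calls the ability to cause harm.

```python
"""Re-implementation of the 2019 CWE Top 25 scoring formula (assumed, not on the page):
    Fr(X)    = (count(X) - min_count) / (max_count - min_count)
    Sv(X)    = (avgCVSS(X) - min_avg) / (max_avg - min_avg)
    Score(X) = Fr(X) * Sv(X) * 100
count(X) is the number of NVD CVEs mapped to CWE X; avgCVSS(X) is their mean CVSS base score.
"""
from collections import defaultdict

# Constructed sample records (cve_id, cwe_id, cvss_base); NOT real NVD entries.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8), ("CVE-0000-0002", "CWE-119", 9.8),
    ("CVE-0000-0003", "CWE-119", 6.2), ("CVE-0000-0004", "CWE-119", 6.2),
    ("CVE-0000-0005", "CWE-79", 6.1), ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 6.1), ("CVE-0000-0008", "CWE-79", 6.1),
    ("CVE-0000-0009", "CWE-79", 6.1),
    ("CVE-0000-0010", "CWE-89", 9.8), ("CVE-0000-0011", "CWE-89", 9.8),
    ("CVE-0000-0012", "CWE-200", 5.3),
]


def aggregate(cves):
    """Return {cwe: (cve_count, mean_cvss)} from (cve, cwe, cvss) tuples."""
    counts, totals = defaultdict(int), defaultdict(float)
    for _cve, cwe, cvss in cves:
        counts[cwe] += 1
        totals[cwe] += cvss
    return {cwe: (counts[cwe], totals[cwe] / counts[cwe]) for cwe in counts}


def _normalize(value, lo, hi):
    """Min-max scale into [0, 1]; a degenerate range maps everything to 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Score every CWE in the data set; returns [(cwe, score)] sorted high to low."""
    agg = aggregate(cves)
    lo_c, hi_c = min(c for c, _ in agg.values()), max(c for c, _ in agg.values())
    lo_s, hi_s = min(s for _, s in agg.values()), max(s for _, s in agg.values())
    scored = []
    for cwe, (count, avg) in agg.items():
        fr = _normalize(count, lo_c, hi_c)   # prevalence term
        sv = _normalize(avg, lo_s, hi_s)     # severity / harm term
        scored.append((cwe, round(fr * sv * 100, 2)))
    # Note: the least frequent CWE and the least severe CWE always score 0,
    # however dangerous they are in isolation; that is a property of the formula.
    return sorted(scored, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for cwe, score in score_cwes(SAMPLE_CVES):
        print(f"{cwe:8s} {score:6.2f}")
```

With this sample, the very severe but less frequent CWE-89 ranks below the more common CWE-119, mirroring the drop of SQL injection described later in the article.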
Top software vulnerabilities
Among the software vulnerabilities highlighted by the DHS researchers, the clear No. 1 choice was “Improper Restriction of Operations Within the Bounds of a Memory Buffer.” This software error scored 75.56 out of a possible 100, due to both its prevalence and its severity. The No. 2 software error on the list was “Improper Neutralization of Input During Web Page Generation,” which scored 45.69 out of 100. The No. 3 software error was “Improper Input Validation,” which scored 43.61 out of 100.
What’s interesting to note is that the No. 1 software error of 2011 – “Improper Neutralization of Special Elements Used in an SQL Command (‘SQL Injection’)” – fell to No. 6 in this year’s ranking of the Top 25 most dangerous software vulnerabilities. According to the researchers, this is because its prevalence and frequency of exploitation have dropped significantly. However, its severity factor (9.129 out of 10) is still quite high, which is why it remains among the most dangerous software vulnerabilities.
Roger A. Grimes, Data-Driven Defense Evangelist at KnowBe4, comments on the updated list of common software errors: “Seventy to ninety percent of all malicious compromises are due to social engineering, and exploiting unpatched software is involved in 20% to 40%. You would think that all software developers would be getting better at developing code with fewer exploitable security vulnerabilities. Some are, but most are not. This shouldn’t be surprising, because most programmers are not taught about computer security and secure development lifecycle (SDL) programming techniques and processes in school. There are only a few colleges in the U.S. that devote an entire course on computer security and secure programming to programmers. Most cover it in a few hours as part of some other course, which of course means that it isn’t really covered. We get what we train for. All programmers should strive to learn as much as they can about SDL techniques, tools, and processes. It will make them better programmers and more valuable to their employers. Best yet, they’ll get paid more and make more secure software for the world. It’s win-win. But this has been the case for decades, and I’m not sure what catalyst is needed to get software development companies and programmers more self-interested in being more secure from the start. Things are pretty bad out there and have been for a long time. It’s a bit scary to think about what it would take to make them care more.”
Jason Kent, Hacker in Residence at Cequence Security, notes that there have not been many changes in the period from 2011 to 2019: “Often when these sorts of lists are refreshed we don’t see huge sweeping changes; usually there is a little bit of shifting around. After 8 years, from 2011 until now, I would expect a noticeable change, given that they also changed the criteria they used for the list. I didn’t really see a huge change, but what I see is characteristic of something we have been saying for a long time now. The first 3 items on the list are about validating the input of an end user and controlling that input through the entirety of the system. As we have moved forward through time we have built more and more complex systems, and are taking input from a user somewhere and using that input in other parts of the system.”
A new culture of software error mitigation
The goal of releasing this list of the most common vulnerabilities and exposures is to provide guidance to software developers, testers, evaluators, security researchers and educators. The hope is that circulation of this list of common software vulnerabilities will eliminate many of the weaknesses now commonly found in software in the marketplace. It is far easier to debug, fix and patch software before it goes to market.
This new culture of software error mitigation is especially important for certain industries, such as the healthcare industry, which has historically struggled with patching and with overuse of legacy platforms. Once software vulnerabilities are introduced into a healthcare IT system, it is much more difficult to make the requisite security fixes. As a result, CISA encourages users and administrators to review the Top 25 list and then evaluate the recommended mitigations for each entry.
Coordination between private and public sector entities
One encouraging result of the Department of Homeland Security once again publishing the list of Top 25 software vulnerabilities, after a quiet period of 8 years, is that it suggests greater coordination between the private and public sector moving forward. That is especially important in certain industries, such as transportation, healthcare and infrastructure. Eliminating harmful software errors in these industries would have a tremendous impact on both cyber security and national security.