I just had a look at the current version, the 2024 edition, of the CWE Top 25 Most Dangerous Software Weaknesses. The list is built on the weakness types of the Common Weakness Enumeration (CWE) and ranks the weaknesses that matter most in practice. Since 2019 it has been updated annually, based on recently observed vulnerabilities (documented as CVEs) and their mapping to the weaknesses (CWE IDs) that caused them, weighted by how often each weakness shows up in those CVEs and how severe the resulting vulnerabilities are.
The current version was published in November 2024, and a look at the top weaknesses shows the same problems as every year. CWE-79 (cross-site scripting) is back in pole position, swapping places with CWE-787 (out-of-bounds write), which had led the list from 2021 to 2023 and is now second, while CWE-89 (SQL injection) takes third place.
We can conclude that
- web applications are still a primary target,
- many applications are still based on relational databases using a SQL interface,
- and a lot of code is still written in C/C++, where raw pointer arithmetic and manual bounds handling make out-of-bounds writes possible.
Ok, that’s no surprise, but why is it the case? Are we still running that much legacy code, or is new software still being written with the same mistakes as always? Don’t we have programming languages and frameworks that make it nearly impossible to run into these standard problems: memory-safe languages for out-of-bounds writes, parameterized queries for SQL injection, template engines that encode output by default for cross-site scripting? Why are software developers not using them? Probably it’s a combination of both: a lot of software is still based on code developed 20 or more years ago, and switching to new programming languages and frameworks is not that easy.
Looking at the CWE Top 25 lists from the first edition in 2009 to the 2024 edition, nearly all of the entries fall under four broad categories of the CWE hierarchy:
- improper or missing input validation and output encoding (CWE-20 and CWE-116)
- range errors and improper control of a resource through its lifetime (CWE-118 and CWE-664)
- improper access control (CWE-284)
- improper authentication (CWE-287)
Surely, software developers cannot learn all of the 900+ weakness types listed in the CWE database. The good news is that they don’t need to. Focusing on the four categories above, and choosing programming languages and frameworks that address them by construction (memory safety, parameterized data access, output encoding by default, one enforced authentication and authorization layer instead of per-page checks), can probably avoid the vast majority of the weaknesses behind the top vulnerabilities.
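As an added illustration (not code from the original post), here is what the first and third entries of the 2024 list look like in code, each next to the "let the language or framework handle it" fix that the previous paragraph argues for; the second entry, the out-of-bounds write, can only be shown negatively in a bounds-checked language. The user table, credentials and payloads are constructed for this example, and it uses only the Python standard library.

```python
import html
import sqlite3


# Constructed sample data for the example: two users in an in-memory SQLite DB.
# Passwords are stored in plaintext only to keep the illustration short;
# real code stores salted password hashes.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn


# CWE-89 (rank 3): the query is assembled by string concatenation, so the
# caller's input is parsed as SQL. The constructed payload "' OR '1'='1"
# turns the WHERE clause into one that matches every row.
def login_vulnerable(conn: sqlite3.Connection, user: str, password: str) -> bool:
    sql = ("SELECT COUNT(*) FROM users WHERE name = '" + user
           + "' AND password = '" + password + "'")
    return conn.execute(sql).fetchone()[0] > 0


# Hardened: bound parameters. The driver passes the values separately from
# the statement text, so they can never change the query's structure.
def login_safe(conn: sqlite3.Connection, user: str, password: str) -> bool:
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (user, password)).fetchone()[0] > 0


# CWE-79 (rank 1), with CWE-116 as its root cause: untrusted text is placed
# into an HTML text node without output encoding.
def greeting_vulnerable(name: str) -> str:
    return "<p>Hello, " + name + "!</p>"


# Hardened: encode for the output context (HTML body). Template engines that
# auto-escape do exactly this on every interpolation, which is why choosing
# such a framework removes the weakness class rather than one instance of it.
def greeting_safe(name: str) -> str:
    return "<p>Hello, " + html.escape(name, quote=True) + "!</p>"


# CWE-787 (rank 2) has no Python version: an index past the end raises
# IndexError instead of silently overwriting neighbouring memory. (Negative
# indexes count from the end and are accepted; that would be a logic error,
# not a memory-safety one.)
def write_past_end(buf: list, index: int, value: int) -> bool:
    try:
        buf[index] = value
        return True
    except IndexError:
        return False


def demo() -> dict:
    conn = make_db()
    payload = "' OR '1'='1"                 # constructed SQL injection payload
    probe = "<script>alert(1)</script>"     # constructed XSS probe
    return {
        "sqli_vulnerable": login_vulnerable(conn, payload, payload),  # True
        "sqli_safe": login_safe(conn, payload, payload),              # False
        "xss_vulnerable": greeting_vulnerable(probe),   # script tag intact
        "xss_safe": greeting_safe(probe),               # &lt;script&gt;...
        "oob_write": write_past_end([0] * 4, 4, 1),     # False: IndexError
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Note that the two hardened functions are not "more careful" versions of the vulnerable ones; they hand the problem to the database driver and the encoder, so the developer does not have to know the CWE entry at all, which is the whole point of the argument above.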
Maybe some nice AI tools can also help clean up the legacy code that is still the foundation of many modern applications, provided their output is reviewed and tested like any other code change.
Something has to change if we don’t want to see the same CWE Top 25 entries for the next 15 years.