MITRE has released their top 25 list of Common Vulnerabilities and Exposures (CVEs). The winners were culled from roughly 27,000 CVEs in the National Vulnerability Database and represent the most common and dangerous weaknesses from the last two years (2019-2020). The list provides descriptions and research links for each of the weaknesses with examples of how they might be abused. Excerpt:
… Top 25 Most Dangerous Software Weaknesses (CWE Top 25) is a demonstrative list of the most common and impactful issues experienced over the previous two calendar years.
These weaknesses are dangerous because they are often easy to find, exploit, and can allow adversaries to completely take over a system, steal data, or prevent an application from working. The CWE Top 25 is a valuable community resource that can help developers, testers, and users — as well as project managers, security researchers, and educators — provide insight into the most severe and current security weaknesses.
At a quick glance, 9 of the top 25 current software security weaknesses involved identities in some form: authentication, credential stealing, impersonation and authorization. It is obvious that obtaining credentials into the enterprise, for initial and persistent access to the enterprise, is an objective of the hackers.
Stolen access is the "gift that keeps on giving" – allowing hackers the ability to "land and expand" across our IT systems by executing known hacker methodologies such as privilege escalation and lateral movement – both essentials in the oft-repeated "Cyber Kill Chain" that hackers use in APT and other attacks. Keeping a tight rein on access permissions and identities is key to a secure enterprise.
MITRE has updated its list of the 25 most dangerous vulnerabilities, and it contains few surprises. For over a decade, vulnerabilities such as out of bounds reads and writes, cross-site scripting and improper validation have headed this list, and they continue with the current update. This indicates that many developers and testers are still uncertain as to how to handle these conditions and illustrates the importance of supplementing development and testing with an analytics-based approach to identifying and investigating abnormal activity.