The Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by MITRE, today released the 2020 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. The Top 25 uses data from the National Vulnerability Database (NVD) to compile the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition.
The new list of the top 25 most dangerous software weaknesses from the Homeland Security Systems Engineering and Development Institute contains many well-known vulnerabilities that have been targeted by cybercriminals for over a decade now. Injections top the list of the OWASP Top 10 Web Application Security Risks, and feature prominently on this list as well. Many other items on the list also match closely with the OWASP Top 10. These aren’t new risks, so why have organizations failed to find these problems before releasing code to production, or failed to protect these vulnerabilities against attack in production? Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect. The National Institute of Standards and Technologies (NIST) has recognized these shortcomings as well, and as a result, recently updated draft 5 of the SP800-53 application security framework to include RASP (Runtime Application Self Protection) and IAST (Interactive Application Security Testing) to better protect against these critical software weaknesses.