CWE Top 25 for 2024: XSS, SQLi, buffer overflows top the list

The full top 25 list is a bit daunting and the assigned scores don’t change all that much once you get past the top offenders, so let’s start with just the top 10 to see what really matters:

Top 10 CWEs for 2024

Web vulnerabilities and memory management flaws hog the limelight

While a number of reshuffles have taken place in the lower part of the list, the highest-scoring weaknesses are basically unchanged since 2023, with Missing Authorization being the only newcomer to the top 10 (replacing Improper Input Validation, which moved down slightly to #12). Looking at the scores, the top three weaknesses are way ahead of the rest:

  • Cross-site scripting (XSS): A web-only weakness covering any type of software flaw that lets an attacker execute unwanted scripts in the user’s browser, including reflected XSS, stored XSS, and DOM-based XSS
  • Buffer overflows: The official name “Out-of-bounds Write” covers a variety of security flaws that enable code to write to memory addresses outside its intended block (buffer), including buffer overflows, buffer underflows, and arbitrary writes. 
  • SQL injection: Allows an attacker to execute database commands by injecting SQL statements into the application via unsanitized inputs. SQL injections are nearly always web-based attacks.

Notably, four of the top five weaknesses represent typical web application vulnerabilities, confirming that web-based software appears in the vast majority of high-impact attacks and attack chains. But it’s not a sports tournament, so the rankings are not as important as how all those numbers are calculated and what they actually tell us.

How CWE Top 25 scores are calculated

The full CWE database (maintained by the MITRE Corporation) provides a taxonomy of all possible software and hardware weaknesses that can lead to security vulnerabilities (CVEs) if exploited and reported. The CWE Top 25 is compiled by analyzing CVE reports over a given period and determining the weaknesses that resulted in those vulnerabilities. Each weakness is then assigned a danger score that is a product of the frequency and average CVSS score of its corresponding vulnerabilities (full methodology here).

Because the final score is calculated by multiplying prevalence by severity, the highest scorers in the CWE Top 25 are weaknesses that frequently lead to severe vulnerabilities. In other words, a weakness that results in severe but rare CVEs and one that results in frequent but low-severity CVEs will both get a low danger score.

CWEs form a complex structure with nested hierarchies and cross-links, muddying the picture for high-level analysis. The CWE Top 25 team mapped all the weaknesses identified in the CVEs being analyzed to a simplified collection of 130 major CWEs and worked with that dataset, often reducing families of related CWEs to the broadest meaningful root cause. In contrast to the two previous editions, the CWE Top 25 for 2024 does not separately count weakness chains but, instead, accounts for all CWEs in a given chain. This would explain why Improper Input Validation has moved down the list despite potentially appearing alongside multiple top 10 items in attack chains.

Major themes in the 2024 CWE Top 25

All the top 25 weaknesses can be broadly assigned to one of three informal categories that tell us a lot about the most vulnerable aspects of the software development process. Interestingly, while the specific CWEs are slightly different than in the previous edition, the number of weaknesses per category remains unchanged:

  • Working with untrusted inputs (11 CWEs, 60% of the total danger score): Any time you’re dealing with input data that could be controlled by an attacker, you have a potential security risk. This includes not just inputs directly received in requests but also file uploads and deserialization of untrusted data.
  • Memory management errors (6 CWEs, 26% of the total danger score): While restricted to programming languages with direct memory access (usually C/C++), insecure memory operations are the #1 avenue for remote code execution, giving such weaknesses and the resulting CVEs a high severity.
  • Access management issues (8 CWEs, 14% of the total danger score): From improper authentication and authorization failures at various levels to exposing sensitive information or failing to limit resource consumption, ensuring correct and secure access to systems and resources is vital to limit exposure to attacks and minimize impact.

Using the CWE Top 25 for 2024 in practice

If nothing else, the CWE top 25 serves as yet another reminder that while chasing the latest and greatest in tech and cybersecurity is always more exciting and newsworthy (looking at you, AI), the majority of high-impact application security incidents are still caused by the oldest security weaknesses known to mankind: XSS, SQL injection, and memory management bugs.

The good news is that if you double down on the three major weakness categories and ensure they are an integral part of your application security program, you can mitigate a lot of risk with relatively little effort:

  • In all software development, treat all incoming data as untrusted and validate it before use. This includes all types of user inputs and file uploads, database queries (to prevent SQL injection), and even local resources like server logs (to prevent deserialization attacks). Use a high-quality app and API vulnerability scanner to find existing vulnerabilities and prevent similar flaws in the future.
  • If you write or maintain C/C++ software, enforce the use of secure memory management routines and make checking them a separate item in your code reviews, QA, and security testing. This is especially important with software for embedded systems and network appliances that are easy to target but hard to maintain and patch.
  • For all your applications and especially for APIs, incorporate fine-grained access controls at the level of data, application objects, and functions already during design. All resources should (ideally) have a defined, enforced, and tested level of authentication and authorization across all possible access avenues.

So rather than seeing the CWE Top 25 as the same old issues that just won’t go away, think of it as your guide to prioritizing developer training and security testing—and because it’s ranked by real-world impact, a little effort can go a long way to making real-life improvements to your security posture.


Frequently asked questions

What’s the difference between CWE and CVE?

CWEs are potential weaknesses while CVEs are reported vulnerabilities in specific products. The CWE list (Common Weakness Enumeration) is a taxonomy of software and hardware security weaknesses that could result in vulnerabilities if implemented in production. The CVE database (Common Vulnerabilities and Exposures) is a list of actual security defects that were found and reported.
 
Learn more about automatically finding both CWEs and CVEs

What’s the difference between OWASP Top 10 and CWE Top 25?

Both lists analyze CVEs and CWEs but differ in scope and purpose. The OWASP Top 10 is only for web applications and groups CWEs into broader categories that are then ranked. The CWE Top 25 covers all types of software and lists individual CWEs based on the severity and frequency of CVE records from the NVD that arose from a specific CWE.
 
Read more about the OWASP Top 10 for 2021

Does the CISA KEV list affect scores in the CWE Top 25?

Not directly, but KEV presence is specified alongside CWE danger scores for reference. The Known Exploited Vulnerabilities (KEV) list maintained by the US Cybersecurity and Infrastructure Security Agency highlights severe CVEs known to be exploited in the wild. In the 2024 CWE Top 25, Out-of-bounds Write has the highest KEV presence (18 CVEs).
 
Read more about the MOVEit Transfer breaches, one of the most serious KEV items in 2023 and 2024

The post CWE Top 25 for 2024: XSS, SQLi, buffer overflows top the list appeared first on Invicti.

Post a Comment

0 Comments