The top 25 most dangerous errors found in the CVE repositories were just published, and they show some interesting and surprising trends over the past decade.
The first place in the Top 25 Most Dangerous Software Errors listed by the Common Weakness Enumeration (CWE) is taken by “Improper Restriction of Operations within the Bounds of a Memory Buffer,” followed by cross-site scripting, and improper input validation.
“These weaknesses are often easy to find and exploit. They are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working,” reads the CVE’s announcement. The CWE Top 25 is a community resource used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.
Some of the CVEs are new to the list, and many otherwise common vulnerabilities in the lists from 2010 or 2011 have disappeared. A few of the known vulnerabilities stuck around, but others were phased out by time and development.
For example, in 2011, the list still included “use of a one-way hash without a salt.” But the numerous hacks and leaks of the past few years took care of that security aspect. No one uses unsalted passwords for their services anymore.
On the other hand, the famous SQL injection CVE still hangs out at the top, but it’s interesting to see it drop it to number six after remaining one of the main issues in the past few years.
Over the past couple of years, the CVE team handled approximately 25,000 Common Vulnerabilities and Exposures that were submitted from volunteers from around the world, and the top is calculated from that pool.