The Common Weakness Enumeration (CWE), a community-developed compilation of the most critical errors leading to vulnerabilities in software, has lowered SQL Injection from its #1 spot as the most dangerous attack technique.
SQL Injection, one of the oldest and most prevalent hacking techniques, enables attackers to spoof identity, change or destroy data, leak data, void transactions or change balances, and even gain administrator privileges on the database server.
It’s perhaps no surprise, then, that communities like the Open Web Application Security Project (OWASP) and the Common Weakness Enumeration (CWE) have long listed SQL Injection as the top attack vector in hacks exploiting software vulnerabilities. However, this is no longer the case.
According to a recent update by the CWE, a new data-driven technique is being used to rank the severity of software flaws, leading to a shift in ranking for some of the most common and most dangerous vulnerabilities.
“Back in 2011, analysts used a subjective approach, conducting personal interviews and surveys of industry experts to compile the list,” according to a report by the U.S. Department of Homeland Security, whose Science & Technology Directorate recently updated the top 25 CWE list for the first time in eight years.
“And while that was an effective way to produce the top 25 list then, cybersecurity demands constant improvement. This time, analysts used a data-driven approach based on real-world vulnerabilities reported by security researchers,” the DHS says.
According to CWE project leader Chris Levendis, the group shifted to a data-driven methodology “because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world.”
“We will continue to mature the methodology as we move forward,” Levendis said.
The 2019 CWE Top 25 is derived from a data set of approximately 25,000 Common Vulnerabilities and Exposures (CVEs) gathered between 2017 and 2018.
According to the report, the new ranking is based on a formula that accounts for prevalence and severity. The list prioritizes weaknesses that are both common and can cause significant harm. Also, the formula leaves out issues that are rarely exploited or have little impact.
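To make the prevalence-and-severity ranking concrete, here is an added example (not code from the article, from MITRE or from DHS) that applies the scoring published with the 2019 CWE Top 25 methodology: each weakness's CVE count and average CVSS score are min-max normalized across all weaknesses, and the two normalized terms are multiplied and scaled to 100. The CWE identifiers are real, but every CVE count and CVSS value below is constructed for illustration; the sample is deliberately arranged so that a weakness that is rare but severe, and one that is common but low-impact, both score zero, which is the "leaves out" behaviour the report describes.

```python
from statistics import mean

# Constructed sample data: CWE id -> CVSS base scores of the CVEs mapped to
# it over the scoring window. The IDs are real CWEs; every count and score
# is made up for illustration.
SAMPLE_CVES = {
    "CWE-119": [9.8, 7.8] * 4,            # memory-buffer bounds: common and severe
    "CWE-79":  [6.1] * 10,                # XSS: most common, moderate severity
    "CWE-89":  [9.8, 9.8, 7.5, 7.5],      # SQL injection: severe, less common here
    "CWE-416": [9.8],                     # use after free: severe but rare in the sample
    "CWE-200": [5.3, 4.3] * 3,            # information exposure: common, low severity
}


def normalize(values):
    """Min-max scale a {key: number} mapping onto [0, 1].

    This is the normalization used for the frequency (Fr) and severity (Sv)
    terms of the 2019 methodology. If every value is identical there is
    nothing to rank on, so everything maps to 0.
    """
    lo, hi = min(values.values()), max(values.values())
    if hi == lo:
        return {k: 0.0 for k in values}
    return {k: (v - lo) / (hi - lo) for k, v in values.items()}


def cwe_scores(cves_by_cwe):
    """Score each CWE as normalized frequency * normalized mean CVSS * 100.

    Because the two terms are multiplied, a weakness at the bottom of either
    scale (rarest, or least severe) scores 0 regardless of the other term.
    """
    freq = normalize({cwe: len(scores) for cwe, scores in cves_by_cwe.items()})
    sev = normalize({cwe: mean(scores) for cwe, scores in cves_by_cwe.items()})
    return {cwe: freq[cwe] * sev[cwe] * 100 for cwe in cves_by_cwe}


def rank(cves_by_cwe):
    """Return [(cwe, score), ...] sorted from highest to lowest score."""
    scores = cwe_scores(cves_by_cwe)
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank(SAMPLE_CVES), start=1):
        print(f"{position}. {cwe}: {score:.2f}")
```

On this constructed input the ordering comes out as CWE-119, then CWE-79, then CWE-89, while CWE-416 (a single high-severity CVE) and CWE-200 (many low-severity CVEs) both score 0.0. Swapping in real NVD counts and scores for a two-year window is all that separates this from the published calculation.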
As a result, the 2019 list identifies “Improper Restriction of Operations within the Bounds of a Memory Buffer” as the new top weakness, followed by Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). In third place comes Improper Input Validation, followed by Information Exposure and Out-of-bounds Read.
Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) moves down five positions to the sixth spot. The updated list can be found over at cwe.mitre.org.