A new year is a time for reflection: looking at what happened in the prior year and setting goals for the year ahead. This applies to all activities, including software weaknesses. The Cybersecurity and Infrastructure Security Agency (CISA) released the 2024 version of the Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list. This list spotlights the types of critical weaknesses that expose software systems to exploitation. CISA urges organizations to review the list and prioritize these weaknesses in development and procurement processes. The top three weaknesses in 2024, cross-site scripting, out-of-bounds write, and SQL injection, were the same as in 2023, with the top two spots swapping places.
Understanding the CWE Top 25 List
The CWE is a community-developed taxonomy or dictionary of common software weaknesses. A weakness is a condition within a component that, under certain circumstances, can lead to security issues. The CWE is based on the concept that vulnerabilities have the same root cause, independent of vendor, coding language, operating system, program, or usage. The CWE contains 940 weaknesses, segmented into four levels, that range from abstract and conceptual to precise and technology- or language-specific. The CWE is different from Common Vulnerability and Exposures (CVE) in that it looks at classes of vulnerabilities, not the specific instance of a vulnerability. A CWE contains numerous specific CVEs.
The Top 25 List of CWEs is an analysis of the CVE dataset over a period of time, in which each CWE is scored by severity and frequency of risk. This year’s dataset included 31,770 CVE Records for vulnerabilities published between June 1, 2023, and June 1, 2024. The list can be used by organizations and developers to prioritize which classes of weaknesses they should be emphasizing as they develop software and products.
A scoring system is used to calculate the rank order of weaknesses. Each CWE is scored by frequency (the number of times a CWE is the root cause of a vulnerability) and severity (the average of the Common Vulnerability Scoring System (CVSS) ranking of all the CVE records included within a single CWE). The level of danger presented by a particular CWE, referred to as the Danger Score, is determined by multiplying the frequency and severity scores. "Weaknesses that were rarely discovered will not receive a high-frequency score, regardless of the typical consequence associated with any exploitation," the list's methodology page explained. "Weaknesses that are both common and caused significant harm will receive the highest scores."
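The scoring described above, carried out over a constructed set of CVE records, as an added example that is not code from the article or from CISA/MITRE. Frequency is the count of records whose root cause is a given CWE, severity is the mean CVSS score of those records, and the Danger Score is their product. Both factors are min-max scaled to 0..1 before multiplying, as the published CWE Top 25 methodology does; without that step the product of a count and a mean is simply the sum of the CVSS scores. The CVE ids are placeholders; the CWE ids are the real identifiers for the weaknesses the article names.

```python
# Added example, not code from the article or from CISA/MITRE: ranking CWEs by the
# Danger Score the article describes (frequency x severity) over constructed records.
from collections import defaultdict
from statistics import mean

# Constructed sample records: (placeholder CVE id, root-cause CWE, CVSS base score).
# The CVE ids are not real; the CWE ids are the real identifiers for cross-site
# scripting (79), out-of-bounds write (787), SQL injection (89), exposure of
# sensitive information (200) and uncontrolled resource consumption (400).
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0002", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0003", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0004", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0005", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0006", "CWE-787", 9.8),
    ("CVE-EXAMPLE-0007", "CWE-787", 7.8),
    ("CVE-EXAMPLE-0008", "CWE-787", 8.8),
    ("CVE-EXAMPLE-0009", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0010", "CWE-89", 8.8),
    ("CVE-EXAMPLE-0011", "CWE-200", 7.5),
    ("CVE-EXAMPLE-0012", "CWE-400", 5.3),
]


def _scale(value, low, high):
    """Min-max scale to 0..1; if every CWE shares the same value, treat all as equal (1.0)."""
    return 1.0 if high == low else (value - low) / (high - low)


def danger_scores(records):
    """Return {cwe: {"frequency": count, "severity": mean CVSS, "score": danger score}}."""
    by_cwe = defaultdict(list)
    for _cve_id, cwe, cvss in records:
        by_cwe[cwe].append(cvss)

    counts = {cwe: len(v) for cwe, v in by_cwe.items()}
    means = {cwe: mean(v) for cwe, v in by_cwe.items()}
    lo_c, hi_c = min(counts.values()), max(counts.values())
    lo_s, hi_s = min(means.values()), max(means.values())

    result = {}
    for cwe in by_cwe:
        freq = _scale(counts[cwe], lo_c, hi_c)  # how often this CWE is the root cause
        sev = _scale(means[cwe], lo_s, hi_s)    # how severe its CVEs are on average
        result[cwe] = {
            "frequency": counts[cwe],
            "severity": round(means[cwe], 2),
            "score": round(freq * sev * 100, 2),
        }
    return result


def ranked(records):
    """CWE ids in Top 25 order: highest Danger Score first."""
    scores = danger_scores(records)
    return sorted(scores, key=lambda c: scores[c]["score"], reverse=True)


if __name__ == "__main__":
    scores = danger_scores(SAMPLE_CVES)
    for position, cwe in enumerate(ranked(SAMPLE_CVES), 1):
        s = scores[cwe]
        print(f"{position:2}. {cwe:8} freq={s['frequency']:2} "
              f"sev={s['severity']:5} score={s['score']}")
```

On this constructed data the single-record weaknesses (CWE-200, CWE-400) score zero no matter how severe their one CVE is, which is the behaviour the methodology quote describes: rarity alone keeps a weakness off the top of the list.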
CWE Top List Trends Over Time
Comparing the 2023 list with the 2024 CWE Top 25 version shows few changes. The same three weaknesses that were most dangerous in 2023 remained so in 2024. Cross-site scripting moved into the top spot, and the previous year's number one, out-of-bounds write, dropped a spot. SQL injection remained in the bronze position. Twenty-three of the 25 weaknesses are present on both lists. The new CWEs in 2024 were number 17, exposure of sensitive information to an unauthorized actor, and number 24, uncontrolled resource consumption.
Looking at the CWE Top 25 List from five years ago provides some interesting data. The 2024 list contains 21 holdovers from 2019. The positions of the weaknesses are significantly different, with the exception of cross-site scripting: this year's top risk was in the number two position in 2019. A notable difference between the two lists is that the average danger score is significantly lower in the most recent list. In 2019, the average score was 16.4, and in 2024, it is 11.7. This represents a 40% drop in the overall danger score. This could signify that organizations are utilizing the CWE Top 25 as they work to improve the security of software.
Why Software Vulnerabilities Continue to Exist
Software is used extensively, and the growth in cloud computing and the Internet of Things (IoT) is ensuring that more software is required. This growth in software encourages developers to write software quickly. The use of AI-enhanced tools will improve code creation speed. The pressure to release software can result in security not being prioritized. This situation is most likely the primary reason software is released with vulnerabilities.
Another factor in why software is released with coding weaknesses is a lack of knowledge of secure coding practices. As the CWE Top 25 list illustrates, most software weaknesses are well established, but many developers are not trained in how to write secure code. Software is also not tested for security as robustly as it should be. Quality control needs to include security testing along with functionality testing.
Software Vulnerability Mitigation Strategies
According to the CISA, the purpose of the CWE Top 25 list is to provide data on the most common types of software errors, allowing developers and engineers to focus on avoiding those problems in the products and systems they build. By providing insights into the common root causes of vulnerabilities, organizations can optimize their software development life cycle (SDLC) to eliminate entire classes of defects. The CWE list can be a starting point for organizations that aren't sure where to begin when it comes to application security.
The CWEs provide considerable information on prevention and remediation steps to mitigate or eliminate weaknesses. For example, the entry on cross-site scripting has potential mitigation suggestions for 12 phases of the SDLC where the fix may be applied. A sample entry under implementation is to "assume all input is malicious. Use an 'accept known good' input validation strategy ... Reject any input that does not strictly conform to specifications or transform it into something that does."
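The "accept known good" strategy quoted above, shown as an added example that is not code from the article or from the CWE-79 entry: a cross-site scripting pattern (untrusted input concatenated into HTML) beside its hardened form, which rejects input that does not conform to an allowlist specification and HTML-encodes it on output. The display-name format, the greeting page and the function names are assumptions made for the illustration.

```python
# Added example, not code from the article or the CWE-79 entry: "accept known good"
# input validation (reject or transform), beside a CWE-79 pattern and its fix.
import html
import re

# Allowlist specification (assumed for this example) for a display name: letters,
# digits, spaces, hyphens and apostrophes, 1 to 40 characters. Anything outside it
# is rejected outright rather than "cleaned up" on the fly.
DISPLAY_NAME = re.compile(r"[A-Za-z0-9 '\-]{1,40}")


def validate_display_name(value):
    """Accept-known-good check: return the value only if it strictly conforms."""
    if not isinstance(value, str) or not DISPLAY_NAME.fullmatch(value):
        raise ValueError("display name does not conform to specification")
    return value


def normalize_display_name(value):
    """The 'transform it into something that does' option: drop every character
    outside the allowlist, truncate, then re-validate the result (an empty result
    still fails, so stripping never silently produces an accepted value)."""
    kept = re.sub(r"[^A-Za-z0-9 '\-]", "", value)[:40]
    return validate_display_name(kept)


def render_greeting_unsafe(name):
    """Vulnerable pattern (CWE-79): untrusted input concatenated straight into HTML,
    so any markup in the name reaches the browser as markup."""
    return f"<p>Hello, {name}!</p>"


def render_greeting(name):
    """Hardened: reject non-conforming input, then HTML-encode on output so the
    browser can never interpret the value as markup even if the allowlist is widened."""
    return f"<p>Hello, {html.escape(validate_display_name(name))}!</p>"


if __name__ == "__main__":
    print(render_greeting("O'Brien"))
    print(render_greeting_unsafe("<b>admin</b>"))  # markup survives: the weakness
    try:
        render_greeting("<b>admin</b>")
    except ValueError as err:
        print("rejected:", err)
    print(render_greeting(normalize_display_name("Jo <Admin>")))
```

Validation and output encoding are kept as two separate steps on purpose: the allowlist enforces the data's specification at the boundary, while `html.escape` makes the rendering safe regardless of what the allowlist permits, so loosening one later does not silently reopen the weakness.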
There are many steps organizations can take to improve software development. Brandon Potter, CTO of ProCircular, highlights that "organizations must address these risks by reinforcing secure coding standards and integrating both static and dynamic security testing into their build processes. Annual penetration testing, performed by experts, is also critical to uncovering vulnerabilities that automated tools may miss." He also emphasized that organizations must foster a security-first culture.
Future Outlook
The CWE list is a valuable metric for measuring software security. Comparisons across the years offer some encouragement that software security has improved, as the average danger score for the top 25 CWEs has dropped significantly. Software developers are striving to improve the quality of their software by reducing the incidence of the most common software errors. More effort needs to be made, but the foundation for improvement exists.
CISA's Secure by Design and Secure by Demand initiatives encourage the building and procurement of secure software by providing best practices and guidance. As these efforts grow, they should lead to further reductions in the CWE scores. In a world where automation can discover and exploit software errors quickly and efficiently, it is critical that developers and companies use all of the tools available to remove weaknesses during design, before they are incorporated into production software.
Time will tell, but the future is looking better as more developers and companies strive to improve overall software resilience by prioritizing the eradication of the weaknesses highlighted within the CWE Top 25 list.