MITRE Releases 2019 List of Top Security Weaknesses | Digital Guardian


by Chris Brook on Wednesday September 18, 2019


MITRE has published a list of the most dangerous software errors - weaknesses that could lead to a critical vulnerability and in turn, code execution and the theft of data, if left unresolved.

Developers and those who work with software should be especially wary of errors in the way software performs operations on a memory buffer, and in how it neutralizes and validates input.

While many software weaknesses can indicate a problem and lead to vulnerabilities further down the road, these in particular are cause for concern, according to a new list released by MITRE this week.

MITRE, the not-for-profit organization that manages the Common Vulnerabilities and Exposures (CVE) list, a dictionary of disclosed cybersecurity vulnerabilities and exposures, published the list, the Top 25 Most Dangerous Software Errors, on Tuesday. The list aggregates the most pressing weaknesses as classified by its Common Weakness Enumeration (CWE™).

Ordinarily, there are a number of different ways to view MITRE’s CWE - users can look at weaknesses commonly introduced during design, during implementation, and in software written in different languages, C++, Java, and PHP for example. The weaknesses on this list, updated for the first time since 2011, are labeled dangerous because, if left unaddressed, they could let an attacker execute code on the software, steal data, or simply prevent the software from working.

The difference between this list and the one published nearly a decade ago is that this iteration is actually data-driven, based on CVE advisory data from the National Institute of Standards and Technology's (NIST) National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The 2011 list was based on surveys and interviews carried out by MITRE.

Three weaknesses - Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Neutralization of Input During Web Page Generation, or Cross-site Scripting (XSS); and Improper Input Validation - take the first three spots.

For the most dangerous weakness, in some languages directly addressing memory locations does not automatically ensure that those locations are valid for the memory buffer being referenced. This can allow read or write operations to be performed on memory locations linked to other data structures or internal program data. As a result, an attacker may be able to execute malicious code, alter the control flow, read sensitive data, or crash the system.
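As an added illustration of this weakness (example code written for this page, not MITRE's or Digital Guardian's), the snippet below shows the range check that a buffer accessor usually needs and why the obvious version is wrong: with unsigned arithmetic, offset + n can wrap around (the integer overflow at number 8 on the list, CWE-190), so a huge offset passes the test and the following access lands outside the buffer (CWE-119, with out-of-bounds read and write at 5 and 12). The buf_t type, the functions and the 16-byte buffer are all constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* A buffer that carries its own length (constructed for this example). */
typedef struct { uint8_t *data; size_t len; } buf_t;

/* The bounds test many implementations write.  size_t arithmetic wraps,
 * so offset + n can come out small for a huge offset; the test then passes
 * and the access that follows lands outside the buffer (CWE-190 leading to
 * CWE-119).  Only the predicate is evaluated here; no memory is touched. */
int weak_check_passes(size_t len, size_t offset, size_t n) {
    return offset + n <= len;
}

/* The same decision without any arithmetic that can wrap. */
int range_ok(size_t len, size_t offset, size_t n) {
    return n <= len && offset <= len - n;
}

/* Read n bytes at offset into dst; refuses anything outside the buffer
 * (prevents an out-of-bounds read, CWE-125).  0 on success, -1 if rejected. */
int buf_read(const buf_t *b, size_t offset, size_t n, uint8_t *dst) {
    if (!range_ok(b->len, offset, n)) return -1;
    memcpy(dst, b->data + offset, n);
    return 0;
}

/* Write n bytes from src at offset; same guard (prevents an out-of-bounds
 * write, CWE-787).  0 on success, -1 if rejected. */
int buf_write(buf_t *b, size_t offset, const uint8_t *src, size_t n) {
    if (!range_ok(b->len, offset, n)) return -1;
    memcpy(b->data + offset, src, n);
    return 0;
}

int main(void) {
    uint8_t storage[16] = {0};
    buf_t b = { storage, sizeof storage };
    uint8_t out[4];
    printf("weak check, offset SIZE_MAX, n 2: %s\n",
           weak_check_passes(b.len, SIZE_MAX, 2) ? "passes (wrong)" : "rejects");
    printf("range_ok,   same request:         %s\n",
           range_ok(b.len, SIZE_MAX, 2) ? "passes" : "rejects (correct)");
    printf("write 4 bytes at 12: %d\n", buf_write(&b, 12, (const uint8_t *)"abcd", 4));
    printf("write 4 bytes at 13: %d\n", buf_write(&b, 13, (const uint8_t *)"abcd", 4));
    printf("read  4 bytes at 12: %d\n", buf_read(&b, 12, 4, out));
    return 0;
}
```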

The rest of the top five is rounded out by common weaknesses including information disclosure and out-of-bounds read.

The full list of MITRE’s most dangerous weaknesses for 2019 is as follows:

Rank  ID       NVD Count  Avg CVSS  Overall Score
1     CWE-119  3545       8.045     75.56
2     CWE-79   3430       5.778     45.69
3     CWE-20   2360       7.242     43.61
4     CWE-200  2300       5.778     32.12
5     CWE-125  1428       7.242     26.53
6     CWE-89   977        5.961     24.54
7     CWE-416  799        7.270     17.94
8     CWE-190  867        9.129     17.35
9     CWE-352  693        8.374     15.54
10    CWE-22   759        7.679     14.10
11    CWE-78   486        8.365     11.47
12    CWE-787  510        7.275     11.08
13    CWE-287  495        8.707     10.78
14    CWE-476  572        8.169     9.74
15    CWE-732  334        8.188     6.33
16    CWE-434  239        6.834     5.50
17    CWE-611  262        7.949     5.48
18    CWE-94   230        8.637     5.36
19    CWE-798  215        8.782     5.12
20    CWE-400  288        6.980     5.04
21    CWE-772  304        6.714     5.04
22    CWE-426  215        7.823     4.40
23    CWE-502  177        8.921     4.30
24    CWE-269  226        7.332     4.23
25    CWE-295  248        6.658     4.06


The list assesses each weakness by what MITRE refers to as its frequency, essentially the number of times the weakness is mapped to a CVE within the National Vulnerability Database. The table on MITRE’s website also includes an average CVSS score for each weakness, which reflects the severity of the vulnerabilities it produces.

Developers may find it interesting to review the weaknesses that fell just outside the top 25, including server-side request forgery (SSRF), missing authentication for critical function, and open redirects.


Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.