Top 25 Most Dangerous CWE Software Errors, DHS S&T and Mitre


From smartphone games and personal email accounts to international banking and hospital records, software is everywhere, entertaining, boosting efficiency, and even saving lives.

Unfortunately, for every new program developed, there is likely a hacker ready to disrupt and exploit it, which is why it is vital for software designers, developers, and cybersecurity experts to keep apprised of potential weaknesses that could cause substantial damage to their computer systems.


The Common Weakness Enumeration (CWE™) Top 25 Most Dangerous Software Errors (CWE Top 25) is a demonstrative list of the most widespread and critical weaknesses that can lead to serious vulnerabilities in software.

These weaknesses are often easy to find and exploit, and are dangerous because they will frequently allow adversaries to completely take over execution of software, steal data, or prevent the software from working.

The Homeland Security Systems Engineering and Development Institute (HSSEDI), which is managed by the Department of Homeland Security (DHS) Science and Technology Directorate (S&T) and operated by MITRE, recently updated the CWE Top 25 list for the first time in eight years. S&T was recently honored with multiple awards in the 2019 ‘ASTORS’ Homeland Security Awards Program.

Scott Randels, Director, Federally Funded Research & Development Centers, Program Mgmt Office at U.S. Department of Homeland Security

“This list is an important tool for improving cybersecurity resiliency,” said Scott Randels, Director of S&T’s Federally-Funded Research and Development Centers, which manages HSSEDI.

“I’m excited about our ongoing collaboration with HSSEDI and the vast mitigation potential of this product.”

HSSEDI provides specialized independent and objective expertise for addressing national homeland security needs in a number of vital areas, including information technology, communications, and cybersecurity.

In addition to being a useful guidance document, the 2019 CWE list is an important proof-of-concept.

Back in 2011, analysts used a subjective approach, conducting personal interviews and surveys of industry experts to compile the list, and while that was an effective way to produce the top 25 list then, cybersecurity demands constant improvement.

This time, analysts used a data-driven approach based on real-world vulnerabilities reported by security researchers.

“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” said CWE project leader Chris Levendis.

“We will continue to mature the methodology as we move forward.”


The CWE team, which is sponsored by the Department of Homeland Security Cybersecurity and Infrastructure Security Agency’s (CISA) Cybersecurity Division, leveraged approximately 25,000 Common Vulnerabilities and Exposures entries from the past two years.

Common Vulnerabilities and Exposures data are submitted by volunteers around the world who have demonstrated mature vulnerability management practices and a commitment to cybersecurity.

Common Vulnerabilities and Exposures data are published in the National Vulnerability Database, which is a product of the National Institute of Standards and Technology’s Information Technology Laboratory and is also sponsored by the CISA Cybersecurity Division.

CISA requested HSSEDI take on the important task of updating the list.

The ranking system used to determine the top 25 most dangerous software errors was based on a formula that accounted for prevalence and severity.

Weaknesses that are both common and can cause significant harm received a high score, while issues that are rarely exploited or have a low impact were filtered out.

As a result, the 2019 list identified a new top weakness: “Improper Restriction of Operations within the Bounds of a Memory Buffer.”

The previous top weakness, “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)” dropped down to the number six spot.
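As an added illustration (not code from the article, DHS S&T or MITRE), the following Python computes a prevalence-times-severity score of the kind described above, in the normalised frequency × normalised average CVSS form used by the published 2019 CWE Top 25 methodology. The CVE records are constructed sample data with placeholder ids, not real NVD entries.

```python
"""Added example: rank CWEs by prevalence x severity.

Fr(cwe)  = (count(cwe) - min_count) / (max_count - min_count)
Sv(cwe)  = (avg_cvss(cwe) - min_avg) / (max_avg - min_avg)
Score    = Fr * Sv * 100
A weakness that is common but low-severity, or severe but rare,
scores low; only one that is both scores near the top."""
from collections import defaultdict

# Constructed sample records: (placeholder CVE id, mapped CWE, CVSS base score)
SAMPLE_CVES = [
    ("CVE-SAMPLE-0001", "CWE-119", 9.8),
    ("CVE-SAMPLE-0002", "CWE-119", 9.8),
    ("CVE-SAMPLE-0003", "CWE-119", 7.5),
    ("CVE-SAMPLE-0004", "CWE-119", 8.8),
    ("CVE-SAMPLE-0005", "CWE-79", 6.1),   # XSS: very common, moderate severity
    ("CVE-SAMPLE-0006", "CWE-79", 6.1),
    ("CVE-SAMPLE-0007", "CWE-79", 5.4),
    ("CVE-SAMPLE-0008", "CWE-79", 6.1),
    ("CVE-SAMPLE-0009", "CWE-79", 6.1),
    ("CVE-SAMPLE-0010", "CWE-89", 9.8),   # SQLi: severe but rarer in this sample
    ("CVE-SAMPLE-0011", "CWE-89", 8.8),
    ("CVE-SAMPLE-0012", "CWE-200", 5.3),  # rare and low impact: scores 0
]


def _norm(value, lo, hi):
    """Min-max normalise into [0, 1]; a single-CWE input has no spread."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Return {cwe_id: score} for a list of (cve_id, cwe_id, cvss) tuples."""
    counts, cvss_sum = defaultdict(int), defaultdict(float)
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        cvss_sum[cwe] += cvss
    avg = {cwe: cvss_sum[cwe] / counts[cwe] for cwe in counts}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())
    return {
        cwe: round(_norm(counts[cwe], min_c, max_c) * _norm(avg[cwe], min_s, max_s) * 100, 2)
        for cwe in counts
    }


def rank_cwes(cves):
    """Ordered list of (cwe_id, score), highest first; ties broken by id."""
    return sorted(score_cwes(cves).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"[{position}] {cwe} {score:.2f}")
```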

While terms like “SQL injection” may not be familiar to many, most Americans rely on software in their daily lives.

The pervasive use of software on personal computing devices and by businesses makes the CWE top 25 list a vital resource that enhances resiliency of cyber systems.

“Eliminating weaknesses prior to software entering the marketplace is an important step in reducing the attack surface which better protects everybody, anywhere in the world,” said Levendis.

The CWE Top 25

Below is a brief listing of the weaknesses in the 2019 CWE Top 25, including the overall score of each.

Rank ID Name Score
[1] CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer 75.56
[2] CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 45.69
[3] CWE-20 Improper Input Validation 43.61
[4] CWE-200 Information Exposure 32.12
[5] CWE-125 Out-of-bounds Read 26.53
[6] CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 24.54
[7] CWE-416 Use After Free 17.94
[8] CWE-190 Integer Overflow or Wraparound 17.35
[9] CWE-352 Cross-Site Request Forgery (CSRF) 15.54
[10] CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 14.10
[11] CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) 11.47
[12] CWE-787 Out-of-bounds Write 11.08
[13] CWE-287 Improper Authentication 10.78
[14] CWE-476 NULL Pointer Dereference 9.74
[15] CWE-732 Incorrect Permission Assignment for Critical Resource 6.33
[16] CWE-434 Unrestricted Upload of File with Dangerous Type 5.50
[17] CWE-611 Improper Restriction of XML External Entity Reference 5.48
[18] CWE-94 Improper Control of Generation of Code (‘Code Injection’) 5.36
[19] CWE-798 Use of Hard-coded Credentials 5.12
[20] CWE-400 Uncontrolled Resource Consumption 5.04
[21] CWE-772 Missing Release of Resource after Effective Lifetime 5.04
[22] CWE-426 Untrusted Search Path 4.40
[23] CWE-502 Deserialization of Untrusted Data 4.30
[24] CWE-269 Improper Privilege Management 4.23
[25] CWE-295 Improper Certificate Validation 4.06

The CWE Top 25 is a community resource that can be used by software developers, software testers, software customers, software project managers, security researchers, and educators to provide insight into some of the most prevalent security threats in the software industry.

DHS S&T Honored for Fourth Consecutive Year in Annual ‘ASTORS’ Excellence and Government Awards

Sridhar Kowdley, DHS S&T Next-Gen First Responders (NGFR) Program Manager

Department of Homeland Security (DHS) Science and Technology (S&T) Directorate

    • Excellence in Public Safety

    • Next Generation First Responder (NGFR) Program

    • The Next Generation First Responder (NGFR) Program works with first responders across the country to ensure the technology they use while responding to an emergency keeps them better protected, connected and fully aware.

DHS S&T National Urban Security Technology Laboratory (NUSTL)

DHS S&T Office of Mission and Capability Support

The 2019 ‘ASTORS’ Awards Program surpassed expectations with a record number of nominations received from industry leaders and government agencies, and drew over 200 attendees to the ‘ASTORS’ Awards Presentation Banquet – an exclusive gourmet luncheon and networking opportunity which filled to capacity, before having to turn away late registrants.

The 'ASTORS' Awards Luncheon featured an impassioned and compelling keynote address by William (Bill) Bratton, former police commissioner of the NYPD twice, the BPD, and former chief of the LAPD, on the history of policing in America and the evolution of critical communication capabilities in our post 9/11 landscape.

The event featured an impassioned and compelling keynote address by William J. Bratton, former police commissioner of the New York Police Department (NYPD) twice, the Boston Police Department (BPD), and former chief of the Los Angeles Police Department (LAPD), as he walked attendees through 50 years of American policing history, the impacts on the communities, and the evolution of critical communication capabilities in our post 9/11 landscape.

2019 ‘ASTORS’ Awards Presentation Luncheon. (Front row, left to right), Dr. Kathleen Kiernan, Founder and CEO of Kiernan Group Holdings (KGH); Commissioner Bill Bratton, Executive Chairman of Teneo Risk; John F. Clark, CEO of the National Center of Missing and Exploited Children (NCMEC); (Back row, left to right), David Cagno, Senior VP and Managing Director of Teneo; Bill Rendina, Founder and CEO of Valor Systems, Inc.; Ginger Dhaliwal, Co-Founder and CEO of Upflex; David Song, Chief Marketing Officer at KGH; Kenneth Peterson, Founder and CEO of Churchill & Harriman, Inc.; and Charles Swan, Chief of Engineering, Department of Defense.

Commissioner Bratton, one of the world’s most respected and trusted experts on risk and security issues and Executive Chairman of Teneo Risk, a global advisory firm, was recognized as the ‘2019 ‘ASTORS’ Person of the Year’ for his Lifetime of Dedication and Extraordinary Leadership in Homeland Security and Public Safety.

Why the 2019 ‘ASTORS’ Homeland Security Awards Program?

2019 ‘ASTORS’ Homeland Security Awards Luncheon at ISC East

American Security Today’s comprehensive Annual Homeland Security Awards Program is organized to recognize the most distinguished vendors of physical, IT, port security, law enforcement, and first responders, in acknowledgment of their outstanding efforts to ‘Keep our Nation Secure, One City at a Time.’

Over 200 distinguished guests representing Federal, State and Local Governments, and Industry Leading Corporate Firms, gathered from across North America, Europe and the Middle East to be honored among their peers in their respective fields which included: 

  • The Drug Enforcement Administration (DEA)
  • National Center for Missing and Exploited Children (NCMEC)
  • United States Marine Corps
  • The Federal Protective Service (FPS)
  • Argonne National Laboratory (ANL)
  • United States Postal Inspection Service
  • DHS S&T 
  • United States Marshals Service (USMS)
  • The Port Authority of New York & New Jersey Police (PAPD)
  • The Department of Justice (DOJ)
  • The New York State Division of Homeland Security & Emergency Services (NYS DHSES)
  • United States Border Patrol
  • AlertMedia, Ameristar Perimeter Security, Attivo Networks, Automatic Systems, Bellevue University, BriefCam, Canon U.S.A., CornellCookson, Drone Aviation, FLIR Systems, Hanwha Techwin, HID Global, IPVideo Corp., Konica Minolta Business Solutions, LenelS2, ManTech, Regroup Mass Notifications, SafeLogic, SolarWinds, Senstar, ShotSpotter, Smiths Detection, TCOM LP, Trackforce, Verint, and More!

Why American Security Today?

The traditional security marketplace has long been covered by a host of publications putting forward the old school basics to what is Today – a fast changing security landscape.


American Security Today is uniquely focused on the broader Homeland Security & Public Safety marketplace with over 75,000 readers at the Federal, State and local levels of government as well as firms allied to government.

American Security Today brings forward a fresh, compelling look and read with our customized digital publications that hold readers’ eyes throughout the story with cutting-edge editorial that provides solutions to their challenges.

Harness the Power of the Web – with our 100% Mobile Friendly Publications

AST puts forward the Largest and Most Qualified Circulation in Government with Over 75,000 readers on the Federal, State and Local levels.

The AST Digital Publications are distributed to over 75,000 qualified government and homeland security professionals at the federal, state and local levels.

‘PROTECTING OUR NATION, ONE CITY AT A TIME’

AST Reaches both Private & Public Experts, essential to meeting these new challenges.

Today’s new generation of public safety and security experts need real-time knowledge to deal with domestic and international terrorism, lone wolf attacks, unprecedented urban violence, shifts in society, culture and media bias – making it increasingly difficult for Homeland Security, Law Enforcement, First Responders, Military and Private Security Professionals to implement coordinated security measures to ensure national security and improve public safety.

American Security Today

These experts are from Government at the federal, state and local level as well as from private firms allied to government.

AST provides a full plate of topics in our AST Monthly Magazine Editions, AST Website and AST Daily News Alerts, covering 23 Vital Sectors such as Access Control, Perimeter Protection, Video Surveillance/Analytics, Airport Security, Border Security, CBRNE Detection, Ports, Cybersecurity, Networking Security, Encryption, Law Enforcement, First Responders, Campus Security, Security Services, Corporate Facilities, and Emergency Response among others.

AST has Expanded readership into integral Critical Infrastructure audiences such as Protection of Nuclear Facilities, Water Plants & Dams, Bridges & Tunnels, and other potential targets of terrorism.

Other areas of concern include Transportation Hubs, Public Assemblies, Government Facilities, Sporting & Concert Stadiums, our Nation’s Schools & Universities, and Commercial Business Destinations – all enticing targets due to the large number of persons and resources clustered together.

To learn more about the 2019 ‘ASTORS’ Homeland Security Award Winners’ solutions, be on the lookout for the 2019 ‘ASTORS’ Championship Edition Magazine – the Best Products of 2019 ‘A Year in Review’.

The ‘ASTORS’ Champion Edition is published annually in December and includes a review of programs, feature details on many of the winning firms, video interviews and more.
