SQL injection errors are no longer considered the most severe or prevalent software security issue.
Replacing it at the top of the Common Weakness Enumeration (CWE) list of most dangerous software errors is “Improper Restriction of Operations within the Bounds of a Memory Buffer.” Cross-site scripting (XSS) errors rank second on the list, followed by improper input validation, information exposure, and out-of-bounds read errors. SQL injection flaws are now ranked sixth on the list of most severe security vulnerabilities.
The Department of Homeland Security’s Systems Engineering and Development Institute, operated by The MITRE Corp., this week released an updated top 25 CWE listing of software errors. The update is the first in eight years and ranks security vulnerabilities based on prevalence and severity.
The CWE team looked at a dataset of some 25,000 Common Vulnerabilities and Exposures (CVE) entries over the past two years and focused on security weaknesses in software that are both common and have the potential to cause significant harm. Issues that have a low impact or are rarely excluded were filtered out.
In the past, the compilers of the CWE list used a more subjective approach based on personal interviews and surveys of industry experts.
“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” Chris Levendis, CWE project leader, said in a statement Wednesday. “We will continue to mature the methodology as we move forward.”
Lists like the CWE and the Open Web Application Security Project (OWASP)’s top software security vulnerabilities are designed to raise awareness of common security missteps among developers. The goal is to help developers improve software quality and to assist them and testers in verifying security issues in their code. But over the years, the entries in these lists have changed little, suggesting that developers are repeatedly making the same mistakes.
“This highlights the unfortunate reality that despite many efforts, security is not being embedded effectively enough within the developer community, or in enterprise assurance frameworks,” says Javvad Malik, a security awareness advocate at KnowBe4. “It’s not that we are unaware of how to identify and remedy the issues or prevent them from occurring in the first place; there appears to be a culture where getting software shipped outweighs the security requirements,” he notes.
According to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, the new list and risk-ranking approaches make a lot of sense overall. However, some of the entries in the list are likely to cause some controversy, Kolochenko says.
Cross-site scripting errors, for example, while common are not particularly easy to exploit. “Successful exploitation of an XSS, unless it’s a stored one, always requires at least a modicum of social engineering and interaction with a victim,” he says.
One could potentially make similar comments about all other entries, arguing about the prevalence of the vulnerabilities in business-critical systems, ease of detection and exploitation, costs of prevention, and remediation time. “We will unlikely have a unanimous opinion on all of them,” Kolochenko says. “This is why it’s good to have different classifications and ratings that, once consolidated, provide a comprehensive overview of the modern-day vulnerability landscape.”