Communications of the ACM

ACM Careers

Top 25 Most Dangerous Software Errors


From smartphone games and personal email accounts to international banking and hospital records, software is pervasive. It entertains, boosts efficiency, and even saves lives. Unfortunately, for every new program developed, there is likely a hacker ready to disrupt and exploit it. That's why it is vital for software designers, developers, and cybersecurity experts to keep apprised of potential weaknesses that could cause substantial damage to their computer systems.

The Common Weakness Enumeration list of the 25 most dangerous software errors is a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in software. The Homeland Security Systems Engineering and Development Institute (HSSEDI), which is managed by the U.S. Department of Homeland Security Science and Technology Directorate and is operated by MITRE, recently updated the top 25 CWE list for the first time in eight years.

"This list is an important tool for improving cybersecurity resiliency," says Scott Randels, Director of S&T's Federally-Funded Research and Development Centers, which manages HSSEDI. "I'm excited about our ongoing collaboration with HSSEDI and the vast mitigation potential of this product."

HSSEDI provides specialized independent and objective expertise for addressing national homeland security needs in a number of vital areas, including information technology, communications, and cybersecurity.

In addition to being a useful guidance document, the 2019 CWE list is an important proof-of-concept. Back in 2011, analysts used a subjective approach, conducting personal interviews and surveys of industry experts to compile the list. And while that was an effective way to produce the top 25 list then, cybersecurity demands constant improvement. This time, analysts used a data-driven approach based on real-world vulnerabilities reported by security researchers.

"We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world," says CWE project leader Chris Levendis. "We will continue to mature the methodology as we move forward."

The CWE team, which is sponsored by the DHS Cybersecurity and Infrastructure Security Agency's (CISA's) Cybersecurity Division, leveraged approximately 25,000 Common Vulnerabilities and Exposures (CVE) entries from the past two years. CVE data are submitted by volunteers around the world who have demonstrated mature vulnerability management practices and a commitment to cybersecurity.

CVE data are published in the National Vulnerability Database, which is a product of the National Institute of Standards and Technology's Information Technology Laboratory and is also sponsored by the CISA Cybersecurity Division. CISA requested that HSSEDI take on the important task of updating the list.

The ranking system used to determine the top 25 most dangerous software errors was based on a formula that accounted for prevalence and severity. Weaknesses that are both common and can cause significant harm received a high score, while issues that are rarely exploited or have a low impact were filtered out.
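An added Python example, not from the article, of how a prevalence-times-severity ranking of this kind works: it implements the normalised frequency multiplied by normalised average CVSS formula that MITRE published for the 2019 list (treated here as an assumption, since the article only paraphrases the formula) over a constructed set of CVE records, so that a common-and-severe weakness rises to the top while rare or low-impact ones score near zero.

```python
"""Rank CWEs by prevalence * severity, in the style of the 2019 CWE Top 25.

Score = Fr * Sv * 100, where for each CWE X:
  Fr(X) = (count_X - min_count) / (max_count - min_count)
  Sv(X) = (avg_cvss_X - min_avg_cvss) / (max_avg_cvss - min_avg_cvss)
The formula is assumed to match MITRE's 2019 methodology; the records
below are constructed sample data, not NVD entries.
"""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (placeholder CVE id, mapped CWE, CVSS base score)
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8), ("CVE-0000-0002", "CWE-119", 7.5),
    ("CVE-0000-0003", "CWE-119", 8.8), ("CVE-0000-0004", "CWE-79", 6.1),
    ("CVE-0000-0005", "CWE-79", 5.4),  ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 4.3),  ("CVE-0000-0008", "CWE-89", 9.8),
    ("CVE-0000-0009", "CWE-89", 8.8),  ("CVE-0000-0010", "CWE-200", 5.3),
]


def score_cwes(cves):
    """Return {cwe: score} using normalised prevalence * normalised severity."""
    counts = defaultdict(int)        # how often each CWE appears (prevalence)
    severities = defaultdict(list)   # CVSS scores per CWE (severity)
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        severities[cwe].append(cvss)
    avg = {cwe: mean(scores) for cwe, scores in severities.items()}
    min_c, max_c = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg.values()), max(avg.values())
    result = {}
    for cwe in counts:
        # Guard against a degenerate data set where every CWE ties.
        fr = (counts[cwe] - min_c) / (max_c - min_c) if max_c != min_c else 1.0
        sv = (avg[cwe] - min_s) / (max_s - min_s) if max_s != min_s else 1.0
        result[cwe] = round(fr * sv * 100, 2)
    return result


def top_n(cves, n=25):
    """Sorted (cwe, score) list, highest first, cut to the top n entries."""
    ranked = sorted(score_cwes(cves).items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for rank, (cwe, score) in enumerate(top_n(SAMPLE_CVES), 1):
        print(f"{rank:2d}. {cwe:<8} {score:6.2f}")
```

With the sample data, CWE-119 (three hits averaging 8.7) outranks CWE-89 (two hits averaging 9.3), which is exactly the prevalence-versus-severity trade-off the formula encodes.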

As a result, the 2019 list identified a new top weakness: "Improper Restriction of Operations within the Bounds of a Memory Buffer." The previous top weakness, "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" dropped down to the number six spot.

The pervasive use of software on personal computing devices and by businesses makes the CWE top 25 list a vital resource that enhances resiliency of cyber systems.

"Eliminating weaknesses prior to software entering the marketplace is an important step in reducing the attack surface which better protects everybody, anywhere in the world," Levendis says.
