Top 25 most important software weaknesses

There are many vulnerabilities that can affect our security day to day: flaws in the software we use, in our network connections or in our devices can become a threat. In this article we echo a list published by MITRE of the 25 main software weaknesses behind the serious vulnerabilities that can affect our security. Let's talk about it.

25 most important software weaknesses

There are many errors that can affect the programs we use and the tools built into our devices; they are part of our day to day. At times, however, these vulnerabilities can represent a more serious threat.

MITRE, an American company dedicated to systems engineering, research and development, has published a list of the 25 most important software weaknesses. They point out that these errors can be easily exploited and, ultimately, used by an attacker to take control of a system.

Through these vulnerabilities, which are considered serious, an attacker could steal confidential data, render certain software unusable or carry out various other attacks.

MITRE's main objective in making this list public is for software developers to use it as a guide for controlling these weaknesses. That way they can build more secure software that does not put users' security at risk, or at least reduces that risk as much as possible.

Keep in mind that these 25 weaknesses were not chosen at random or by opinion. To reach this ranking they applied a formula that combines different scores into a final assessment for each one. In this way they can draw up a definitive list of the weaknesses that are both the most prevalent and the most dangerous.

The list was built from vulnerabilities reported around the world. Each weakness has been given a name, and alongside each one they have put its valuation, the CVSS score, which shows which are the most dangerous and, in short, which ones developers have to be most careful with.

Main vulnerabilities according to MITRE

Starting with the top 5, the most important weakness for MITRE, and the one with the highest score, is Improper Restriction of Operations within the Bounds of a Memory Buffer. It has been assigned the identifier CWE-119 and has a score of 75.56.

The second is Improper Neutralization of Input During Web Page Generation, better known as cross-site scripting. It has a score of 45.69 and is identified as CWE-79.

Next come, respectively, Improper Input Validation, with a score of 43.61 and identified as CWE-20; Information Exposure, CWE-200, with a score of 32.12; and, closing the top 5, CWE-125, Out-of-bounds Read, with a score of 26.53.
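The number one entry, CWE-119, and its two relatives further down the list, CWE-125 (out-of-bounds read) and CWE-787 (out-of-bounds write), all come down to code that touches a buffer without first checking that the index or length fits. The C below is an added example written for this article; it is not code from MITRE or from the original post. The function names (copy_name_unchecked, copy_name_checked, read_byte_checked) and the buffer size NAME_MAX are assumptions made for the illustration. It shows the unchecked copy that produces the weakness next to a version that enforces the destination bound and reports failure instead of silently writing past the end, plus a bounded read that refuses an out-of-range index.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 16   /* assumed fixed-size field, e.g. a user name in a struct */

/* CWE-119 / CWE-787 pattern: the copy is driven entirely by the length of
 * src, so any input of NAME_MAX bytes or more writes past the end of dst.
 * Kept here only as the "before" picture; it is never called with long input. */
void copy_name_unchecked(char *dst, const char *src) {
    strcpy(dst, src);   /* writes strlen(src)+1 bytes regardless of dst size */
}

/* Hardened version: the caller passes the real capacity of dst, the length is
 * checked before any byte is written, and an oversized input is rejected
 * (and dst left as an empty string) rather than truncated or overflowed. */
int copy_name_checked(char *dst, size_t dst_len, const char *src) {
    size_t n = strlen(src);
    if (dst_len == 0) {
        return -1;
    }
    if (n >= dst_len) {          /* need room for n chars plus the NUL */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);     /* n+1 <= dst_len is now guaranteed */
    return 0;
}

/* CWE-125 counterpart: a read that validates the index against the buffer
 * length instead of trusting it. Returns 0 and stores the byte on success,
 * -1 if idx is out of range (nothing is read in that case). */
int read_byte_checked(const unsigned char *buf, size_t len, size_t idx,
                      unsigned char *out) {
    if (idx >= len) {
        return -1;
    }
    *out = buf[idx];
    return 0;
}

int main(void) {
    char name[NAME_MAX];
    unsigned char record[4] = {0xde, 0xad, 0xbe, 0xef};  /* constructed sample */
    unsigned char b;

    printf("short name: %d\n", copy_name_checked(name, sizeof name, "alice"));
    printf("long name:  %d\n",
           copy_name_checked(name, sizeof name, "a-name-that-is-far-too-long"));
    printf("idx 3: %d\n", read_byte_checked(record, sizeof record, 3, &b));
    printf("idx 4: %d\n", read_byte_checked(record, sizeof record, 4, &b));
    return 0;
}
```

The point of passing dst_len explicitly is that the bound lives where the write happens, so a reviewer can see the check next to the memcpy rather than having to trace every caller to find out how big the buffer really is. Returning an error instead of truncating also avoids a second, quieter class of bugs where a silently shortened value is later treated as valid.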

These are the five main weaknesses according to MITRE. In total, however, the list they have published contains 25. The remaining 20 are the ones listed below, each with its identifier, name and score:

  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ("SQL Injection") 24.54
  • CWE-416 Use After Free 17.94
  • CWE-190 Integer Overflow or Wraparound 17.35
  • CWE-352 Cross-Site Request Forgery (CSRF) 15.54
  • CWE-22 Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal") 14.10
  • CWE-78 Improper Neutralization of Special Elements used in an OS Command ("OS Command Injection") 11.47
  • CWE-787 Out-of-bounds Write 11.08
  • CWE-287 Improper Authentication 10.78
  • CWE-476 NULL Pointer Dereference 9.74
  • CWE-732 Incorrect Permission Assignment for Critical Resource 6.33
  • CWE-434 Unrestricted Upload of File with Dangerous Type 5.50
  • CWE-611 Improper Restriction of XML External Entity Reference 5.48
  • CWE-94 Improper Control of Generation of Code ("Code Injection") 5.36
  • CWE-798 Use of Hard-coded Credentials 5.12
  • CWE-400 Uncontrolled Resource Consumption 5.04
  • CWE-772 Missing Release of Resource after Effective Lifetime 5.04
  • CWE-426 Untrusted Search Path 4.40
  • CWE-502 Deserialization of Untrusted Data 4.30
  • CWE-269 Improper Privilege Management 4.23
  • CWE-295 Improper Certificate Validation 4.06