MITRE Announces Most Dangerous Software Weaknesses
The US government has published a list of the most “common and impactful” software weaknesses of the past two years.
The CWE Top 25 list was announced by the Homeland Security Systems Engineering and Development Institute, sponsored by the Department of Homeland Security and operated by non-profit MITRE.
Software weaknesses are errors, bugs, flaws and more that can lead to vulnerabilities. Unlike the Common Vulnerabilities and Exposures (CVE) system, which provides a number for each discovered vulnerability, Common Weakness Enumeration (CWE) is more like a glossary of generic weakness types. In other words, it refers to types of software weakness rather than specific vulnerabilities.
Top of the newly published list is out-of-bounds write, followed by cross-site scripting and SQL injection.
“The CWE Top 25 is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for root cause mappings to CWE weaknesses for the previous two calendar years. These weaknesses lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, steal data, or prevent applications from working,” explained the US Cybersecurity and Infrastructure Security Agency (CISA).
“The 2023 CWE Top 25 also incorporates updated weakness data for recent CVE records in the dataset that are part of CISA’s Known Exploited Vulnerabilities Catalog (KEV).”
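As an added illustration of the ranking CISA describes above (this is example code, not anything published by CISA or MITRE): each CVE record is mapped to its root-cause CWE, and each CWE is then scored by its min-max-normalized frequency multiplied by its normalized average CVSS severity, which is the formula the published CWE Top 25 methodology uses. The CVE records below are constructed sample data, not real entries from the NVD.

```python
from collections import defaultdict

# Constructed sample of CVE records already mapped to a root-cause CWE,
# each with a CVSS base score. Illustrative data only, not real CVEs.
SAMPLE_CVES = [
    {"id": "CVE-0000-0001", "cwe": "CWE-787", "cvss": 9.8},  # out-of-bounds write
    {"id": "CVE-0000-0002", "cwe": "CWE-787", "cvss": 8.8},
    {"id": "CVE-0000-0003", "cwe": "CWE-787", "cvss": 9.8},
    {"id": "CVE-0000-0004", "cwe": "CWE-787", "cvss": 7.5},
    {"id": "CVE-0000-0005", "cwe": "CWE-79", "cvss": 6.1},   # cross-site scripting
    {"id": "CVE-0000-0006", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "CVE-0000-0007", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "CVE-0000-0008", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "CVE-0000-0009", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "CVE-0000-0010", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "CVE-0000-0011", "cwe": "CWE-79", "cvss": 6.1},
    {"id": "CVE-0000-0012", "cwe": "CWE-89", "cvss": 9.8},   # SQL injection
    {"id": "CVE-0000-0013", "cwe": "CWE-89", "cvss": 8.8},
    {"id": "CVE-0000-0014", "cwe": "CWE-89", "cvss": 9.8},
    {"id": "CVE-0000-0015", "cwe": "CWE-20", "cvss": 4.3},   # improper input validation
]


def _norm(value, lo, hi):
    """Min-max normalize to [0, 1]; a single distinct value normalizes to 1."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def rank_cwes(records):
    """Return [(cwe, score), ...] sorted by descending score (0-100 scale).

    score = normalized frequency * normalized average CVSS * 100, i.e. a
    weakness type must be both common and severe to rank highly.
    """
    freq = defaultdict(int)
    sev_sum = defaultdict(float)
    for rec in records:
        freq[rec["cwe"]] += 1
        sev_sum[rec["cwe"]] += rec["cvss"]
    avg_sev = {cwe: sev_sum[cwe] / freq[cwe] for cwe in freq}
    f_lo, f_hi = min(freq.values()), max(freq.values())
    s_lo, s_hi = min(avg_sev.values()), max(avg_sev.values())
    scores = {
        cwe: round(_norm(freq[cwe], f_lo, f_hi) * _norm(avg_sev[cwe], s_lo, s_hi) * 100, 2)
        for cwe in freq
    }
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"{position}. {cwe}: {score}")
```

Note that the least frequent and least severe weakness scores exactly zero under min-max normalization, which is why the published list also reports raw CVE counts alongside the score.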
CISA urged developers and product security teams to review the top 25 list and decide which of the recommended mitigations to adopt.
CISA added that further articles will be published over the coming weeks explaining the methodology used to calculate the Top 25, vulnerability mapping trends and more.
Other useful topics will include weaknesses that didn’t make it into the list but are still worth looking out for, trends in real-world CWEs and a list of CWEs ranked by CISA’s KEV.
CWEs are becoming increasingly important as developers and security teams look to avoid the root causes that can become vulnerabilities. In 2022, a record number (25,096) of CVEs were published to the NVD. This was a 25% year-on-year increase and the sixth year in a row that the volume of newly discovered vulnerabilities hit an all-time high.