https://www.helpnetsecurity.com/2024/12/02/alec-summers-mitre-cwe-top-25-2024/
Inside the 2024 CWE Top 25: Trends, surprises, and persistent challenges

Mirko Zorz, Director of Content, Help Net Security
December 2, 2024

In this Help Net Security interview, Alec Summers, Project Leader for the CVE Program at MITRE, shares his insights on the 2024 CWE Top 25 most dangerous software weaknesses. He discusses the impact of the new methodology that involves the CNA community and highlights the persistent vulnerabilities that continue to make the list year after year. Summers also touches on the role of AI tools in identifying vulnerabilities and the importance of root cause mapping for improving cybersecurity efforts.

What are some fundamental changes or trends observed in the 2024 CWE Top 25 compared to previous years?

This year we had a new methodology that democratized data analysis with the CNA community. We are really excited about that because CVE Numbering Authorities (CNAs) are the authoritative voice on vulnerabilities within their CNA scope, closest to the products themselves, and better positioned than downstream third-party analysts to provide and review CWE mappings.

While there's a lot of minor movement within the ranks this year, it's still largely a similar set of CWEs that we've seen over the years. There's still a long way to go in resolving these stubborn weaknesses, even for those that have been known for decades.

How does the growing prevalence of AI-assisted coding influence the weaknesses identified in the list?

Our analysis does not take into account which vulnerabilities were the result of AI-assisted coding tools, due primarily to the fact that it is very difficult to discern in the data. That said, we are aware of studies indicating that AI-assisted coding can produce weaknesses already covered by CWE, i.e., AI-assisted coding can make the same mistakes that humans do.

Which software weaknesses from this year's list are the most surprising or concerning to you? Why?

While we see a bit of movement in rankings throughout the list for sure, we also continue to see the presence of the "usual suspects" (e.g., CWE-79, CWE-89, CWE-125). It's an ongoing concern that these and other stubborn weaknesses remain high on the Top 25 consistently.

That said, the rise of CSRF near the top of the rankings is a little surprising. This might reflect a greater emphasis on CSRF by vulnerability researchers, or maybe there are improvements in CSRF detection, or maybe more adversaries are focusing on this kind of issue. We can't be completely sure why it jumped the way it did.

How can organizations effectively leverage AI tools to identify and address vulnerabilities rather than inadvertently introducing them?

There are likely to be continued improvements in AI's ability to help developers identify weaknesses in their code. Different kinds of tools have different capabilities, and it is generally good to be using a combination of tools versus relying on any one in particular.

What improvements could be made to the CWE Top 25 to make it even more impactful for future cybersecurity efforts?

The CWE Top 25 is calculated by examining the available root cause mapping data within publicly available CVE Record information. Thus, the more CNAs that adopt CWE mapping as part of their vulnerability disclosure, and the more specific they are in their mappings, the more specific and valuable the Top 25 will be. We are seeing more and more CNAs take on root cause mapping with CWE, and we are encouraged by that.

Overall, here are two key points for this list:

1. Language: Too often cybersecurity issues are approached from the attacker's perspective (e.g., Cross-Site Scripting). It is equally, if not more, important for product developers to think more about cybersecurity from the "weakness" perspective (e.g., CWE-79: Improper Neutralization of Input During Web Page Generation). Root cause mapping with CWE encourages a valuable feedback loop into an organization's SDLC and architecture design planning, which in addition to increasing product security can also save money: the more weaknesses avoided in your product development, the fewer vulnerabilities to manage after deployment.

2. Action: Root cause mapping is best done by those closest to the products themselves: CNAs are the authoritative voice on vulnerabilities within their CNA scope and better positioned than downstream third-party analysts to provide and review CWE mappings. We are thrilled with the continued adoption of this practice among CNAs as a routine part of their vulnerability disclosure (see the CVE Program's CNA Enrichment Recognition List at the bottom of their regularly published metrics).