URL: https://www.helpnetsecurity.com/2024/12/02/alec-summers-mitre-cwe-top-25-2024/

Mirko Zorz, Director of Content, Help Net Security
December 2, 2024
INSIDE THE 2024 CWE TOP 25: TRENDS, SURPRISES, AND PERSISTENT CHALLENGES



In this Help Net Security interview, Alec Summers, Project Leader for the CVE
Program at MITRE, shares his insights on the 2024 CWE top 25 most dangerous
software weaknesses. He discusses the impact of the new methodology that
involves the CNA community and highlights the persistent vulnerabilities that
continue to make the list year after year.

Summers also touches on the role of AI tools in identifying vulnerabilities and
the importance of root cause mapping for improving cybersecurity efforts.



WHAT ARE SOME FUNDAMENTAL CHANGES OR TRENDS OBSERVED IN THE 2024 CWE TOP 25
COMPARED TO PREVIOUS YEARS?

This year we had a new methodology that democratized data analysis with the CNA
community. We are really excited about that because CVE Numbering Authorities
(CNAs) are the authoritative voice on vulnerabilities within their CNA scope,
closest to the products themselves, and better positioned than downstream
third-party analysts to provide and review CWE mappings.

While there’s a lot of minor movement within the ranks this year, it’s still
largely a similar set of CWEs that we’ve seen over the years. There’s still a
long way to go in resolving these stubborn weaknesses, even for those that have
been known for decades.

HOW DOES THE GROWING PREVALENCE OF AI-ASSISTED CODING INFLUENCE THE WEAKNESSES
IDENTIFIED IN THE LIST?

Our analysis does not take into account which vulnerabilities were the result of
AI-assisted coding tools due primarily to the fact that it is very difficult to
discern in the data. That said, we are aware of studies indicating that
AI-assisted coding can produce weaknesses already covered by CWE, i.e.,
AI-assisted coding can make the same mistakes that humans do.

WHICH SOFTWARE WEAKNESSES FROM THIS YEAR’S LIST ARE THE MOST SURPRISING OR
CONCERNING TO YOU? WHY?

While we see a bit of movement in rankings throughout the list for sure, we also
continue to see the presence of the “usual suspects” (e.g., CWE-79, CWE-89,
CWE-125). It’s an ongoing concern that these and other stubborn weaknesses
remain high on the Top 25 consistently.

That said, the rise of CSRF near the top of the rankings is a little surprising.
This might reflect a greater emphasis on CSRF by vulnerability researchers or
maybe there are improvements in CSRF detection, or maybe more adversaries are
focusing on this kind of issue. We can’t be completely sure why it jumped the
way it did.

HOW CAN ORGANIZATIONS EFFECTIVELY LEVERAGE AI TOOLS TO IDENTIFY AND ADDRESS
VULNERABILITIES RATHER THAN INADVERTENTLY INTRODUCING THEM?

There are likely to be continued improvements in AI’s ability to help developers
identify weaknesses in their code. Different kinds of tools have different
capabilities, and it is generally good to be using a combination of tools versus
relying on any one in particular.

WHAT IMPROVEMENTS COULD BE MADE TO THE CWE TOP 25 TO MAKE IT EVEN MORE IMPACTFUL
FOR FUTURE CYBERSECURITY EFFORTS?

The CWE Top 25 is calculated by examining the available root cause mapping data
within publicly available CVE Record information. Thus, the more CNAs that adopt
CWE mapping as part of their vulnerability disclosure, and the more specific
they are in their mappings, the more specific and valuable the Top 25 will be.
We are seeing more and more CNAs take on root cause mapping with CWE, and we are
encouraged by that.

Overall, here are two key points for this list:

1. Language: Too often cybersecurity issues are approached from the attacker’s
perspective (e.g., Cross-Site Scripting). It is equally, if not more, important
for product developers to think more about cybersecurity from the “weakness”
perspective (e.g., CWE-79: Improper Neutralization of Input During Web Page
Generation). Root cause mapping with CWE encourages a valuable feedback loop
into an organization’s SDLC and architecture design planning, which in addition
to increasing product security can also save money: the more weaknesses avoided
in your product development, the fewer vulnerabilities to manage after
deployment.

2. Action: Root cause mapping is best done by those closest to the products
themselves: CNAs are the authoritative voice on vulnerabilities within their CNA
scope and better positioned than downstream third-party analysts to provide and
review CWE mappings. We are thrilled with the continued adoption of this
practice among CNAs as a routine part of their vulnerability disclosure (see the
CVE Program’s CNA Enrichment Recognition List at the bottom of their regularly
published metrics).

© Copyright 1998-2024 by Help Net Security