The US government has compiled a ranking of the most common and most dangerous software weaknesses, the flaws that lead to serious vulnerabilities in systems and applications.
The CWE Top 25 list was compiled by the HSSEDI Institute (Homeland Security Systems Engineering and Development Institute), which operates under the auspices of the Department of Homeland Security and the non-profit organization MITRE.
CWE (Common Weakness Enumeration) is a standard that describes types of weaknesses: errors, bugs, design flaws and the like. CWE differs from CVE (Common Vulnerabilities and Exposures), which assigns an identifier to each specific vulnerability found in a piece of software.
The CWE Top 25 list is calculated by analyzing public data from the National Vulnerability Database (NVD) over the past two calendar years. It also takes into account data on vulnerabilities that attackers have exploited in real attacks, according to CISA's catalog of Known Exploited Vulnerabilities (KEV).
Rank | Weakness |
---|---|
1 | Out-of-bounds write, which can lead to a buffer overflow and execution of arbitrary code. |
2 | Cross-site scripting (XSS), which allows malicious code to be injected into a web page and user data to be stolen. |
3 | SQL injection, which makes it possible to run arbitrary queries against a database and gain access to confidential information. |
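The two web weaknesses in the table (cross-site scripting and SQL injection) are shown below in an added Python example that is not part of the original article or of the CWE project: each appears in its vulnerable form beside the hardened form, using an in-memory SQLite database populated with constructed sample rows. The table name, column names, function names and user records are assumptions made for the illustration.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory database (sample data, not from the article)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "s3cr3t-a"), ("bob", "s3cr3t-b")],
    )
    return conn


def lookup_secret_vulnerable(conn: sqlite3.Connection, name: str) -> list[str]:
    """CWE-89 pattern: untrusted input is concatenated into the SQL text,
    so a crafted name can change the structure of the query."""
    rows = conn.execute(
        f"SELECT secret FROM users WHERE name = '{name}'"
    ).fetchall()
    return [r[0] for r in rows]


def lookup_secret_safe(conn: sqlite3.Connection, name: str) -> list[str]:
    """Hardened form: a parameterized query. The driver binds the value
    separately from the SQL text, so the input is only ever compared as data."""
    rows = conn.execute(
        "SELECT secret FROM users WHERE name = ?", (name,)
    ).fetchall()
    return [r[0] for r in rows]


def render_greeting_vulnerable(user_input: str) -> str:
    """CWE-79 pattern: untrusted text is placed directly into HTML markup."""
    return f"<p>Hello, {user_input}</p>"


def render_greeting_safe(user_input: str) -> str:
    """Hardened form: contextual output encoding turns markup characters
    into HTML entities, so the browser renders them as text."""
    return f"<p>Hello, {html.escape(user_input)}</p>"


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"  # constructed input that closes the string literal
    print("vulnerable:", lookup_secret_vulnerable(db, probe))  # leaks every row
    print("safe:      ", lookup_secret_safe(db, probe))        # matches nothing
    print(render_greeting_safe("<script>alert(1)</script>"))
```

The contrast is the point: the parameterized query and the HTML-escaped output are the standard mitigations for ranks 3 and 2, and both are cheap to adopt through a query API or templating engine. Rank 1, the out-of-bounds write, has no Python counterpart because the interpreter bounds-checks sequence access; in C and C++ it is addressed by length-checked copies, compiler hardening and memory-safe components.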
The Cybersecurity and Infrastructure Security Agency (CISA) recommends that developers and product security teams familiarize themselves with the CWE TOP