The U.S. Department of Homeland Security released a report detailing the 25 most dangerous software errors.
DHS’s Homeland Security Systems Engineering and Development Institute (HSSEDI) updated a list of the errors that can lead to serious vulnerabilities in software.
“This list is an important tool for improving cybersecurity resiliency,” said Scott Randels, director of DHS’s Science and Technology Directorate’s Federally-Funded Research and Development Centers, which manages HSSEDI. “I’m excited about our ongoing collaboration with HSSEDI and the vast mitigation potential of this product.”
HSSEDI analysts used a data-driven approach based on real-world vulnerabilities reported by security researchers to compile the list.
“We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world,” project leader Chris Levendis said. “We will continue to mature the methodology as we move forward.”
In the ranking system, weaknesses that are both common and can cause significant harm received a high score, while issues that are rarely exploited or have a low impact were filtered out.
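To make that scoring principle concrete, the following is an added example, not HSSEDI's or MITRE's code. It assumes a frequency-times-severity formula (each weakness's CVE count and mean CVSS base score are min-max normalized, multiplied, and scaled to 0-100) and assumes the filtering thresholds `min_count` and `min_avg_cvss`; the CVE records it ranks are constructed, not real.

```python
"""Rank weakness types by how common and how severe their reported
vulnerabilities are.

Added example, not HSSEDI's code. The formula (normalized frequency
times normalized mean CVSS, scaled to 0-100) and the thresholds are
assumptions for illustration; the CVE records below are constructed.
"""
from collections import defaultdict

# Constructed sample records: (cve_id, cwe_id, cvss_base_score). Not real CVEs.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8),
    ("CVE-0000-0002", "CWE-119", 7.5),
    ("CVE-0000-0003", "CWE-119", 8.8),
    ("CVE-0000-0004", "CWE-119", 9.8),
    ("CVE-0000-0005", "CWE-79", 6.1),
    ("CVE-0000-0006", "CWE-79", 5.4),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-79", 4.3),
    ("CVE-0000-0009", "CWE-79", 6.1),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 8.8),
    ("CVE-0000-0012", "CWE-200", 5.3),
    ("CVE-0000-0013", "CWE-200", 4.3),
    ("CVE-0000-0014", "CWE-200", 5.3),
    ("CVE-0000-0015", "CWE-1234", 2.7),  # rare and low impact: should be filtered out
]


def aggregate(cves):
    """Per-CWE (count, mean CVSS) over all mapped CVE records."""
    counts = defaultdict(int)
    totals = defaultdict(float)
    for _cve_id, cwe, cvss in cves:
        counts[cwe] += 1
        totals[cwe] += cvss
    return {cwe: (counts[cwe], totals[cwe] / counts[cwe]) for cwe in counts}


def normalize(value, lo, hi):
    """Min-max normalization to [0, 1]; a degenerate range maps to 1.0."""
    if hi == lo:
        return 1.0
    return (value - lo) / (hi - lo)


def rank_weaknesses(cves, min_count=2, min_avg_cvss=4.0):
    """Return [(cwe_id, score), ...] sorted by descending score.

    Weaknesses that are rare (fewer than min_count records) or low impact
    (mean CVSS below min_avg_cvss) are dropped before normalization, so
    that they do not stretch the scale for everything else.
    """
    stats = aggregate(cves)
    kept = {cwe: s for cwe, s in stats.items()
            if s[0] >= min_count and s[1] >= min_avg_cvss}
    if not kept:
        return []
    counts = [c for c, _ in kept.values()]
    sevs = [s for _, s in kept.values()]
    lo_c, hi_c = min(counts), max(counts)
    lo_s, hi_s = min(sevs), max(sevs)
    scored = []
    for cwe, (count, avg) in kept.items():
        # Both common AND severe is required for a high score; weak on
        # either axis pulls the product toward zero.
        score = normalize(count, lo_c, hi_c) * normalize(avg, lo_s, hi_s) * 100
        scored.append((cwe, round(score, 2)))
    scored.sort(key=lambda x: (-x[1], x[0]))
    return scored


if __name__ == "__main__":
    for cwe, score in rank_weaknesses(SAMPLE_CVES):
        print(f"{cwe:9s} {score:6.2f}")
```

On this constructed input the memory-safety bucket (CWE-119) wins because it is both frequent and high-severity, while CWE-79 is the most frequent but scores low on severity and CWE-89 is severe but rare. Note the side effect of min-max normalization: the least frequent and the least severe surviving weaknesses score exactly 0, which is why the rarity and impact filters run before scoring rather than after.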
The 2019 list identified a new top weakness, “Improper Restriction of Operations within the Bounds of a Memory Buffer” (CWE-119). The previous top weakness, “Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)” (CWE-89), dropped to the number six spot.
The full list can be found on the Common Weakness Enumeration website (https://cwe.mitre.org/top25/).
“Eliminating weaknesses prior to software entering the marketplace is an important step in reducing the attack surface which better protects everybody, anywhere in the world,” Levendis said.