In a release from the Cybersecurity and Infrastructure Security Agency (CISA) on July 21, 2021, it was announced that the Common Weakness Enumeration (CWE) Top 25 list has been updated from the previous 2020 version. The CWE Top 25 is a list that uses real-world data from the National Vulnerability Database (NVD) to identify the current most dangerous software weaknesses, those that can lead to serious vulnerabilities in software.
According to MITRE, the main difference between the 2020 and 2021 list is “the continued transition to more specific weaknesses as opposed to abstract, class-level weaknesses.” They estimate that Base-level CWEs now comprise ~71% of all Top 25 entries. The biggest movements up the list are identified as:
- CWE-276 (Incorrect Default Permissions): from #41 to #19
- CWE-306 (Missing Authentication for Critical Function): from #24 to #11
- CWE-502 (Deserialization of Untrusted Data): from #21 to #13
- CWE-862 (Missing Authorization): from #25 to #18
- CWE-77 (Improper Neutralization of Special Elements used in a Command (‘Command Injection’)): from #31 to #25
According to CISA, users and administrators are encouraged to “review the Top 25 list and evaluate recommended mitigations to determine those most suitable to adopt.”
The CWE Top 25 list is an invaluable tool for enhancing cybersecurity within medical systems. Noting the trends in the most up-to-date version of this list allows cybersecurity processes to adapt, and allows previously established systems to be reviewed against currently emerging cybersecurity threat trends.
Access the MITRE site at this link: https://cwe.mitre.org/top25/archive/2021/2021_cwe_top25.html