Memory-related bugs are still the most dangerous software vulnerabilities, MITRE concludes. The annual top 25 also shows that in the year 2023, we must increasingly watch out for bugs relating to authentication and authorization steps.
The top three remain unchanged in MITRE’s CWE Top 25 Most Dangerous Software Weaknesses. For example, out-of-bounds write, a form of memory corruption, is still No. 1. In such an instance, a product writes data beyond the intended buffer, which means multiple problems can arise. The most obvious is that a crash occurs because the software wants to write more sequences than an id array in C++ allows, for example. This can be exploited by crashing the program in question or initiating remote execution, which paves the way for all sorts of malicious actions.
Second on the list is cross-site scripting, which allows untrusted data on a Web application. This creates an unwanted version of the Web page where a malicious person can execute a script during page generation via JavaScript or HTML, for example, to attack the target. At No. 3 are SQL injections, a major problem for database-driven sites. It was recently revealed that Microsoft SQL attacks are on the rise.
Tip: ‘Microsoft SQL attacks are soaring’
Authorization and authentication miss or go awry
Despite the stability in the top three, MITRE sees a laundry list of vulnerabilities related to access management on the rise. For example, they’ve spotted increases in the top 25 for “Missing Authorization” (from spot 16 to 11), “Improper Authentication” (from 14 to 13), “Improper Privilege Management” (29 to 22) and “Incorrect Authorization” (28 to 24).
All of this, along with the other threats in this area, points to a general deficiency in access management. As many organizations as possible should strive for zero-trust principles, where users are granted only the necessary access. However, that often involves access to software, not necessarily access levels within the software. MITRE’s list shows that software vendors have much to gain in this respect. For example, the biggest climber (Improper Privilege Management) shows that the product in question does not handle a user’s privileges in the desired way, which can cause even the best intentions to fall apart as implementation goes awry.
Also read: Zero trust in complex environments: how to ensure secure access to apps?