The Common Weakness Enumeration (CWE), a community-developed compilation of the most critical errors leading to vulnerabilities in software, has lowered SQL Injection from its #1 spot as the most dangerous attack technique.

SQL Injection, one of the oldest and most prevalent hacking techniques, enables attackers to spoof identity, change or destroy data, leak data, void transactions or change balances, and even gain administrator privileges on the database server.

It’s perhaps no surprise, then, that communities like the Open Web Application Security Project (OWASP) and the Common Weakness Enumeration (CWE) have long listed SQL Injection as the top attack vector in hacks exploiting software vulnerabilities. However, this is no longer the case.

According to a recent update by the CWE, a new data-driven technique is being used to rank the severity of software flaws, leading to a shift in ranking for some of the most common and most dangerous

“Back in 2011, analysts used a subjective approach, conducting personal interviews and surveys of industry experts to compile the list,” according to a report by the U.S. Department of Homeland Security, whose Science & Technology Directorate recently updated the top 25 CWE list for the first time in eight

“And while that was an effective way to produce the top 25 list then, cybersecurity demands constant improvement. This time, analysts used a data-driven approach based on real-world vulnerabilities reported by security researchers,” the DHS says.

According to CWE project leader Chris Levendis, the group shifted to a data-driven methodology “because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world.”

“We will continue to mature the methodology as we move forward,” Levendis said.

The 2019 CWE Top 25, which uses data gathered between 2017 and 2018, consists of approximately 25,000 Common Vulnerabilities and Exposures

According to the report, the new ranking is based on a formula that accounts for prevalence and severity. The list prioritizes weaknesses that are both common and can cause significant harm. Also, the formula leaves out issues that are rarely exploited or have little impact.
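As an added illustration of a prevalence-and-severity ranking of the kind the report describes (this is example code, not the article's or CWE's own formula), the script below scores constructed CVE records by normalized CVE count times normalized mean CVSS score and drops weaknesses reported too rarely; the min-max normalization, the `min_count` cutoff and the sample data are assumptions.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (placeholder CVE id, CWE id, CVSS base score).
# None of these are real CVEs; the CWE ids are the real ids for weaknesses
# named in the article (119 buffer bounds, 79 XSS, 89 SQLi, 200 info exposure).
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-119", 9.8), ("CVE-0000-0002", "CWE-119", 7.5),
    ("CVE-0000-0003", "CWE-119", 8.8), ("CVE-0000-0004", "CWE-119", 9.8),
    ("CVE-0000-0005", "CWE-119", 7.8), ("CVE-0000-0006", "CWE-119", 8.8),
    ("CVE-0000-0007", "CWE-79", 6.1), ("CVE-0000-0008", "CWE-79", 6.1),
    ("CVE-0000-0009", "CWE-79", 5.4), ("CVE-0000-0010", "CWE-79", 6.1),
    ("CVE-0000-0011", "CWE-79", 6.1), ("CVE-0000-0012", "CWE-79", 4.8),
    ("CVE-0000-0013", "CWE-79", 6.1), ("CVE-0000-0014", "CWE-79", 5.4),
    ("CVE-0000-0015", "CWE-89", 9.8), ("CVE-0000-0016", "CWE-89", 9.8),
    ("CVE-0000-0017", "CWE-89", 8.8),
    ("CVE-0000-0018", "CWE-200", 4.3), ("CVE-0000-0019", "CWE-200", 5.3),
    ("CVE-0000-0020", "CWE-RARE", 7.5),  # placeholder: seen once, so excluded
]


def _min_max(values):
    """Scale a {key: number} dict onto [0, 1]; all-equal inputs map to 1.0."""
    lo, hi = min(values.values()), max(values.values())
    return {k: (v - lo) / (hi - lo) if hi > lo else 1.0 for k, v in values.items()}


def rank_weaknesses(records, min_count=2):
    """Rank CWE ids by a prevalence-times-severity score.

    score = normalized CVE count * normalized mean CVSS * 100.  Min-max
    normalization and the min_count cutoff (which drops rarely reported
    weaknesses) are assumptions for this illustration, not CWE's exact formula.
    Returns [(cwe_id, score)] sorted from highest to lowest score.
    """
    counts, severities = defaultdict(int), defaultdict(list)
    for _cve, cwe, cvss in records:
        counts[cwe] += 1
        severities[cwe].append(cvss)
    eligible = [c for c, n in counts.items() if n >= min_count]
    if not eligible:
        return []
    freq = _min_max({c: counts[c] for c in eligible})
    sev = _min_max({c: mean(severities[c]) for c in eligible})
    ranked = [(c, freq[c] * sev[c] * 100) for c in eligible]
    return sorted(ranked, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_weaknesses(SAMPLE_CVES), 1):
        print(f"#{position} {cwe}: {score:.2f}")
```

With this sample, SQL Injection carries the highest mean severity but a lower count than the buffer and XSS weaknesses, so it lands third; the once-seen placeholder weakness never enters the list.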
As a result, the 2019 list identifies “Improper Restriction of Operations within the Bounds of a Memory Buffer” as the new top weakness, followed by Improper Neutralization of Input During Web Page Generation (Cross-site Scripting). In third place comes Improper Input Validation, followed by Information Exposure and Out-of-bounds Read.

Improper Neutralization of Special Elements used in an SQL Command (SQL Injection) moves down five positions to the sixth spot. The updated list can be found over at cwe.mitre.org.