The Cybersecurity & Infrastructure Security Agency (CISA) ranked "Out-of-bounds Write" first on the 2022 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses list.
Out-of-bounds Write, commonly referred to as CWE-787, previously ranked first on CISA's 2021 list.
Other takeaways from CISA's 2022 CWE Top 25 Most Dangerous Software Weaknesses list include:
- "Improper Neutralization of Input During Web Page Generation" (CWE-79) ranked second for the second year in a row.
- "Improper Neutralization of Special Elements used in an SQL Command" (CWE-89) ranked third, followed by "Improper Input Validation" (CWE-20) and "Out-of-bounds Read" (CWE-125).
- New entries on the list are "Concurrent Execution using Shared Resource with Improper Synchronization" (CWE-362), "Improper Control of Generation of Code" (CWE-94) and "Uncontrolled Resource Consumption" (CWE-400).
- Entries that fell out of the Top 25 are "Exposure of Sensitive Information to an Unauthorized Actor" (CWE-200), "Insufficiently Protected Credentials" (CWE-522) and "Incorrect Permission Assignment for Critical Resource" (CWE-732).
How CISA Compiles Its List
The 2022 CWE Top 25 Most Dangerous Software Weaknesses list uses data from the National Vulnerability Database (NVD) and weakness data for the Common Vulnerabilities and Exposures (CVE) records that are part of CISA's Known Exploited Vulnerabilities Catalog. From this information, CISA compiles the most frequent and critical errors that can lead to software vulnerabilities, which cybercriminals can exploit to take control of affected systems, obtain sensitive information or launch denial-of-service attacks, CISA noted.
How to Guard Against the Most Dangerous Software Weaknesses
CISA recommends that organizations review the 2022 CWE Top 25 Most Dangerous Software Weaknesses list so they can evaluate these weaknesses and determine the best ways to guard against them.
MSSPs can also use the list to stay up to date on the most dangerous software weaknesses. In doing so, they can provide organizations with managed security services that help them keep pace with advanced cyber threats.