
Evolving OWASP

  • Writer: Ferdinent Fernandez
  • Nov 25, 2024
  • 2 min read

Key Trends and Changes in the 2024 List


MITRE has released its annual CWE Top 25 Most Dangerous Software Weaknesses list, highlighting the root-cause software flaws behind more than 31,000 vulnerabilities reported between June 2023 and June 2024. The updated list is published on MITRE's CWE site (cwe.mitre.org).


Key Trends and Changes

  • Cross-Site Scripting (XSS, CWE-79): Now the most dangerous software weakness, climbing to first place from second in 2023.

  • Out-of-Bounds Write (CWE-787): Slipped to second after holding the top spot last year.

  • SQL Injection (SQLi, CWE-89): Retains its third-place position, remaining a persistent threat.

  • Path Traversal (CWE-22) & CSRF (CWE-352): Significant climbs, rising three spots (8th to 5th) and five spots (9th to 4th) respectively.

  • Other Changes: Out-of-Bounds Read (CWE-125) moved up from 7th to 6th, while OS Command Injection (CWE-78, 5th to 7th) and Use After Free (CWE-416, 4th to 8th) declined in ranking.
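Three of the entries above (SQLi, XSS and path traversal) are input-handling flaws whose fixes are well understood, which is part of why their persistence at the top of the list is notable. The following is an added example, not code from the original post, showing each weakness beside its hardened form in Python; the `users` table, the `/srv/uploads` base directory and all inputs are constructed for the demonstration.

```python
import html
import sqlite3
from pathlib import Path

# Constructed in-memory table for the SQL examples (sample data, not from the post).
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (name TEXT, role TEXT)")
DB.executemany("INSERT INTO users VALUES (?, ?)",
               [("alice", "admin"), ("bob", "user")])


# CWE-89 (SQL injection): the statement text is assembled from the input ...
def find_user_vulnerable(name: str) -> list:
    query = f"SELECT name, role FROM users WHERE name = '{name}'"
    return DB.execute(query).fetchall()


# ... versus the driver binding the input as a parameter, so it is only ever
# compared as a value and cannot change the statement's structure.
def find_user_safe(name: str) -> list:
    return DB.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


# CWE-79 (XSS): user-supplied text dropped straight into markup ...
def greet_vulnerable(display_name: str) -> str:
    return f"<p>Hello, {display_name}</p>"


# ... versus the same text HTML-encoded for the context it lands in, so that
# < > & " ' render as characters instead of being parsed as tags or attributes.
def greet_safe(display_name: str) -> str:
    return f"<p>Hello, {html.escape(display_name, quote=True)}</p>"


# CWE-22 (path traversal): hypothetical upload directory used as the base.
UPLOAD_ROOT = Path("/srv/uploads")


def resolve_vulnerable(user_path: str) -> Path:
    # "../" segments (or an absolute path) walk out of UPLOAD_ROOT unchallenged.
    return UPLOAD_ROOT / user_path


def resolve_safe(user_path: str) -> Path:
    root = UPLOAD_ROOT.resolve()
    # resolve() collapses "." and ".." and follows symlinks before the check,
    # so the comparison is made on the path the OS would actually open.
    # Joining an absolute user_path replaces root entirely; the check catches
    # that case too.
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise ValueError(f"path escapes upload root: {user_path!r}")
    return candidate


def is_within_root(user_path: str) -> bool:
    """True if resolve_safe would accept user_path, False if it rejects it."""
    try:
        resolve_safe(user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    payload = "x' OR '1'='1"
    print(find_user_vulnerable(payload))   # every row comes back
    print(find_user_safe(payload))         # []
    print(greet_vulnerable("<script>alert(1)</script>"))
    print(greet_safe("<script>alert(1)</script>"))
    print(resolve_vulnerable("../../etc/passwd"))
    print(is_within_root("../../etc/passwd"), is_within_root("reports/q1.pdf"))
```

The point of the pairing is that each hardened version changes where the untrusted data is interpreted: as a bound value rather than SQL text, as character data rather than HTML, and as a resolved path checked against its base rather than a string joined blindly.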


Movement around the Top 10:

  • Missing Authorization (CWE-862): Rose to ninth place from eleventh, entering the Top 10.

  • Unrestricted File Upload (CWE-434): Steady at tenth.

  • Code Injection (CWE-94): Made a dramatic leap, moving from 23rd in 2023 to 11th this year, just outside the Top 10.


New Entrants to the List:

  1. Exposure of Sensitive Information to an Unauthorized Actor (CWE-200): Jumped to 17th from 30th.

  2. Uncontrolled Resource Consumption (CWE-400): Rose to 24th from 37th.

Meanwhile, Incorrect Default Permissions (CWE-276) and Race Condition (CWE-362) dropped off the Top 25.


Ongoing Threats and Exploitation Trends

Despite well-known mitigations, many of these weaknesses persist and are actively exploited. Key insights include:

  • High-profile Exploits:

    • OS Command Injection: Exploited against network edge devices such as Cisco and Palo Alto Networks appliances, including by the China-linked Velvet Ant group.

    • SQLi and Path Traversal: Continued to be highlighted in CISA alerts earlier this year.

    • Default Passwords: Remain a critical risk, exploited in campaigns such as Volt Typhoon's targeting of SOHO routers.

  • Rise of Zero-Day Exploits: The FBI and Five Eyes agencies reported that exploitation of zero-day vulnerabilities increased in 2023 compared with 2022.


MITRE's Process for the Top 25

MITRE analyzed 31,770 CVE records from the June 2023 to June 2024 window, mapping each to its root-cause CWE and ranking the weaknesses by:

  • Severity and frequency: how often a weakness appears and the CVSS severity of the vulnerabilities it produces.

  • Alignment with CISA's Known Exploited Vulnerabilities (KEV) catalog: weight given to weaknesses behind vulnerabilities exploited in the wild.
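To make the frequency-times-severity idea concrete, here is an added example (not MITRE's code) that scores a constructed set of CVE records the way the published Top 25 formula does: frequency and average CVSS are each min-max normalised across the CWEs seen, multiplied, and scaled to 100. The `kev_weight` multiplier is an assumption added here to illustrate KEV alignment, not MITRE's actual weighting, and the record identifiers and scores are invented sample data.

```python
from collections import defaultdict

# Constructed sample records: (id, root-cause CWE, CVSS base score, in CISA KEV?).
# Identifiers and numbers are invented for illustration, not taken from the
# 2024 data set.
SAMPLE_RECORDS = [
    ("SAMPLE-01", "CWE-79", 6.1, False),
    ("SAMPLE-02", "CWE-79", 5.4, False),
    ("SAMPLE-03", "CWE-79", 6.1, True),
    ("SAMPLE-04", "CWE-79", 4.8, False),
    ("SAMPLE-05", "CWE-787", 9.8, True),
    ("SAMPLE-06", "CWE-787", 8.8, True),
    ("SAMPLE-07", "CWE-787", 7.8, False),
    ("SAMPLE-08", "CWE-89", 9.8, True),
    ("SAMPLE-09", "CWE-89", 8.8, False),
    ("SAMPLE-10", "CWE-476", 5.5, False),
]


def rank_weaknesses(records, kev_weight=0.0):
    """Return [(cwe, score), ...] sorted by descending score.

    score = Fr * Sv * 100, where Fr is the CWE's frequency and Sv its average
    CVSS, each min-max normalised across all CWEs in the data set (MITRE's
    published Top 25 formula). The (1 + kev_weight * kev_share) factor is an
    assumption added for this example to show how KEV alignment can be folded
    in; with kev_weight=0 it has no effect.
    """
    counts = defaultdict(int)
    cvss_total = defaultdict(float)
    kev_counts = defaultdict(int)
    for _id, cwe, cvss, in_kev in records:
        counts[cwe] += 1
        cvss_total[cwe] += cvss
        kev_counts[cwe] += int(in_kev)

    avg_sev = {cwe: cvss_total[cwe] / counts[cwe] for cwe in counts}
    lo_f, hi_f = min(counts.values()), max(counts.values())
    lo_s, hi_s = min(avg_sev.values()), max(avg_sev.values())

    def norm(value, lo, hi):
        # Min-max normalisation; a single CWE (or all-equal values) scores 0.
        return 0.0 if hi == lo else (value - lo) / (hi - lo)

    scored = []
    for cwe in counts:
        fr = norm(counts[cwe], lo_f, hi_f)
        sv = norm(avg_sev[cwe], lo_s, hi_s)
        kev_share = kev_counts[cwe] / counts[cwe]
        scored.append((cwe, fr * sv * 100 * (1 + kev_weight * kev_share)))
    scored.sort(key=lambda item: (-item[1], item[0]))
    return scored


if __name__ == "__main__":
    for cwe, score in rank_weaknesses(SAMPLE_RECORDS):
        print(f"{cwe:8s} {score:6.2f}")
```

In the sample, CWE-79 is the most frequent weakness yet ranks third, because its low average CVSS drags the product down; CWE-787 wins on the combination of frequency and severity. That interaction is why a weakness can move several places between years without a dramatic change in how often it appears.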


The list provides actionable insights for industry and government stakeholders to address the root causes of software vulnerabilities.


Recommendations for Organizations

  1. Incorporate CWE Insights: Use the Top 25 as a benchmark for secure coding standards, code review checklists and static analysis rule sets.

  2. Secure Development Practices: Prioritize these weaknesses during design, and require vendors to address them during procurement.

  3. Adopt "Secure by Design": Follow CISA's Secure by Design guidance to eliminate whole vulnerability classes at the source rather than patching individual instances.

  4. Monitor Vulnerability Alerts: Track CISA's KEV catalog and advisories from other agencies for weaknesses being exploited right now.


By addressing these weaknesses early, organizations can build stronger defenses, safeguarding systems and sensitive data against adversaries.
