MITRE Updates List of Top 25 Most Dangerous Software Bugs (bleepingcomputer.com) 16
An anonymous reader quotes a report from BleepingComputer: MITRE has shared this year's top 25 list of most common and dangerous weaknesses plaguing software throughout the previous two years. MITRE developed the top 25 list using Common Vulnerabilities and Exposures (CVE) data from 2019 and 2020 obtained from the National Vulnerability Database (NVD) (roughly 27,000 CVEs). "A scoring formula is used to calculate a ranked order of weaknesses that combines the frequency that a CWE is the root cause of a vulnerability with the projected severity of its exploitation," MITRE explained. "This approach provides an objective look at what vulnerabilities are currently seen in the real world, creates a foundation of analytical rigor built on publicly reported vulnerabilities instead of subjective surveys and opinions, and makes the process easily repeatable."
MITRE's 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years. They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets' sensitive data, or trigger a denial-of-service (DoS) following successful exploitation. The list [here] provides insight to the community at large into the most critical and current software security weaknesses.
MITRE's 2021 top 25 bugs are dangerous because they are usually easy to discover, have a high impact, and are prevalent in software released during the last two years. They can also be abused by attackers to potentially take complete control of vulnerable systems, steal targets' sensitive data, or trigger a denial-of-service (DoS) following successful exploitation. The list [here] provides insight to the community at large into the most critical and current software security weaknesses.
Re:Today's Internet is a joke. (Score:5, Funny)
I am disappointed. I was looking forward to an interview like this:
"Governator, what is best in life?"
"To crush your enemies' stack, see their remote shell before you, and to hear the lamentation of their overflowed buffers!"
Security in obscurity. (Score:2)
CISA recommends transitioning away from end-of-life software as soon as possible as the easiest and quickest way to mitigate old unpatched security bugs.
Run one of these [makeuseof.com] and few will even know what to do let alone break in.
Re: (Score:3)
If you think the OS is a line of defense then you are already in trouble.
Re: (Score:2)
Interestingly, this is why IBM mainframes went unattacked until recently.
Most dangerous obviousness (Score:2)
Was this list of bugs really needed? They're so generic, every programmer and IT professional is aware of them.
It's very much like the following list of most dangerous things to do on the road:
- Let go of the steering wheel
- Close your eyes and hope for the best
- Turn off the headlights on a country road in the moonless night
- Drink a whole bottle of gin on the freeway
- Flip off another driver at the red light in Compton
That list can be done without.
Re:Most dangerous obviousness (Score:5, Insightful)
Software development is like the September that never ended: You keep getting new people every year who don't have the defensive part of programming in their mindset.
Saw a bunch of those today (Score:5, Interesting)
I went through some code today and found about 40 security issues. This list covers them.
This list actually isn't the worst things you can do.
The score is how *commonly* these errors are made, multiplied by how severe they are.
Re:Most dangerous obviousness (Score:5, Informative)
You obviously have a higher standard of quality than most developers I've interviewed. In my interviews, I always ask the candidate to describe how to perform a SQL Injection attack and how to protect against it. Most, including "senior" developers, have no idea. And most of those who have an idea what it is, don't know precisely how to thwart it (parameterized queries) or why it is an effective technique.
Re: (Score:2)
Does the employer offer a senior salary though? Are you only interviewing those who say they're senior but are junior, hoping to climb the ladder?
Re: (Score:2)
My employer pays competitive salaries. We do our research to be sure we are in line with going rates. I've found, though, that salary expectation has little to do with the candidate's skill or knowledge level.
SQL Injection only makes #6? (Score:2)
Surprising, you should see the SQL-related code that people post to Stack Overflow... every... single... day...
So many people are constructing their own SQL queries in C#, Java, Node, Python, other-favorite-language, including tainted user data instead of using parameterized queries.
The tip 5 are arbitrary code execution (Score:3)
The top 5 provide arbitrary code execution in the OS (four of them) or in the browser (one of them).
Arbitrary code execution on the platform is worse than SQL injection. Which certainly doesn't mean that SQL injection isn't bad!
Of course, if you're running MS SQL and your devs don't grok the fundamental nature of SQL as a declarative language, they may be using xp_cmdshell. That turns SQL injection into code execution on the host. Same with "into outfile" on a host running PHP.
Escape characters considered harmful (Score:2)
I find it strange that not now finally a couple decades too late unsafe memory constructs by default are starting to be seen as a giant mistake in retrospect, that escape characters escape this realization of everyone having been doing it wrong.
Plain text APIs and strings delineated by escape character are doing it wrong. Strings should have explicit length and any API should receive them as such (and once you do that, using escape characters even for harmless markup stops making sense). SQL is doing it wro