SQL Injection Errors No Longer the Top Software Security Issue

In newly updated Common Weakness Enumeration (CWE), SQL injection now ranks sixth.

SQL injection errors are no longer considered the most severe or prevalent software security issue.


Replacing it at the top of the Common Weakness Enumeration (CWE) list of most dangerous software errors is "Improper Restriction of Operations within the Bounds of a Memory Buffer" (CWE-119), the classic buffer overflow class. Cross-site scripting (XSS, CWE-79) ranks second, followed by improper input validation (CWE-20), information exposure (CWE-200), and out-of-bounds read (CWE-125). SQL injection (CWE-89) now sits sixth.


The Homeland Security Systems Engineering and Development Institute (HSSEDI), a Department of Homeland Security federally funded R&D center operated by The MITRE Corp., this week released the updated CWE Top 25 Most Dangerous Software Errors list. The update is the first since 2011, eight years ago, and ranks weakness classes by a combination of prevalence and severity.


The CWE team analyzed a dataset of roughly 25,000 Common Vulnerabilities and Exposures (CVE) entries from the National Vulnerability Database covering the past two years, and focused on weaknesses that are both common and capable of causing significant harm. Issues with low impact, or that are rarely seen, were filtered out of the ranking.
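The article only summarizes the new method as "prevalence and severity". The following is an added worked example, not code from the article or from MITRE: it implements the scoring formula MITRE published alongside the 2019 list (each CWE's CVE count and average CVSS base score, both min-max normalized across all CWEs, multiplied together and scaled to 100) over a small set of constructed CVE records. The CVE identifiers, counts and CVSS values below are invented for illustration, so the resulting order is not the real Top 25; the point is to show why a data-driven score pushes rare or low-impact weaknesses to zero without any separate filtering step.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample of CVE records as (cve_id, cwe_id, cvss_base_score).
# The identifiers after "CVE-0000-" and all scores are invented for this
# example; they are not real NVD data and the order they produce is not
# the real Top 25.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-79", 7.0), ("CVE-0000-0002", "CWE-79", 5.0),
    ("CVE-0000-0003", "CWE-79", 6.5), ("CVE-0000-0004", "CWE-79", 5.5),
    ("CVE-0000-0005", "CWE-79", 6.0), ("CVE-0000-0006", "CWE-79", 6.0),
    ("CVE-0000-0007", "CWE-119", 9.5), ("CVE-0000-0008", "CWE-119", 9.5),
    ("CVE-0000-0009", "CWE-119", 8.5), ("CVE-0000-0010", "CWE-119", 8.5),
    ("CVE-0000-0011", "CWE-119", 9.0),
    ("CVE-0000-0012", "CWE-20", 2.0), ("CVE-0000-0013", "CWE-20", 2.0),
    ("CVE-0000-0014", "CWE-20", 1.5), ("CVE-0000-0015", "CWE-20", 2.5),
    ("CVE-0000-0016", "CWE-200", 4.5), ("CVE-0000-0017", "CWE-200", 5.0),
    ("CVE-0000-0018", "CWE-200", 5.5),
    ("CVE-0000-0019", "CWE-89", 9.5), ("CVE-0000-0020", "CWE-89", 10.0),
    ("CVE-0000-0021", "CWE-125", 10.0),  # severe, but seen only once
]


def _normalize(value, low, high):
    """Min-max scale value into [0, 1]; a degenerate range collapses to 0."""
    return 0.0 if high == low else (value - low) / (high - low)


def score_cwes(records):
    """Return {cwe_id: score} using the formula MITRE published for the
    2019 CWE Top 25: Score = Fr * Sv * 100, where Fr is the CWE's CVE count
    min-max normalized across all CWEs and Sv is its average CVSS base score
    normalized the same way. Because both factors are scaled from the least
    prevalent and least severe weakness in the dataset, the rarest CWE and
    the mildest CWE each score exactly 0, which is how rare or low-impact
    issues drop out of the ranking."""
    counts = defaultdict(int)
    severities = defaultdict(list)
    for _cve_id, cwe_id, cvss in records:
        counts[cwe_id] += 1
        severities[cwe_id].append(cvss)
    avg_sev = {cwe: mean(values) for cwe, values in severities.items()}

    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_sev.values()), max(avg_sev.values())

    return {
        cwe: _normalize(counts[cwe], min_f, max_f)
        * _normalize(avg_sev[cwe], min_s, max_s)
        * 100
        for cwe in counts
    }


def top_n(records, n):
    """Rank CWEs by score, highest first, and return the top n as (cwe, score)."""
    scores = score_cwes(records)
    ranked = sorted(scores.items(), key=lambda item: item[1], reverse=True)
    return ranked[:n]


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(top_n(SAMPLE_CVES, 6), start=1):
        print(f"{position}. {cwe}: {score:.2f}")
```

With this constructed input the memory-safety class wins on the product of the two factors even though XSS is the most frequent entry, SQL injection's near-maximal severity is dragged down by its low count, and the single severe CWE-125 entry and the mild CWE-20 entries both score zero. Real inputs have thousands of records per CWE, but the mechanics are the same.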


In the past, the compilers of the CWE list used a more subjective approach based on personal interviews and surveys of industry experts.


"We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world," Chris Levendis, CWE project leader, said in a statement Wednesday. "We will continue to mature the methodology as we move forward."


Lists like the ..
