Inside the 2024 CWE Top 25: Trends, surprises, and persistent challenges

In this Help Net Security interview, Alec Summers, Project Leader for the CVE Program at MITRE, shares his insights on the 2024 CWE Top 25 most dangerous software weaknesses. He discusses the impact of the new methodology that involves the CNA community and highlights the persistent vulnerabilities that continue to make the list year after year.

Summers also touches on the role of AI tools in identifying vulnerabilities and the importance of root cause mapping for improving cybersecurity efforts.

What are some fundamental changes or trends observed in the 2024 CWE Top 25 compared to previous years?

This year we had a new methodology that democratized data analysis with the CNA community. We are really excited about that because CVE Numbering Authorities (CNAs) are the authoritative voice on vulnerabilities within their CNA scope, closest to the products themselves, and better positioned than downstream third-party analysts to provide and review CWE mappings.

While there’s a lot of minor movement within the ranks this year, it’s still largely a similar set of CWEs that we’ve seen over the years. There’s still a long way to go in resolving these stubborn weaknesses, even for those that have been known for decades.

How does the growing prevalence of AI-assisted coding influence the weaknesses identified in the list?

Our analysis does not take into account which vulnerabilities were the result of AI-assisted coding tools due primarily to the fact that it is very difficult to discern in the data. That said, we are aware of studies indicating that AI-assisted coding can produce weaknesses already covered by CWE, i.e., AI-assisted coding can make the same mistakes that humans do.

Which software weaknesses from this year’s list are the most surprising or concerning to you? Why?

While we see a bit of movement in rankings throughout the list for sure, we also continue to see the presence of the “usual suspects” (e.g., CWE-79, CWE-89, CWE-125). It’s an ongoing concern that these and other stubborn weaknesses remain high on the Top 25 consistently.

That said, the rise of CSRF near the top of the rankings is a little surprising. This might reflect a greater emphasis on CSRF by vulnerability researchers or maybe there are improvements in CSRF detection, or maybe more adversaries are focusing on this kind of issue. We can’t be completely sure why it jumped the way it did.

How can organizations effectively leverage AI tools to identify and address vulnerabilities rather than inadvertently introducing them?

There are likely to be continued improvements in AI’s ability to help developers identify weaknesses in their code. Different kinds of tools have different capabilities, and it is generally good to be using a combination of tools versus relying on any one in particular.

What improvements could be made to the CWE Top 25 to make it even more impactful for future cybersecurity efforts?

The CWE Top 25 is calculated by examining the available root cause mapping data within publicly available CVE Record information. Thus, the more CNAs that adopt CWE mapping as part of their vulnerability disclosure, and the more specific they are in their mappings, the more specific and valuable the Top 25 will be. We are seeing more and more CNAs take on root cause mapping with CWE, and we are encouraged by that.

Overall, here are two key points for this list:

1. Language: Too often cybersecurity issues are approached from the attacker’s perspective (e.g., Cross-Site Scripting). It is equally, if not more, important for product developers to think more about cybersecurity from the “weakness” perspective (e.g., CWE-79: Improper Neutralization of Input During Web Page Generation). Root cause mapping with CWE encourages a valuable feedback loop into an organization’s SDLC and architecture design planning, which in addition to increasing product security can also save money: the more weaknesses avoided in your product development, the fewer vulnerabilities to manage after deployment.

2. Action: Root cause mapping is best done by those closest to the products themselves: CNAs are the authoritative voice on vulnerabilities within their CNA scope and better positioned than downstream third-party analysts to provide and review CWE mappings. We are thrilled with the continued adoption of this practice among CNAs as a routine part of their vulnerability disclosure (see the CVE Program’s CNA Enrichment Recognition List at the bottom of their regularly published metrics).