SQL Injection Errors No Longer the Top Software Security Issue

  /     /     /  
Publicated : 23/11/2024   Category : security


SQL Injection Errors No Longer the Top Software Security Issue


In newly updated Common Weakness Enumeration (CWE), SQL injection now ranks sixth.



SQL injection errors are no longer considered the most severe or prevalent software security issue.
Replacing it at the top of the Common Weakness Enumeration (CWE) list of most dangerous software errors is Improper Restriction of Operations within the Bounds of a Memory Buffer. Cross-site scripting (XSS) errors rank second on the list, followed by improper input validation, information exposure, and out-of-bounds read errors. SQL injection flaws are now ranked sixth on the list of most severe security vulnerabilities.
The Department of Homeland Securitys Systems Engineering and Development Institute, operated by The MITRE Corp., this week released an updated
top 25 CWE
listing of software errors. The update is the first in eight years and ranks security vulnerabilities based on prevalence and severity.
The CWE team looked at a dataset of some 25,000 Common Vulnerabilities and Exposures (CVE) entries over the past two years and focused on security weaknesses in software that are both common and have the potential to cause significant harm. Issues that have a low impact or are rarely excluded were filtered out.
In the past, the compilers of the CWE list used a more subjective approach based on personal interviews and surveys of industry experts.
We shifted to a data-driven approach because it enables a more consistent and repeatable analysis that reflects the issues we are seeing in the real world, Chris Levendis, CWE project leader, said in a
statement
Wednesday. We will continue to mature the methodology as we move forward.
Lists like the CWE and the Open Web Application Security Project (OWASP)s top software security vulnerabilities are designed to raise awareness of common security missteps among developers. The goal is to help developers improve software quality and to assist them and testers in verifying security issues in their code. But over the years, the entries in these lists have changed little, suggesting that developers are repeatedly making the same mistakes.
This highlights the unfortunate reality that despite many efforts, security is not being embedded effectively enough within the developer community, or in enterprise assurance frameworks, says Javvad Malik, security awareness advocate at KnowBe4. Its not that we are unaware of how to identify and remedy the issues or prevent them from occurring in the first place; there appears to be a culture where getting software shipped outweighs the security requirements, he notes.
According to Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, the new list and risk-ranking approaches make a lot of sense overall. However, some of the entries in the list are likely to cause some controversy, Kolochenko says.
Cross-site scripting errors, for example, while common are not particularly easy to exploit. Successful exploitation of an XSS, unless its a stored one, always requires at least a modicum of social engineering and interaction with a victim, he says.
One could potentially make similar comments about all other entries, arguing about the prevalence of the vulnerabilities in business-critical systems, ease of detection and exploitation, costs of prevention, and remediation time. We will unlikely have a unanimous opinion on all of them, Kolochenko says. This is why its good to have different classifications and ratings that, once consolidated, provide a comprehensive overview of the modern-day vulnerability landscape.
Related Content:
Most Organizations Have Incomplete Vulnerability Information
GitHub Becomes CVE Numbering Authority, Acquires Semmle
Predicting Vulnerability Weaponization
8 Trends in Vulnerability and Patch Management
Check out 
The Edge
, Dark Readings new section for features, threat data, and in-depth perspectives. Todays top story:
Home Safe: 20 Cybersecurity Tips for Your Remote Workers
.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
SQL Injection Errors No Longer the Top Software Security Issue