https://cwe.mitre.org/top25/archive/2024/2024_cwe_top25.html
https://www.darkreading.com/application-security/cross-site-scripting-is-2024-most-dangerous-software-weakness

The annual CWE Top 25 list, which identifies the most dangerous software weaknesses (the root-cause classes behind individual CVEs, not the CVEs themselves), saw a shakeup this year due to a new methodology that weighs both severity and exploitability.

While classic weaknesses like cross-site scripting (XSS) and SQL injection remain at the top, there has been a surprising rise in cross-site request forgery (CSRF), which jumped from 9th to 4th place. Experts are not sure whether this reflects better CSRF detection, more real-world exploitation, or a combination of factors.

The new methodology prioritizes weaknesses that are both common and cause significant harm. Because the score rewards prevalence and severity together, a weakness that appears in relatively few CVE records can still rank high if the vulnerabilities it produces are consistently critical.

As software supply chains become more complex, experts emphasize the importance of proactive measures. Organizations should use the CWE Top 25 to guide their software security strategies and prioritize addressing these weaknesses both during development and when procuring software.

Furthermore, adopting "root cause mapping" (tagging each CVE with the CWE that describes its underlying weakness) alongside CVE identification is encouraged throughout the software supply chain. The resulting feedback loop lets development teams fix whole classes of weakness earlier in the lifecycle, which is cheaper than managing the individual vulnerabilities they produce after deployment.
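The two ideas above (a ranking that weighs prevalence and severity together, and root cause mapping as the input that makes such a ranking possible) can be tried on an organization's own vulnerability data. The block below is an added illustration, not code from MITRE or the CWE program: it scores a set of constructed CVE-style records by the share of mapped records each CWE accounts for, times that CWE's mean CVSS base score normalized to 10. That formula is a simplification of the "common and severe" approach the text describes, not the exact published CWE Top 25 scoring; the CVE IDs are placeholders, and the record fields are assumed for this example.

```python
"""Frequency-times-severity ranking of CWE root causes over CVE-style records.

Added illustration for this page, not code from MITRE or the CWE program. The
scoring is a simplification of the list's "common and severe" approach (share of
records mapped to a CWE, times that CWE's mean CVSS base score normalized to 10),
not the exact published CWE Top 25 formula. All records below are constructed;
the CVE IDs are placeholders, not real vulnerabilities."""
from collections import defaultdict

# Constructed records: each maps a placeholder CVE ID to the CWE its root cause
# was mapped to, plus a CVSS v3 base score. Values were chosen to show the
# ranking behaviour described in the text, not taken from any real dataset.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "cwe": "CWE-79",  "cvss": 6.1},
    {"cve": "CVE-0000-0002", "cwe": "CWE-79",  "cvss": 6.1},
    {"cve": "CVE-0000-0003", "cwe": "CWE-79",  "cvss": 5.4},
    {"cve": "CVE-0000-0004", "cwe": "CWE-79",  "cvss": 6.1},
    {"cve": "CVE-0000-0005", "cwe": "CWE-79",  "cvss": 6.1},
    {"cve": "CVE-0000-0006", "cwe": "CWE-89",  "cvss": 9.8},
    {"cve": "CVE-0000-0007", "cwe": "CWE-89",  "cvss": 9.8},
    {"cve": "CVE-0000-0008", "cwe": "CWE-89",  "cvss": 9.8},
    {"cve": "CVE-0000-0009", "cwe": "CWE-787", "cvss": 9.8},
    {"cve": "CVE-0000-0010", "cwe": "CWE-787", "cvss": 9.8},
    {"cve": "CVE-0000-0011", "cwe": "CWE-352", "cvss": 8.8},
    {"cve": "CVE-0000-0012", "cwe": "CWE-352", "cvss": 8.8},
    {"cve": "CVE-0000-0013", "cwe": "CWE-200", "cvss": 4.3},
    {"cve": "CVE-0000-0014", "cwe": "CWE-200", "cvss": 4.3},
    {"cve": "CVE-0000-0015", "cwe": "CWE-200", "cvss": 4.3},
    # A record whose root cause was never mapped to a specific weakness. It
    # cannot contribute to a weakness ranking, which is the practical cost of
    # skipping root cause mapping.
    {"cve": "CVE-0000-0016", "cwe": "NVD-CWE-noinfo", "cvss": 7.5},
]

# Placeholder categories seen when no specific CWE was assigned.
UNMAPPED = {"NVD-CWE-noinfo", "NVD-CWE-Other", None, ""}


def is_mapped(record):
    """True if the record carries a specific CWE-nnn root cause."""
    cwe = record.get("cwe")
    return cwe not in UNMAPPED and str(cwe).startswith("CWE-")


def mapping_coverage(records):
    """Fraction of records with a specific CWE mapping (0.0 to 1.0)."""
    if not records:
        return 0.0
    return sum(1 for r in records if is_mapped(r)) / len(records)


def score_weaknesses(records, max_cvss=10.0):
    """Return {cwe: score} where score = frequency * mean_severity * 100.

    frequency     = records mapped to this CWE / all mapped records
    mean_severity = mean CVSS base score for this CWE / max_cvss
    Unmapped records are excluded from both numerator and denominator.
    """
    counts = defaultdict(int)
    severity_sum = defaultdict(float)
    for r in records:
        if not is_mapped(r):
            continue
        counts[r["cwe"]] += 1
        severity_sum[r["cwe"]] += float(r["cvss"])
    total = sum(counts.values())
    scores = {}
    for cwe, n in counts.items():
        frequency = n / total
        mean_severity = (severity_sum[cwe] / n) / max_cvss
        scores[cwe] = round(frequency * mean_severity * 100, 2)
    return scores


def rank_weaknesses(records, top=25):
    """Top-N list of (cwe, score), highest score first; ties broken by CWE ID."""
    scores = score_weaknesses(records)
    ordered = sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))
    return ordered[:top]


if __name__ == "__main__":
    print(f"root cause mapping coverage: {mapping_coverage(SAMPLE_RECORDS):.1%}")
    for position, (cwe, score) in enumerate(rank_weaknesses(SAMPLE_RECORDS), 1):
        print(f"{position:>2}. {cwe:<8} {score:6.2f}")
```

On the constructed data, CWE-787 with two critical records outranks CWE-200 with three low-severity ones, which is the "rare but severe" effect the text mentions, and the one unmapped record is simply invisible to the ranking: the more records a team leaves without a specific CWE, the less its own data can tell it about which weakness classes to fix first.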

This year also saw the first-ever participation of the full CVE community in compiling the CWE Top 25, reflecting a more comprehensive and collaborative approach to identifying and addressing critical software weaknesses.