
Cross-Site Scripting: 2024’s Most Dangerous Software


Though a new methodology shook up the rankings of this year's most dangerous software bugs, the classic persistent threats still proved to be the biggest risk to organizations, reinforcing the need for continued focus on, and investment in, secure code.

The annual Common Weakness Enumeration (CWE) list is compiled by MITRE and the Cybersecurity and Infrastructure Security Agency (CISA). This year, for the first time, their scoring system included both the severity and the frequency of the flaws.

“Weaknesses that were rarely discovered will not receive a high frequency score, regardless of the typical consequence associated with any exploitation,” the list’s methodology page explained. “Weaknesses that are both common and caused significant harm will receive the highest scores.”

The year’s top weakness, according to the 2024 CWE list, was cross-site scripting (second last year), followed by out-of-bounds write (2023’s winner), SQL injection (also third last year), cross-site request forgery (CSRF) (ninth in 2023), and path traversal (eighth last year).

“While we see a bit of movement in rankings throughout the list for sure, we also continue to see the presence of the ‘usual suspects’ (e.g., CWE-79, CWE-89, CWE-125),” says Alec Summers, the project leader for the CVE Program at MITRE and one of the list’s authors. “It’s an ongoing concern that these and other stubborn weaknesses remain high on the Top 25 consistently.”

The one real curveball in this year’s rankings, he points out, was CSRF rising from the ninth spot last year to fourth in 2024. “This might reflect a greater emphasis on CSRF by vulnerability researchers, or maybe there are improvements in CSRF detection, or maybe more adversaries are focusing on this type of issue. We can’t be completely sure why it jumped the way it did,” Summers says.

As the software development life cycle (SDLC) and software supply chain become more labyrinthine every year, and everyday software flaws continue to proliferate, it is increasingly important for organizations to get a handle on their systems before everyday weaknesses become something more sinister, he recommends.

“Looking at the Top 25, organizations are strongly encouraged to review and leverage the list as a guiding resource for shaping their software security strategies,” Summers says. “By prioritizing them in both development and procurement processes, organizations can more proactively manage risk.”

Shoring Up the Software Supply Chain Begins at Home

These efforts likewise should extend across the software supply chain, Summers adds.

“It is becoming more and more important for organizations to adopt, and demand that their suppliers adopt, root cause mapping of CVE to CWE,” he urges. “This encourages a valuable feedback loop into an organization’s SDLC and architecture design planning, which in addition to increasing product security can also save money: The more weaknesses prevented in your product development, the fewer vulnerabilities to manage after deployment.”

In addition to incorporating a new methodology for determining which software flaws posed the most risk, 2024 was the first year the full community of CVE Numbering Authorities (CNAs) contributed to the CWE Program’s effort. In total, 148 CNAs helped develop this year’s list, according to the CWE Project. Currently there are 421 CNAs across 40 countries, according to CVE.org.


