DHS New “Top 25 Software Vulns” List – Experts Insight

The Department of Homeland Security has just refreshed its list of the 25 Most Common Software Weaknesses: here’s the DHS intro link and the Mitre link with specific CWEs.


EXPERTS COMMENTS
Javvad Malik, Security Awareness Advocate, KnowBe4
November 28, 2019
There is little change in the overall types of vulnerabilities which constantly make up the top issues.
From a software perspective, this list looks right. However, much like other similar lists, such as the OWASP top 10, there is little change in the overall types of vulnerabilities which constantly make up the top issues. This highlights the unfortunate reality that despite many efforts, security is not being embedded effectively enough within the developer community, or in enterprise assurance ....
Roger A. Grimes, Data-Driven Defense Evangelist, KnowBe4
November 28, 2019
Things are pretty bad out there and have been for a long time.
“Seventy to ninety percent of all malicious compromises are due to social engineering and exploiting unpatched software is involved in 20% to 40%. You would think that all software developers would be getting better at developing code with less exploitable security vulnerabilities. Some are, but most are not. This shouldn’t be surprising because most programmers are not taught about computer s ....
Ray DeMeo, Co-Founder and COO, Virsec
November 28, 2019
The biggest take-away is that memory buffer errors top the list with by far the highest risk score.
It’s encouraging to see the DHS actively promoting the list of top software vulnerabilities compiled by NIST and MITRE. The biggest take-away is that memory buffer errors top the list with by far the highest risk score. These types of in-memory vulnerabilities are poorly understood, bypass conventional security tools, and are increasingly exploited in major attacks like WannaCry, NotPetya, Indu ....
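Since the comment above singles out memory buffer errors (the CWE-119 family, "Improper Restriction of Operations within the Bounds of a Memory Buffer") as the top-scoring weakness class, here is an added example, written for this page and not taken from the article, Virsec, or MITRE, showing the defect beside its fix. The function names, the 16-byte buffer, and the inputs are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (CWE-119 family): caller-controlled input is copied
 * into a fixed-size stack buffer with no length check. Any input longer
 * than 15 bytes writes past the end of `name`. This function is kept only
 * to show the shape of the defect; it is never called with over-long input
 * here, because doing so is undefined behaviour. */
int vulnerable_greet(const char *input)
{
    char name[16];
    strcpy(name, input);            /* unbounded copy: out-of-bounds write */
    return (int)strlen(name);
}

/* Hardened version: the untrusted input is measured with a bounded scan
 * (memchr stops at max_len + 1 bytes, so an unterminated input cannot cause
 * an over-read), and anything that would not fit with its terminator is
 * rejected outright. Rejecting is preferred to silent truncation, which
 * trades a memory bug for a logic bug. Returns the copied length, or -1. */
int hardened_greet(const char *input, size_t max_len)
{
    char name[16];
    const char *nul = memchr(input, '\0', max_len + 1);
    if (nul == NULL) {
        return -1;                  /* no terminator within the allowed window */
    }
    size_t len = (size_t)(nul - input);
    if (len > sizeof(name) - 1) {
        return -1;                  /* would overflow `name`: reject */
    }
    memcpy(name, input, len);
    name[len] = '\0';
    return (int)len;
}

int main(void)
{
    /* Constructed inputs: one that fits, one 40-byte string that does not. */
    char long_input[41];
    memset(long_input, 'A', 40);
    long_input[40] = '\0';

    printf("short input  -> %d\n", hardened_greet("alice", 64));     /* 5  */
    printf("40-byte input -> %d\n", hardened_greet(long_input, 64));  /* -1 */
    return 0;
}
```

The defensive point is that the length check happens before any write and is itself bounded; a tool like AddressSanitizer will flag the vulnerable variant at runtime if fed over-long input, but the hardened variant needs no such tooling to stay in bounds.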
Jason Kent, Hacker in Residence, Cequence Security
November 28, 2019
The top items on this latest “list of CWEs to pay attention to” are about what a user provides to the system for consumption.
Often when these sorts of lists are refreshed we don’t see huge sweeping changes; usually there is a little bit of shifting around. After 8 years, from 2011 until now, I would expect a noticeable change, given they also changed the criteria they used for the list. I didn’t really see a huge change, but what I see is characteristic of something we have been saying for a long time now. The ....
