IEEE Secur Priv. 2021;19(6). doi: 10.1109/msec.2021.3082757

A Decade of Reoccurring Software Weaknesses

Assane Gueye et al. IEEE Secur Priv. 2021.

Abstract

The Common Weakness Enumeration (CWE) community publishes an aggregate metric to calculate the 'Most Dangerous Software Errors' (MDSE). However, the equation used heavily biases frequency over exploitability and impact. We provide a metric, the Most Significant Software Security Weaknesses (MSSW), that mitigates this bias and discuss the most significant software weaknesses over the last ten years.
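To make the frequency bias concrete, the following added example (not code from the paper or its authors) scores a constructed set of CWEs two ways: once with raw frequency min-max normalised and multiplied by min-max normalised mean severity, which is how the 2019 CWE Top 25 methodology is assumed here to compute its score (this page does not state the formula), and once after replacing frequency with its logarithm, one of the transformations plotted in Figure 3. The CWE counts and CVSS means are constructed, not NVD data, and the log-based score is a hypothetical variant, not the paper's MSSW metric.

```python
"""Added example: how min-max normalisation of raw frequency lets a common,
moderate-severity CWE outrank a rare, high-severity one, and how scoring on
log(frequency) instead compresses that spread and changes the ranking.

Assumptions (not stated on this page):
  * the 2019 CWE Top 25 score is taken as Fr * Sv * 100, where Fr is the
    min-max normalised CVE count per CWE and Sv the min-max normalised mean
    CVSS base score (this is the recalled MITRE formula, not quoted here);
  * the log variant simply substitutes log(count) for count before
    normalising; it is a hypothetical score, not the paper's MSSW metric.
The data below are constructed for illustration, not NVD statistics."""
import math

# Constructed sample: CWE id -> (CVEs mapped to it, mean CVSS v3 base score)
SAMPLE = {
    "CWE-79":  (2000, 5.5),   # very frequent, modest severity
    "CWE-20":  (1200, 6.5),   # frequent, moderate severity
    "CWE-787": (600, 8.0),    # mid frequency, high severity
    "CWE-502": (100, 9.0),    # rare, high severity
    "CWE-798": (20, 9.5),     # rarest, highest severity
}


def minmax(values):
    """Scale a list to [0, 1]; the minimum always maps to 0, the maximum to 1."""
    lo, hi = min(values), max(values)
    if hi == lo:
        return [0.0 for _ in values]
    return [(v - lo) / (hi - lo) for v in values]


def score(data, freq_transform=lambda f: f):
    """Return {cwe: Fr * Sv * 100} with Fr computed on freq_transform(count).

    Note the min-max artefact: the rarest CWE (Fr = 0) and the least severe
    CWE (Sv = 0) always score 0, whatever the other factor is."""
    ids = list(data)
    freqs = [freq_transform(data[i][0]) for i in ids]
    sevs = [data[i][1] for i in ids]
    fr, sv = minmax(freqs), minmax(sevs)
    return {i: round(f * s * 100, 2) for i, f, s in zip(ids, fr, sv)}


def raw_scores(data):
    """Assumed MDSE-style score on raw counts."""
    return score(data)


def log_scores(data):
    """Hypothetical variant: same score, computed on log(count)."""
    return score(data, math.log)


def ranking(scores):
    """CWE ids ordered by descending score; ties broken by id for determinism."""
    return sorted(scores, key=lambda i: (-scores[i], i))


if __name__ == "__main__":
    for label, scores in (("raw frequency", raw_scores(SAMPLE)),
                          ("log frequency", log_scores(SAMPLE))):
        print(f"--- {label} ---")
        for cwe in ranking(scores):
            count, sev = SAMPLE[cwe]
            print(f"{cwe:8} count={count:5} cvss={sev:4} score={scores[cwe]:6.2f}")
```

With raw counts, CWE-20 (1200 CVEs, CVSS 6.5) scores roughly four times higher than CWE-502 (100 CVEs, CVSS 9.0); once frequency is passed through a logarithm, CWE-502 moves ahead of CWE-20 while CWE-787 stays on top. The two zero scores at the ends of the table are a property of min-max scaling itself, independent of the transformation.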


Figures

In the captions, MDSE is the CWE community's 'Most Dangerous Software Errors' metric and MSSW is the 'Most Significant Software Security Weaknesses' metric of [4].

Figure 1: CWEs Chosen (Red Triangles) and Not Chosen (Yellow Circles) for an MDSE Top 20 List Relative to Frequency.
Figure 2: CWEs Chosen (Red Triangles) and Not Chosen (Yellow Circles) for an MDSE Top 20 List Relative to Severity.
Figure 3: Normalized Distributions of Frequency (bottom blue line), Log of Frequency (middle yellow line), and Double Log of Frequency (top red line).
Figure 4: CWEs Chosen (Red Triangles) and Not Chosen (Yellow Circles) for an MSSW Top 20 List Relative to Frequency.
Figure 5: CWEs Chosen (Red Triangles) and Not Chosen (Yellow Circles) for an MSSW Top 20 List Relative to Severity.
Figure 6: MDSE Metric Risk Map. CWEs Chosen (Red Triangles) and Not Chosen (Yellow Circles) for an MDSE Top 20 List.
Figure 7: MSSW Metric Risk Map. CWEs Chosen (Red Triangles) and Not Chosen (Yellow Circles) for an MSSW Top 20 List.
Figure 8: The top 10 CWEs during the last 10 years. The ID is in red for injection CWEs, in green for memory corruption CWEs, and in yellow for all others. The most frequent CWEs are represented by the darkest ovals. Top figures are generated using MSSW, bottom figures using the biased MDSE.
Figure 9: The sum of the MSSW scores of all CWEs in the BVC Top 10 list of each year.

References

    1. NIST, "National Vulnerability Database," 2020, accessed 2020-01-10. [Online]. Available: https://nvd.nist.gov
    2. MITRE, "Common Weakness Enumeration," 2019, accessed 2019-12-10. [Online]. Available: https://cwe.mitre.org
    3. MITRE, "2019 CWE Top 25 Most Dangerous Software Errors," 2020, accessed 2020-02-01. [Online]. Available: https://cwe.mitre.org/top25/archive/2019/2019_cwe_top25.html
    4. Galhardo CC, Mell P, Bojanova I, and Gueye A, "Measurements of the most significant software security weaknesses," in Annual Computer Security Applications Conference (ACSAC), 2020, pp. 154-164.
    5. Ross RS, "Guide for conducting risk assessments," NIST, 2012, accessed 2020-01-10. [Online]. Available: https://www.nist.gov/publications/guide-conducting-risk-assessments
