Stubborn Weaknesses in the CWE Top 25
Over the span of the last five publications of the CWE Top 25 Most Dangerous Software Weaknesses (2019-2023), there are 15 weaknesses that have been present in every list. This suggests that despite ongoing visibility to the community, these 15 weaknesses represent the most challenging weaknesses that exist today. A more focused training effort is needed to enhance developer practices to ensure that these weaknesses do not continue to introduce unnecessary risk to customer data and services.
The table below notes these especially stubborn weaknesses. The table also includes references to proposed mitigations for each CWE that can be incorporated into software development programs and training material to reduce the occurrence and impact of that CWE.
Table 1. Stubborn Weaknesses in the CWE Top 25
Each of the stubborn weaknesses identified above can be viewed as falling within one of three informal groupings:
It is notable that, although memory management weaknesses continue to be a source of many reported vulnerabilities, the community is gaining some traction in reducing these types of weaknesses. During the 5-year evaluation period, CWE-119 fell from rank 1 (in year 1) to rank 17 (in year 5) and CWE-190 fell from rank 5 (in year 1) to rank 7 (in year 5). These are small but encouraging developments.
These improvements could be attributed to increased focus on memory weaknesses and mitigations as demonstrated by recent community interest in memory safety issues, as exhibited by:
While all of these stubborn weaknesses continue to be an issue, they can be prevented and mitigated in numerous ways across the lifecycle. The community should continue to push toward moving security left to the architecture and design phases of the lifecycle with proper design and selection of tools for the task at hand.
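The two memory management weaknesses named above, CWE-190 (integer overflow or wraparound) and CWE-119 (improper restriction of operations within the bounds of a memory buffer), commonly appear together: a size computation wraps, a buffer smaller than intended is allocated, and later writes run past its end. The following added example (not code from the CWE Top 25 page or from MITRE) shows the unchecked size computation beside an overflow-checked one and a bounds-checked append, the kind of design-time mitigation the paragraph above refers to. The function and type names (`unchecked_total_bytes`, `checked_total_bytes`, `bounded_buf`, `bounded_append`, `bounded_alloc`) and the sample record count are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CWE-190 pattern: the product silently wraps on overflow, so the number
   of bytes allocated can be far smaller than the caller assumes. Every
   later write past the wrapped size becomes a CWE-119 out-of-bounds write.
   This function only returns the wrapped count; no memory is touched. */
size_t unchecked_total_bytes(size_t count, size_t elem_size)
{
    return count * elem_size;
}

/* Mitigation for CWE-190: check the multiplication before performing it and
   refuse the request when the result cannot be represented in size_t.
   Portable (no compiler builtins): count * elem_size overflows exactly when
   count > SIZE_MAX / elem_size. */
bool checked_total_bytes(size_t count, size_t elem_size, size_t *out)
{
    if (elem_size != 0 && count > SIZE_MAX / elem_size) {
        return false;
    }
    *out = count * elem_size;
    return true;
}

/* A buffer that carries its own capacity so every write can be checked
   against it (CWE-119 mitigation). Invariant: used <= capacity. */
typedef struct {
    unsigned char *data;
    size_t capacity;
    size_t used;
} bounded_buf;

/* Append n bytes only if they fit; refuse rather than overrun. The
   subtraction cannot wrap because of the used <= capacity invariant. */
bool bounded_append(bounded_buf *b, const unsigned char *src, size_t n)
{
    if (n > b->capacity - b->used) {
        return false;
    }
    memcpy(b->data + b->used, src, n);
    b->used += n;
    return true;
}

/* Allocate storage for `count` records of `elem_size` bytes, applying the
   overflow check first. Returns NULL on overflow or allocation failure. */
bounded_buf *bounded_alloc(size_t count, size_t elem_size)
{
    size_t total;
    if (!checked_total_bytes(count, elem_size, &total)) {
        return NULL;
    }
    bounded_buf *b = malloc(sizeof *b);
    if (b == NULL) {
        return NULL;
    }
    b->data = malloc(total ? total : 1); /* avoid malloc(0) ambiguity */
    if (b->data == NULL) {
        free(b);
        return NULL;
    }
    b->capacity = total;
    b->used = 0;
    return b;
}

void bounded_free(bounded_buf *b)
{
    if (b != NULL) {
        free(b->data);
        free(b);
    }
}

int main(void)
{
    /* Constructed sample: a record count chosen so count * 4 wraps around
       size_t (on 64-bit, 2^62 + 1 records of 4 bytes wraps to 4 bytes). */
    size_t bad_count = SIZE_MAX / 4 + 2;
    size_t total;
    printf("unchecked: %zu bytes (wrapped)\n", unchecked_total_bytes(bad_count, 4));
    printf("checked:   %s\n", checked_total_bytes(bad_count, 4, &total) ? "ok" : "rejected");

    /* Legitimate request: 3 records of 4 bytes, then one append too many. */
    bounded_buf *b = bounded_alloc(3, 4);
    unsigned char rec[4] = {1, 2, 3, 4};
    int written = 0;
    for (int i = 0; i < 4; i++) {
        written += bounded_append(b, rec, sizeof rec) ? 1 : 0;
    }
    printf("appended %d of 4 records into a %zu-byte buffer\n", written, b->capacity);
    bounded_free(b);
    return 0;
}
```

The sample count is chosen relative to `SIZE_MAX` so the wraparound is reproduced on both 32-bit and 64-bit targets; the point of the checked path is that the overflow is detected at the size computation, before any allocation or copy, which is where the design-phase mitigation belongs.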
NOTE: This page was revised on September 19, 2023, to update text and links to the most current information.