A look at the 2021 CWE Top 25 most dangerous software weaknesses

The 2021 Common Weakness Enumeration (CWE) Top 25 Most Dangerous Software Weaknesses is a demonstrative list of the most common and impactful software weaknesses observed over the previous two calendar years (2019 and 2020).

These weaknesses are dangerous because they are often easy to find and exploit, and a successful exploit can let an adversary take over a system, steal data, or stop an application from working.

2021 CWE Top 25

The 2021 CWE Top 25 gives developers, testers, and users, as well as project managers, security researchers, and educators, insight into the most severe and current security weaknesses.

“This list is invaluable for security professionals as it highlights the key areas that criminals can exploit. However, it is a worrying, sad state of affairs that many of the top weaknesses, such as SQL injection, have been around for many years and yet have not been properly eliminated. It highlights that as an industry, cybersecurity needs to engage better with those who write code to help them address these weaknesses in their code,” Brian Honan, CEO of BH Consulting, told Help Net Security.

To create the 2021 list, the CWE Team used the Common Vulnerabilities and Exposures (CVE) records in the NIST National Vulnerability Database (NVD), together with the Common Vulnerability Scoring System (CVSS) score attached to each record. A formula was then applied to score each weakness on two factors: prevalence (how many CVEs NVD maps to that CWE) and severity (the average CVSS score of those CVEs), so a weakness ranks highly only when it is both common and serious.
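The scoring step described above, as an added example that is not code from the article, from MITRE, or from the vendors quoted below. It implements the formula documented in the CWE Top 25 methodology: a weakness's frequency (number of NVD CVEs mapped to it) and severity (mean CVSS base score of those CVEs) are each normalized to the 0 to 1 range against the minimum and maximum over all weaknesses, and the score is their product times 100. The CVE records are constructed sample data with placeholder IDs, and skipping records with no CWE mapping is my own assumption about how unmapped NVD entries should be treated.

```python
from statistics import mean

# Constructed sample of NVD-style records: (CVE id, CWE mapped by NVD, CVSS base score).
# IDs are placeholders, not real CVEs.
SAMPLE_CVES = [
    ("CVE-0000-0001", "CWE-787", 9.8),
    ("CVE-0000-0002", "CWE-787", 9.8),
    ("CVE-0000-0003", "CWE-787", 7.8),
    ("CVE-0000-0004", "CWE-787", 7.8),
    ("CVE-0000-0005", "CWE-79", 6.1),
    ("CVE-0000-0006", "CWE-79", 6.1),
    ("CVE-0000-0007", "CWE-79", 6.1),
    ("CVE-0000-0008", "CWE-79", 6.1),
    ("CVE-0000-0009", "CWE-79", 6.1),
    ("CVE-0000-0010", "CWE-89", 9.8),
    ("CVE-0000-0011", "CWE-89", 9.8),
    ("CVE-0000-0012", "CWE-89", 9.8),
    ("CVE-0000-0013", "CWE-200", 5.3),
    ("CVE-0000-0014", None, 9.0),  # assumption: unmapped records are ignored
]


def _normalize(value, lo, hi):
    """Scale value into [0, 1] relative to lo..hi; 0 when every weakness ties."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Return {cwe: score} using the CWE Top 25 formula: Fr(x) * Sv(x) * 100.

    Fr(x) is the normalized count of CVEs mapped to x; Sv(x) is the normalized
    mean CVSS score of those CVEs. Records without a CWE mapping are skipped.
    """
    counts = {}
    cvss_by_cwe = {}
    for _, cwe, cvss in cves:
        if cwe is None:
            continue
        counts[cwe] = counts.get(cwe, 0) + 1
        cvss_by_cwe.setdefault(cwe, []).append(cvss)

    if not counts:
        return {}

    avg_cvss = {cwe: mean(scores) for cwe, scores in cvss_by_cwe.items()}
    min_f, max_f = min(counts.values()), max(counts.values())
    min_s, max_s = min(avg_cvss.values()), max(avg_cvss.values())

    result = {}
    for cwe in counts:
        fr = _normalize(counts[cwe], min_f, max_f)
        sv = _normalize(avg_cvss[cwe], min_s, max_s)
        result[cwe] = round(fr * sv * 100, 2)
    return result


def rank_cwes(cves):
    """Return [(cwe, score), ...] sorted from highest to lowest score."""
    scores = score_cwes(cves)
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for position, (cwe, score) in enumerate(rank_cwes(SAMPLE_CVES), start=1):
        print(f"{position:2d}. {cwe:<8} {score:6.2f}")
```

The sample shows why the multiplication matters: CWE-79 is the most frequent weakness in the set but its low average CVSS pulls it below CWE-89, which is rarer but uniformly critical; CWE-200, being both the least frequent and least severe, normalizes to zero on both axes. The real list applies the same arithmetic to the full NVD population for the two-year window, so one CWE's score is only meaningful relative to the others in the same run.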

“The 2021 CWE Top 25 summarizes what our clients usually find in their proprietary and open source applications using our SAST solution DefenseCode ThunderScan. All of these vulnerability classes have been present for a significant amount of time, some for decades, and it’s clear that these issues are not going away anytime soon. Everybody, from early stage startups to Fortune 500 enterprises, needs to identify and mitigate these vulnerabilities as soon as possible,” said Leon Juranic, CTO at DefenseCode.

In February 2022, WhiteSource acquired DefenseCode.
