Software vulnerability list updated for first time in 8 years

For the first time in almost a decade, the US Homeland Security’s most dangerous software vulnerabilities list has been updated.

It has been 8 years since the ranking of the top 25 software vulnerabilities was last updated. The revision is meant to make the list more relevant and to reflect the current software landscape.

A guide for developers

Unlike the old catalog, the new inventory is based on objective criteria: it draws on reports from security researchers and weights each entry by its real-world severity, exploitation, and prevalence.

The point of the list is to act as guidance for developers so they can build more secure software before its release to the market.

With a score of 75.56, ‘Improper Restriction of Operations within the Bounds of a Memory Buffer’ came in at number one on the list. ‘Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)’ was ranked second with an overall score of 45.69, and ‘Improper Input Validation’ was ranked third with a score of 43.61.

“Great news”

Ilia Kolochenko, founder and CEO of web security company ImmuniWeb, has commented: “This update has been anticipated for a while already and is great news. The newly presented classification and risk-ranking approaches make a lot of sense, however, several entries will probably cause some reasonable controversy amid security professionals.”

“For example, XSS is indeed one of the most prevailing and easily-detectable vulnerabilities affecting modern web applications. Nonetheless, its practical exploitation to get control over web applications and other systems is fairly restrained. Successful exploitation of an XSS, unless it’s a stored one, always requires at least a modicum of social engineering and interaction with a victim. Furthermore, if used to compromise remote systems and not just to inject malicious scripting into a victim’s browser, a chained attack composed of several intertwined but disjointed security flaws is requisite,” he explains.

“Some further fine-tuning of the list may be beneficial to reflect modern-day exploitation techniques and vectors by their prevalence and substantial risk,” the CEO concluded.
