From: Shark8 <onewingedshark@gmail.com>
Subject: Re: MITRE's top-25 list of 2020 software-bug categories
Date: Tue, 25 Aug 2020 12:09:47 -0700 (PDT) [thread overview]
Message-ID: <d552707a-522b-4ac2-824f-1ac1b3f7afe9n@googlegroups.com> (raw)
In-Reply-To: <268eed24-fa23-4cf0-82f1-6f344885858dn@googlegroups.com>
On Saturday, August 22, 2020 at 10:31:16 AM UTC-6, Andreas ZEURCHER wrote:
> https://www.bleepingcomputer.com/news/security/mitre-shares-this-years-top-25-most-dangerous-software-bugs
>
> Proper intended usage of Ada-specific features mitigates 9 of them, including a few that hit interpreted scripting languages hard. Others of the 25 are design-level almost independent of programming language. Still others of the 25 are cavalier/insufficient WWW-oriented string-processing or SQL string-processing or directory-filename string-processing that could be conceivably done just as badly in Ada.
>
> Conversely, if HOLWG were still pursuing their language-design goals today, certainly this MITRE* report would shape the design of an evolving GreenGreenerGreenest language today, instead of Ada solving primarily yesteryear's programming/software-engineering challenges well.
>
> * defense contractor
The interesting portion, in tabular form.
Rank  ID       Name                                                                                        Score
----  -------  ------------------------------------------------------------------------------------------  -----
   1  CWE-79   Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')        46.82
   2  CWE-787  Out-of-bounds Write                                                                         46.17
   3  CWE-20   Improper Input Validation                                                                   33.47
   4  CWE-125  Out-of-bounds Read                                                                          26.50
   5  CWE-119  Improper Restriction of Operations within the Bounds of a Memory Buffer                     23.73
   6  CWE-89   Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')        20.69
   7  CWE-200  Exposure of Sensitive Information to an Unauthorized Actor                                  19.16
   8  CWE-416  Use After Free                                                                              18.87
   9  CWE-352  Cross-Site Request Forgery (CSRF)                                                           17.29
  10  CWE-78   Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')  16.44
  11  CWE-190  Integer Overflow or Wraparound                                                              15.81
  12  CWE-22   Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')              13.67
  13  CWE-476  NULL Pointer Dereference                                                                     8.35
  14  CWE-287  Improper Authentication                                                                      8.17
  15  CWE-434  Unrestricted Upload of File with Dangerous Type                                              7.38
  16  CWE-732  Incorrect Permission Assignment for Critical Resource                                        6.95
  17  CWE-94   Improper Control of Generation of Code ('Code Injection')                                    6.53
  18  CWE-522  Insufficiently Protected Credentials                                                         5.49
  19  CWE-611  Improper Restriction of XML External Entity Reference                                        5.33
  20  CWE-798  Use of Hard-coded Credentials                                                                5.19
  21  CWE-502  Deserialization of Untrusted Data                                                            4.93
  22  CWE-269  Improper Privilege Management                                                                4.87
  23  CWE-400  Uncontrolled Resource Consumption                                                            4.14
  24  CWE-306  Missing Authentication for Critical Function                                                 3.85
  25  CWE-862  Missing Authorization                                                                        3.77
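To make the "Ada-specific features" point concrete, here is a small compilable program (an added example, not code from this thread or from MITRE) showing which language checks apply to four entries in the table: out-of-bounds write/read (CWE-787, CWE-125), integer wraparound (CWE-190), improper input validation (CWE-20) and NULL pointer dereference (CWE-476). The type and subprogram names Byte, Buffer, Port, Byte_Ref, Checked_Demo and the Try_* helpers are my own choices; everything else is standard Ada 2005 with default run-time checks.

```ada
-- Added example, not code from the thread: how Ada's type system and
-- run-time checks address four entries from the MITRE list. Type and
-- subprogram names (Byte, Buffer, Port, Byte_Ref, Checked_Demo) are mine.
with Ada.Text_IO;    use Ada.Text_IO;
with Ada.Exceptions; use Ada.Exceptions;

procedure Checked_Demo is
   type Byte   is range 0 .. 255;             -- constrained integer type
   type Buffer is array (1 .. 8) of Byte;     -- bounds fixed and known to the compiler
   Buf : Buffer := (others => 0);

   -- CWE-787 / CWE-125: every index expression is checked against Buf'Range,
   -- so a bad index raises Constraint_Error instead of touching adjacent memory.
   procedure Store (Index : Integer; Value : Byte) is
   begin
      Buf (Index) := Value;
   end Store;

   -- CWE-190: the result must fit the declared range; no silent wraparound.
   function Add (A, B : Byte) return Byte is
   begin
      return A + B;
   end Add;

   -- CWE-20: validation by subtype. 'Value parses the text and applies the
   -- range check in one step; garbage and out-of-range values both raise.
   subtype Port is Integer range 1 .. 65_535;
   function Parse_Port (Text : String) return Port is
   begin
      return Port'Value (Text);
   end Parse_Port;

   -- CWE-476: a null-excluding access type. "Ref := null;" would not compile.
   type Byte_Ref is not null access all Byte;
   Target : aliased Byte := 7;
   Ref    : Byte_Ref := Target'Access;

   procedure Try_Store (Index : Integer) is
   begin
      Store (Index, 1);
      Put_Line ("Store" & Integer'Image (Index) & ": ok");
   exception
      when E : Constraint_Error =>
         Put_Line ("Store" & Integer'Image (Index) & ": " & Exception_Message (E));
   end Try_Store;

   procedure Try_Port (Text : String) is
   begin
      Put_Line ("Port '" & Text & "' =" & Port'Image (Parse_Port (Text)));
   exception
      when E : Constraint_Error =>
         Put_Line ("Port '" & Text & "': " & Exception_Message (E));
   end Try_Port;
begin
   Try_Store (3);    -- in range
   Try_Store (9);    -- out of range: caught, not a memory write

   begin
      Put_Line ("Add (100, 100) =" & Byte'Image (Add (100, 100)));
      Put_Line ("Add (200, 100) =" & Byte'Image (Add (200, 100)));  -- would wrap in C
   exception
      when E : Constraint_Error =>
         Put_Line ("Add (200, 100): " & Exception_Message (E));
   end;

   Try_Port ("8080");
   Try_Port ("70000");   -- well-formed number, outside the subtype
   Try_Port ("80abc");   -- not a number at all

   Put_Line ("Ref.all =" & Byte'Image (Ref.all));
end Checked_Demo;
```

Build with gnatmake checked_demo.adb (checks are on by default). The point is that the "after" state of each failure is a raised Constraint_Error with a handler of your choosing, not a corrupted buffer, a wrapped counter or a segfault. Note the table entries this does not touch: injection (CWE-79, CWE-89, CWE-78), CSRF, auth/authz and the like are design-level and can be done just as badly in Ada, which is the other half of the original point.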