MITRE Releases 2019 List of Top Security Weaknesses
MITRE has published a list of the most dangerous software errors: weaknesses that, if left unresolved, could lead to a critical vulnerability and, in turn, to code execution and the theft of data.
Developers and those who work with software should be especially wary of errors in how software handles operations on a memory buffer, and in how it neutralizes and validates input.
While many software weaknesses can indicate a problem and lead to vulnerabilities further down the road, these in particular are cause for concern, according to a new list released by MITRE this week.
MITRE, the not-for-profit organization that manages the Common Vulnerabilities and Exposures (CVE) list, a dictionary of disclosed cybersecurity vulnerabilities and exposures, published the list, the Top 25 Most Dangerous Software Errors, on Tuesday. The list aggregates the most pressing weaknesses as classified by its Common Weakness Enumeration (CWE™).
Ordinarily, there are a number of different ways to view MITRE’s CWE: users can look at weaknesses commonly introduced during design, during implementation, and in software written in different languages (C++, Java, and PHP, for example). The weaknesses on this list, updated for the first time since 2011, are labeled dangerous because, if left unaddressed, they could let an attacker execute code on the software, steal data, or simply prevent the software from working.
The difference between this list and the one published nearly a decade ago is that this iteration is actually data-driven, based on CVE advisory data from the National Institute of Standards and Technology (NIST)'s National Vulnerability Database (NVD) and the Common Vulnerability Scoring System (CVSS). The 2011 list was based on surveys and interviews carried out by MITRE.
Three weaknesses take the first three spots: Improper Restriction of Operations within the Bounds of a Memory Buffer; Improper Neutralization of Input During Web Page Generation, or Cross-site Scripting (XSS); and Improper Input Validation.
For the most dangerous weakness, the problem is that some languages allow direct addressing of memory locations without automatically ensuring that those locations are valid for the memory buffer being referenced. This can result in read or write operations being performed on memory locations associated with other data structures or internal program data. An attacker could then execute malicious code, alter the control flow, read sensitive data, or crash the system.
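To make the memory-buffer weakness concrete, here is an added example (not code from the article or from MITRE) showing a fixed-size copy written the way CWE-119 describes, next to a bounds-checked version that rejects input that does not fit. The struct layout, the 16-byte field and the sample names are constructed for illustration; the point is that the unchecked loop has no relationship between the input length and the buffer, while the checked one measures the input without ever looking past the buffer's capacity and leaves the record untouched when it rejects.

```c
/* Added example, not from the article: a CWE-119 style copy beside its
 * bounds-checked form. Layout and sizes are constructed for illustration. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16

/* Constructed record: a fixed-size name field followed by a flag that
 * controls program behaviour. A write past `name` lands on `is_admin`. */
struct account {
    char name[NAME_LEN];
    int  is_admin;
};

/* Weak form: nothing ties the loop bound to NAME_LEN. Writing past
 * name[NAME_LEN - 1] is undefined behaviour in C; in practice it overwrites
 * whatever the compiler placed after the buffer (here, is_admin). */
void set_name_unchecked(struct account *acct, const char *input)
{
    size_t i = 0;
    while (input[i] != '\0') {
        acct->name[i] = input[i];   /* i is never compared with NAME_LEN */
        i++;
    }
    acct->name[i] = '\0';
}

/* Hardened form: measure the input, but never scan further than the buffer
 * can hold, and refuse anything that leaves no room for the terminator.
 * Returns 0 on success, -1 on rejection (record left unchanged). */
int set_name_checked(struct account *acct, const char *input)
{
    size_t len = 0;
    while (len < NAME_LEN && input[len] != '\0') {
        len++;
    }
    if (len >= NAME_LEN) {
        return -1;                  /* too long: nothing is written */
    }
    memcpy(acct->name, input, len + 1);   /* len + 1 copies the '\0' too */
    return 0;
}

int main(void)
{
    struct account acct = { "", 0 };
    /* Constructed inputs: one that fits, one that does not. */
    const char *short_name = "alice";
    const char *long_name  = "a-name-longer-than-sixteen-bytes";

    set_name_unchecked(&acct, short_name);   /* safe only because it fits */
    printf("unchecked copy: name=%s is_admin=%d\n", acct.name, acct.is_admin);

    if (set_name_checked(&acct, long_name) != 0) {
        printf("checked copy rejected a %zu-byte input; record untouched\n",
               strlen(long_name));
    }
    return 0;
}
```

The demo deliberately never runs the unchecked copy on the oversized input: that call is undefined behaviour, and what it does depends on the compiler and build flags, which is exactly why the weakness is ranked as it is. The checked version returns a status instead of silently truncating, so the caller can tell the difference between "stored" and "rejected".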
The rest of the top five is rounded out by common weaknesses including information disclosure and out-of-bounds read.
The full list of MITRE’s most dangerous weaknesses for 2019 is as follows:
| Rank | ID | NVD Count | Avg CVSS | Overall Score |
|------|----|-----------|----------|---------------|
| 1 | CWE-119 | 3545 | 8.045 | 75.56 |
| 2 | CWE-79 | 3430 | 5.778 | 45.69 |
| 3 | CWE-20 | 2360 | 7.242 | 43.61 |
| 4 | CWE-200 | 2300 | 5.778 | 32.12 |
| 5 | CWE-125 | 1428 | 7.242 | 26.53 |
| 6 | CWE-89 | 977 | 5.961 | 24.54 |
| 7 | CWE-416 | 799 | 7.270 | 17.94 |
| 8 | CWE-190 | 867 | 9.129 | 17.35 |
| 9 | CWE-352 | 693 | 8.374 | 15.54 |
| 10 | CWE-22 | 759 | 7.679 | 14.10 |
| 11 | CWE-78 | 486 | 8.365 | 11.47 |
| 12 | CWE-787 | 510 | 7.275 | 11.08 |
| 13 | CWE-287 | 495 | 8.707 | 10.78 |
| 14 | CWE-476 | 572 | 8.169 | 9.74 |
| 15 | CWE-732 | 334 | 8.188 | 6.33 |
| 16 | CWE-434 | 239 | 6.834 | 5.50 |
| 17 | CWE-611 | 262 | 7.949 | 5.48 |
| 18 | CWE-94 | 230 | 8.637 | 5.36 |
| 19 | CWE-798 | 215 | 8.782 | 5.12 |
| 20 | CWE-400 | 288 | 6.980 | 5.04 |
| 21 | CWE-772 | 304 | 6.714 | 5.04 |
| 22 | CWE-426 | 215 | 7.823 | 4.40 |
| 23 | CWE-502 | 177 | 8.921 | 4.30 |
| 24 | CWE-269 | 226 | 7.332 | 4.23 |
| 25 | CWE-295 | 248 | 6.658 | 4.06 |
The list assesses each weakness by what MITRE refers to as its frequency, essentially the number of times a weakness is mapped to a CVE within the National Vulnerability Database. A chart on MITRE’s website also includes an average CVSS score, which reflects the severity of the vulnerabilities, for each weakness.
Developers may find it interesting to review the weaknesses that fell just outside the top 25, including server-side request forgery (SSRF), missing authentication for critical function, and open redirects.
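The article describes the ranking only in words (frequency plus average CVSS). As an added example, not code from the article or from MITRE, the block below writes that out as the normalization MITRE documented for the 2019 methodology: frequency and severity are each min-max scaled across the whole population of CWEs, and the score is their product times 100. The rows are constructed sample data, and the min/max are taken over whatever population is passed in; MITRE scaled against every CWE in its NVD dataset, so recomputing over only the 25 published rows would not reproduce the Overall Score column above.

```c
/* Added example, not from the article: the frequency-times-severity score
 * as written in MITRE's published 2019 CWE Top 25 methodology.
 *   Fr = (count - min_count) / (max_count - min_count)
 *   Sv = (avg_cvss - min_cvss) / (max_cvss - min_cvss)
 *   Score = Fr * Sv * 100
 * All sample rows below are constructed, not real NVD figures. */
#include <stdio.h>

struct cwe_stats {
    const char *id;
    int    nvd_count;   /* CVEs in NVD mapped to this CWE */
    double avg_cvss;    /* mean CVSS base score of those CVEs */
    double score;       /* filled in by score_cwes */
};

/* Scores every row in place, scaling against the min/max of the rows given.
 * Returns 0, or -1 when the population has no spread in counts or in CVSS
 * (which would divide by zero) or when n <= 0. */
int score_cwes(struct cwe_stats *rows, int n)
{
    if (n <= 0) return -1;
    int    min_c = rows[0].nvd_count, max_c = rows[0].nvd_count;
    double min_s = rows[0].avg_cvss,  max_s = rows[0].avg_cvss;
    for (int i = 1; i < n; i++) {
        if (rows[i].nvd_count < min_c) min_c = rows[i].nvd_count;
        if (rows[i].nvd_count > max_c) max_c = rows[i].nvd_count;
        if (rows[i].avg_cvss  < min_s) min_s = rows[i].avg_cvss;
        if (rows[i].avg_cvss  > max_s) max_s = rows[i].avg_cvss;
    }
    if (max_c == min_c || max_s == min_s) return -1;
    for (int i = 0; i < n; i++) {
        double fr = (double)(rows[i].nvd_count - min_c) / (max_c - min_c);
        double sv = (rows[i].avg_cvss - min_s) / (max_s - min_s);
        rows[i].score = fr * sv * 100.0;
    }
    return 0;
}

/* Index of the highest-scoring row (first one wins ties); -1 if n <= 0. */
int top_index(const struct cwe_stats *rows, int n)
{
    if (n <= 0) return -1;
    int best = 0;
    for (int i = 1; i < n; i++) {
        if (rows[i].score > rows[best].score) best = i;
    }
    return best;
}

int main(void)
{
    /* Constructed population: ids and numbers are illustrative only. */
    struct cwe_stats rows[] = {
        { "CWE-A (common, high)",   1000, 8.0, 0.0 },
        { "CWE-B (rarer, highest)",  400, 9.0, 0.0 },
        { "CWE-C (rare, low)",       100, 6.0, 0.0 },
        { "CWE-D (mid, mid)",        700, 7.0, 0.0 },
    };
    int n = (int)(sizeof rows / sizeof rows[0]);

    if (score_cwes(rows, n) != 0) {
        printf("population has no spread; cannot score\n");
        return 1;
    }
    for (int i = 0; i < n; i++) {
        printf("%-24s count=%4d cvss=%.3f score=%6.2f\n",
               rows[i].id, rows[i].nvd_count, rows[i].avg_cvss, rows[i].score);
    }
    printf("top: %s\n", rows[top_index(rows, n)].id);
    return 0;
}
```

The constructed rows are chosen to show the property visible in the real table: CWE-B has the highest average CVSS, but CWE-A, which is far more frequent, scores higher, just as the memory-buffer weakness outranks integer overflow (CWE-190, average CVSS 9.129) in the published list. The row at the population minimum on either axis scores zero regardless of its other value, which is a known consequence of this scaling.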