If your development team is reviewing your product for security vulnerabilities, start where everyone else’s products are vulnerable. In work funded by the Department of Homeland Security (DHS) and the Cybersecurity and Infrastructure Security Agency (CISA), MITRE Corporation maintains the Common Weakness Enumeration (CWE), a formal list of software weakness types. It was created to:

  • Serve as a common language for describing software security weaknesses in architecture, design, or code.
  • Serve as a standard measuring stick for software security tools targeting these weaknesses.
  • Provide a common baseline standard for weakness identification, mitigation, and prevention efforts.

Each year, MITRE publishes the Top 25 Most Dangerous Software Errors, a compilation of the most frequent and critical errors that can lead to serious vulnerabilities in software. An attacker can often exploit these vulnerabilities to take control of an affected system, obtain sensitive information, or cause a denial-of-service condition. This year’s list is now available:

2019 CWE Top 25 Most Dangerous Software Errors