Dear CWE Research Community,
It is our pleasure to share with you a draft version of the 2019 CWE Top 25 Most Dangerous Software Errors. These rankings may change before the final release, as we re-evaluate certain CVE <-> CWE mappings.
Please refer to my previous post to this list on July 16 for an overview of the new methodology used to calculate this new release of the CWE Top 25. In short, we are pulling CWE-related data directly from NVD and using both frequency and an average CVSS score to determine a rank order. The main advantage of this approach is that the Top 25 will be an objective look at what we are actually seeing in the real world.
For the 2019 Top 25, vulnerabilities for the calendar years 2017 and 2018 are used. The CWE Team has worked very hard over the last few months to correct several thousand mis-mapped CVEs, and we have worked with NIST to help improve the mapping of newly reported vulnerabilities with the updated CWE-1003 view.
We will continue our efforts to evaluate these mappings over the coming year to improve things further in advance of a 2020 Top 25. For this upcoming 2019 release, we will provide some explanations for a few inconsistencies such as why CWE-119 is in the list, along with some of its children. In short, this is a cue that we need to improve the mappings that are currently being done, when enough detail is available. The same is true for CWE-20 and CWE-200, both of which are very broad and more specific CWEs are desired.
We look forward to addressing any questions, as well as hearing any thoughts and comments you might have. We certainly appreciate all your interest, participation, and engagement with CWE, and we look forward to your continued support. Thank you!
Alec and the CWE Team
CWE Top 25
Alec J. Summers
Cyber Solutions Division
Cyber Security Engineer, Lead
MITRE - Solving Problems for a Safer World
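The frequency-plus-average-CVSS ranking summarised in the post, as an added example that is not the CWE Team's code: it applies the normalisation published with the 2019 methodology (score = normalised CWE frequency times normalised mean CVSS, times 100) to a constructed set of CVE-to-CWE mappings. The CVE ids and CVSS values are made up, and skipping `CWE-noinfo`/`CWE-Other` entries is an assumption about how unmapped CVEs are kept out of the ranking.

```python
"""Rank CWEs from NVD-style CVE records by frequency and mean CVSS (added example)."""
from collections import defaultdict
from statistics import mean

# Constructed sample records: (placeholder CVE id, mapped CWE, CVSS base score).
# Not real NVD data; CWE-119 deliberately gets a mix of severities to mirror
# the post's point that a broad parent CWE can outrank its children.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-119", 9.8),
    ("CVE-EXAMPLE-0002", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0003", "CWE-119", 5.9),
    ("CVE-EXAMPLE-0004", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0005", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0006", "CWE-79", 5.4),
    ("CVE-EXAMPLE-0007", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0008", "CWE-20", 7.5),
    ("CVE-EXAMPLE-0009", "CWE-20", 9.8),
    ("CVE-EXAMPLE-0010", "CWE-20", 5.3),
    ("CVE-EXAMPLE-0011", "CWE-787", 9.8),
    ("CVE-EXAMPLE-0012", "CWE-787", 8.8),
    ("CVE-EXAMPLE-0013", "CWE-noinfo", 5.0),  # unmapped: excluded (assumed rule)
]


def aggregate(records, skip=("CWE-noinfo", "CWE-Other")):
    """Per CWE: (number of CVEs mapped to it, mean CVSS). Unmapped entries skipped."""
    by_cwe = defaultdict(list)
    for _cve, cwe, cvss in records:
        if cwe not in skip:
            by_cwe[cwe].append(cvss)
    return {cwe: (len(v), mean(v)) for cwe, v in by_cwe.items()}


def _norm(value, lo, hi):
    """Min-max normalise to [0, 1]; a degenerate range maps everything to 0."""
    return 0.0 if hi == lo else (value - lo) / (hi - lo)


def rank_cwes(records):
    """Return [(cwe, score)] high to low: score = norm(freq) * norm(mean CVSS) * 100."""
    agg = aggregate(records)
    freqs = [f for f, _ in agg.values()]
    sevs = [s for _, s in agg.values()]
    ranked = [(cwe, round(_norm(f, min(freqs), max(freqs))
                          * _norm(s, min(sevs), max(sevs)) * 100, 2))
              for cwe, (f, s) in agg.items()]
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    for cwe, score in rank_cwes(SAMPLE_CVES):
        print(f"{cwe:<8} {score:6.2f}")
```

Note that the most frequent CWE (CWE-79 here) scores 0 because its mean CVSS is the lowest in the set, and the most severe (CWE-787) scores 0 because it is the least frequent; the product formula rewards weaknesses that are both common and severe.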