The Homeland Security Systems Engineering and Development Institute (HSSEDI), under the Department of Homeland Security, updated the top 25 Common Weakness Enumeration (CWE) list for the first time in eight years. The CWE list compiles the most critical errors that lead to flaws in software, and it is vital to software developers for maintaining awareness of the weaknesses that can turn into vulnerabilities. The 2019 list marks a significant shift from the subjective approach of the 2011 list to a data-driven one: key weaknesses are now determined by analyzing real-world vulnerabilities reported by researchers, rather than through the personal interviews and expert surveys the 2011 list relied on.
In addition to the CWE list, HSSEDI serves as a source of independent and objective expertise on homeland security needs in areas such as information technology, communications, and cybersecurity. The CWE team is sponsored by the DHS Cybersecurity and Infrastructure Security Agency, and it leveraged roughly 25,000 Common Vulnerabilities and Exposures (CVE) entries reported within the past two years. The ranking is based on a formula that accounts for both the frequency and the severity of each weakness. The list identifies the top weakness as “Improper Restriction of Operations within the Bounds of a Memory Buffer.”
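The frequency-and-severity scoring described above, worked through on a small data set, as an added example that is not part of the article or the CWE team's own tooling. It assumes the formula MITRE published for the 2019 method (score = normalized CVE count × normalized mean CVSS × 100, with min-max normalization over the per-CWE values); the CVE records below are constructed placeholders, not real entries.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records: (CVE id, CWE id, CVSS base score).
# The ids are placeholders that exist only to exercise the formula.
SAMPLE_CVES = [
    ("CVE-EXAMPLE-0001", "CWE-119", 9.8), ("CVE-EXAMPLE-0002", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0003", "CWE-119", 8.8), ("CVE-EXAMPLE-0004", "CWE-119", 7.5),
    ("CVE-EXAMPLE-0005", "CWE-79", 6.1), ("CVE-EXAMPLE-0006", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0007", "CWE-79", 5.4), ("CVE-EXAMPLE-0008", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0009", "CWE-79", 6.1),
    ("CVE-EXAMPLE-0010", "CWE-89", 9.8), ("CVE-EXAMPLE-0011", "CWE-89", 9.8),
    ("CVE-EXAMPLE-0012", "CWE-200", 5.3),
    ("CVE-EXAMPLE-0013", None, 7.2),  # no CWE mapping: cannot be attributed
]


def normalize(value, lo, hi):
    """Min-max normalize into [0, 1]; a constant set maps to 1.0 (chosen convention)."""
    return 1.0 if hi == lo else (value - lo) / (hi - lo)


def score_cwes(cves):
    """Return {cwe_id: score} with score = Fr * Sv * 100.

    Fr: the CWE's CVE count, normalized across all CWEs seen.
    Sv: the CWE's mean CVSS score, normalized the same way.
    Records without a CWE mapping are skipped.
    """
    cvss_by_cwe = defaultdict(list)
    for _cve_id, cwe, cvss in cves:
        if cwe is not None:
            cvss_by_cwe[cwe].append(cvss)
    if not cvss_by_cwe:
        return {}
    counts = {cwe: len(s) for cwe, s in cvss_by_cwe.items()}
    averages = {cwe: mean(s) for cwe, s in cvss_by_cwe.items()}
    lo_c, hi_c = min(counts.values()), max(counts.values())
    lo_s, hi_s = min(averages.values()), max(averages.values())
    return {cwe: normalize(counts[cwe], lo_c, hi_c)
            * normalize(averages[cwe], lo_s, hi_s) * 100
            for cwe in cvss_by_cwe}


def rank_cwes(cves):
    """Order CWEs by descending score, the way the Top 25 list is ordered."""
    return sorted(score_cwes(cves).items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    for cwe, score in rank_cwes(SAMPLE_CVES):
        print(f"{cwe:8s} {score:6.2f}")
```

Note how the most frequent weakness in the sample (CWE-79) ranks below the rarer but more severe CWE-89: the product of the two normalized factors, not frequency alone, decides the order.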