Out-of-Bounds Write - The Most Dangerous U.S. Software Vulnerability

Posted by Megiddo (President, staff member)
The US government has published a list of 25 software weaknesses that have disastrous consequences.

The US government has rated the most common and significant software weaknesses that lead to dangerous vulnerabilities in systems and applications.

The CWE Top 25 list was prepared by specialists from the HSSEDI (Homeland Security Systems Engineering and Development Institute), which operates under the auspices of the Department of Homeland Security and the non-profit organization MITRE.

CWE (Common Weakness Enumeration) is a standard that describes types of software weaknesses, such as errors, bugs, flaws, and others. CWE differs from CVE (Common Vulnerabilities and Exposures), which assigns an identifier to each specific vulnerability found in software.

The CWE Top 25 list is calculated by analyzing public vulnerability data in the National Vulnerability Database (NVD) for the last 2 calendar years. Data on vulnerabilities that attackers exploited in real attacks, taken from the CISA Known Exploited Vulnerabilities (KEV) catalog, are also taken into account.

  • At the head of the rating is the out-of-bounds write, which can lead to a buffer overflow and the execution of arbitrary code.
  • In second place is cross-site scripting (XSS), which allows an attacker to inject malicious code into web pages and steal user data.
  • In third place is SQL injection, which makes it possible to execute arbitrary queries against databases and gain access to confidential information.
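
As an added example (not from the original post, and not code from MITRE or CISA), the C snippet below shows the top-ranked weakness, the out-of-bounds write (CWE-787), as the weak pattern placed beside a hardened version. The record size, function names and the message contents are constructed for illustration; the point is that the write is bounded by the destination's size rather than by a length the peer supplies.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: a fixed-size record buffer that a length field
   taken from untrusted input is used to fill. Names and sizes are
   illustrative, not from any real project. */
#define RECORD_SIZE 16

/* Weak pattern (CWE-787): trusts the untrusted length and writes past
   the end of `dst` whenever len > RECORD_SIZE. Shown for comparison
   only; it is never called below. */
void store_record_unchecked(uint8_t dst[RECORD_SIZE], const uint8_t *src, size_t len) {
    memcpy(dst, src, len);          /* no bounds check at all */
}

/* Hardened version: the copy is bounded by the destination size.
   Returns 0 on success and -1 when the input would not fit, so the
   caller can reject the message instead of silently truncating it. */
int store_record_checked(uint8_t dst[RECORD_SIZE], const uint8_t *src, size_t len) {
    if (src == NULL || len > RECORD_SIZE) {
        return -1;
    }
    memcpy(dst, src, len);
    if (len < RECORD_SIZE) {
        /* deterministic padding so no stale bytes remain in the record */
        memset(dst + len, 0, RECORD_SIZE - len);
    }
    return 0;
}

/* Demo helper: builds a constructed message of `len` bytes of 'A' and
   tries to store it through the checked routine. */
int try_store(size_t len, uint8_t out[RECORD_SIZE]) {
    uint8_t msg[64];
    if (len > sizeof msg) {
        return -1;
    }
    memset(msg, 0x41, len);
    return store_record_checked(out, msg, len);
}

int main(void) {
    uint8_t rec[RECORD_SIZE];
    printf("8 bytes:  %d\n", try_store(8, rec));   /* 0: fits, rest zero-padded */
    printf("16 bytes: %d\n", try_store(16, rec));  /* 0: exactly fills the record */
    printf("40 bytes: %d\n", try_store(40, rec));  /* -1: rejected, no overflow */
    return 0;
}
```

The checked routine treats the claimed length as data to validate, not as a trusted size, which is the general mitigation for this weakness class regardless of the protocol or file format the length comes from.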
The US Cybersecurity and Infrastructure Security Agency (CISA) recommends that developers and product security teams review the CWE Top 25 list and take the necessary measures to prevent or reduce the risk of these weaknesses. The agency also plans to publish additional articles on the rating methodology, trends in how vulnerabilities are mapped, and other useful topics.

The US cybersecurity agencies CISA and NSA stated in their recent joint guidance that baseboard management controllers (BMCs) are a weak link in critical infrastructure systems that attackers can exploit to gain access to networks and data.

A BMC makes it possible to remotely monitor and control computers and servers even when the system is powered off. However, because of their high privilege level and their accessibility from the network, these devices often attract the attention of intruders, who can use them as an entry point for various cyber attacks.

Recall that the popular npm package registry suffers from a security problem called "Manifest Confusion", which undermines trust in packages and enables intruders to hide malicious code in dependencies or to execute malicious scripts when packages are installed.