A new study reveals alarming statistics of the most common vulnerabilities.
According to a new analysis by Dogesec, over the past years developers have continued to make the same security mistakes, including storing passwords directly in source code, which compromises the security of the software. From October 2023 to September 2024, 37,439 vulnerabilities were identified, of which 35,346 were assigned CWE codes, covering 520 unique weakness types.
The most common weakness was CWE-79 – XSS (Cross-Site Scripting), which accounted for 6,006 cases – about 17% of all reported cases.
SQL injection vulnerabilities (CWE-89) are fundamental to web security and are regularly mentioned in secure code development guidelines, including OWASP.
Other commonly encountered weaknesses include CWE-352 (Cross-Site Request Forgery, CSRF), CWE-787 (Out-of-bounds Write), CWE-862 (Missing Authorization), and CWE-22 (Path Traversal).
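To show why CWE-79 and CWE-89 keep topping such lists, here is an added illustration (not part of the original post or the Dogesec study) that places the weak pattern beside the fix for each: string-built SQL against a constructed in-memory SQLite table versus a parameterized query, and raw HTML interpolation versus output encoding with `html.escape`. The table contents and function names are assumptions made for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory user table standing in for a real store (example data only)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def find_role_unsafe(conn: sqlite3.Connection, name: str) -> list:
    # CWE-89: the caller's input is pasted into the SQL text, so any quote in
    # it changes the query's structure instead of being treated as data.
    query = f"SELECT role FROM users WHERE name = '{name}'"
    return sorted(row[0] for row in conn.execute(query).fetchall())


def find_role_safe(conn: sqlite3.Connection, name: str) -> list:
    # Parameterized query: the driver binds `name` as a value, never as SQL,
    # so the same input simply matches no row.
    query = "SELECT role FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(query, (name,)).fetchall())


def greet_unsafe(name: str) -> str:
    # CWE-79: untrusted text dropped into HTML without encoding; a '<' in the
    # name becomes markup in the browser.
    return f"<p>Hello, {name}</p>"


def greet_safe(name: str) -> str:
    # Output encoding: HTML metacharacters are turned into entities, so the
    # browser renders the name as text.
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


if __name__ == "__main__":
    db = make_db()
    print(find_role_unsafe(db, "alice"), find_role_safe(db, "alice"))
    print(greet_unsafe("<b>x</b>"), greet_safe("<b>x</b>"))
```

The useful comparison is to run both lookups with an input containing a single quote: the concatenated version lets the quote alter the `WHERE` clause, while the bound version returns nothing, which is exactly the property the OWASP guidance the post mentions is asking for.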
Among the basic mistakes:
- CWE-532 (inclusion of sensitive data in logs – 247 cases),
- CWE-798 (use of hard-coded passwords – 213 cases),
- CWE-306 (missing authentication for a critical function – 208 cases).
These vulnerabilities affect manufacturers both large and small, including Cisco and IBM, as well as equipment whose firmware is harder to update once such problems are found.
The data shows that addressing XSS and SQL injection vulnerabilities is still an important task. Developers should pay attention to preventing sensitive data from being stored in code, and firmware vendors should pay attention to implementing stronger security mechanisms in their products.
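As an added example (not from the original post or the Dogesec report), the following Python scans a few constructed source lines for the two "basic mistakes" named above, a credential assigned as a string literal (CWE-798) and a secret-looking variable handed to a logging call (CWE-532), and shows the hardened pattern of loading the credential from the environment. The sample lines, regexes and function names are assumptions; the heuristics are deliberately simple and would need tuning for a real code base.

```python
import os
import re

# Constructed sample source (not from any real project). Lines 2-3 embed a
# credential in code, line 4 writes it to a log, line 6 is the safe pattern.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal"
DB_PASSWORD = "hunter2"
api_token = 'tok_EXAMPLE_000000000000'
logger.info("connecting with password=%s", DB_PASSWORD)
logger.debug("request headers: %s", headers)
password = os.environ["DB_PASSWORD"]
"""

# Identifier fragments that usually name a secret.
SECRET_NAME = r"(?:passw(?:or)?d|secret|api[_-]?key|token)"

# CWE-798: a secret-looking variable assigned a quoted literal.
HARDCODED = re.compile(rf"^\s*\w*{SECRET_NAME}\w*\s*=\s*['\"][^'\"]+['\"]", re.I)

# CWE-532: a logging or print call whose arguments mention a secret-looking name.
LOGGED = re.compile(rf"\b(?:log(?:ger|ging)?\.\w+|print)\s*\(.*{SECRET_NAME}", re.I)


def scan(source: str) -> list:
    """Return (line number, CWE id) for each line matching one of the heuristics."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if HARDCODED.search(line):
            findings.append((lineno, "CWE-798"))
        elif LOGGED.search(line):
            findings.append((lineno, "CWE-532"))
    return findings


def load_secret(name: str, env=None) -> str:
    """Hardened pattern: read the credential from the environment (or a secret
    manager behind the same interface) rather than from source code. The
    error message names the variable, never its value, so it is safe to log."""
    env = os.environ if env is None else env
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set")
    return value


if __name__ == "__main__":
    for lineno, cwe in scan(SAMPLE_SOURCE):
        print(f"line {lineno}: {cwe}")
```

Running the scanner on the sample flags lines 2 and 3 as hard-coded credentials and line 4 as a secret reaching a log, while line 6, which reads the value through the environment, produces no finding; a check like this fits naturally into a pre-commit hook or CI step.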