Are there too many “top software vulnerabilities” lists? Or are they the wrong lists?
As we all know, sometimes there can be too much of a good thing. Which may be the case in the world of tracking and flagging software vulnerabilities.
Lists of vulnerabilities are a very good thing. Software pretty much runs the world, or doesn’t when it’s vulnerable to malicious hackers. If those who build and use software products don’t know about vulnerabilities in them, they won’t know what needs patching. And unpatched vulnerabilities can lead to a familiar parade of horribles: Theft of identity, bank accounts, credit cards, and intellectual property; compromised smart home systems; and malfunctions or breakdowns in everything from vehicles to critical infrastructure.
Which is why organizations like the Open Web Application Security Project (OWASP) have been publishing top 10 lists of vulnerabilities for more than two decades.
The goal is to identify the worst of the worst — vulnerabilities that can cause the most damage and/or that are the easiest for hackers to exploit. The list helps organizations set priorities — what to fix first.
Indeed, it’s almost impossible for the average organization to keep track of, let alone mitigate, every vulnerability discovered. Last year, the National Vulnerability Database (NVD), within the National Institute of Standards and Technology (NIST), recorded 28,831 vulnerabilities, up from 25,081 in 2022.
OWASP’s now-iconic top 10 lists obviously bring that down to a much more manageable level.
More and more players
But OWASP isn’t the only player in the space. The security awareness training firm SANS Institute has a top 25 list culled from the Common Vulnerability Scoring System (part of the NVD). In June, MITRE Corp. published its “Common Weakness Enumeration Top 25 Most Dangerous Software Weaknesses,” culled from the 31,770 records in its Common Vulnerabilities and Exposures dataset.
And earlier this month, the federal Cybersecurity and Infrastructure Security Agency (CISA), the FBI, the National Security Agency, and Five Eyes cybersecurity authorities (Australia, Canada, New Zealand, the United Kingdom, and the U.S.) joined the “top vulnerabilities list” club. The agencies released an advisory on the CISA website titled “2023 Top Routinely Exploited Vulnerabilities” with 15 on the list, most of them first exploited as so-called zero-days, which means they were being exploited while no patch was yet available for them.
So, is this a good, “the more the merrier” kind of thing? Perhaps. More warning lists are obviously more comprehensive. With lists like these, nobody can say they haven’t been warned. And as noted, software vulnerabilities can mess up your home, your business, your entire life.
Even dozens of lists of the worst of the worst — vulnerabilities that are the easiest to exploit or that can cause the most damage — still add up to only a few hundred rather than tens of thousands. As noted, they can help you set priorities.
Still, the danger of an increasing blitz of warnings from multiple different directions is that it could lead to warning fatigue, where the recipients tune them out like white noise. It could also lead to the perception that all those potential risks aren’t much different from the risk of every other car on a superhighway. Unfortunately, it’s not like that — on the highway every other driver isn’t trying to crash into you or nudge you into a utility pole.
So it’s important that the messages get through. And Ray Kelly, senior manager of software engineering at the software security company Black Duck, said too many lists from too many sources can make things confusing.
“It can be very confusing for customers. It’s even confusing for us,” he said, noting that customers often ask what ratings methodology Black Duck is using, which includes three versions of the Common Vulnerability Scoring System of the NVD, NIST, SANS, and multiple years of the OWASP list. “And it’s just luck if we’re using what the customer uses. It’s a mess out there,” he said.
But Jim Manico, founder and CEO of Manicode Security and a volunteer and former global board member of OWASP, said of the recently issued list from CISA, “It looks very solid. Why not?”
So maybe, at least so far, it’s a case of the more the merrier. As would be expected there is some overlap among the various lists, but there are plenty that aren’t duplicates. The only vulnerabilities the OWASP and CISA lists have in common are broken access control, SQL injection, and authentication bypass/failures.
The OWASP list also includes cryptographic failures, insecure design, security misconfiguration, vulnerable and outdated components, software and data integrity failures, security logging and monitoring failures, and server-side request forgery.
The CISA list also includes heap-based buffer overflow, privilege escalation, remote code execution, improper access control, information disclosure, and improper input validation.
And the reality is, the need is urgent for all these defects to be fixed. Ignoring them is the equivalent of failing to secure your physical assets, like leaving the door to your home, business, or car unlocked.
According to the CISA advisory, “Malicious cyber actors exploited more zero-day vulnerabilities to compromise enterprise networks in 2023 compared to 2022, allowing them to conduct operations against higher priority targets.”
The wrong lists?
But then, maybe the industry is making lists of the wrong things. That’s the view of Tanya Janca, founder and CEO of She Hacks Purple Consulting, head of education and community at Semgrep, and a former OWASP Ottawa chapter leader.
Janca argues that the lists ought to be about ways to prevent, defend against, and mitigate vulnerabilities, rather than of the vulnerabilities themselves.
“The lists we use the most should be top defenses and mitigations. Defenses that stop several vulnerabilities completely. Mitigations that reduce the damage of many forms of attack,” she said.
“We, as an industry, have only a very small message that we can deliver widely, and I think we are completely missing the mark when we emphasize memorization of a list of vulnerabilities instead of teaching everyone to write safer code.”
“This is what I teach,” she added. “Customers always insist that I add the top 10. I teach the defenses, and then when we do the vulnerability lists I say ‘Remember defenses 1, 3 and 6? That’s right, you already know how to prevent this.’ My defenses cover the entire list except for XXE [XML External Entity], which is an infrastructure setting, not software.”
To that, the CISA advisory seems to be suggesting “why not both?” In addition to the list of vulnerabilities, it comes with lengthy, separate lists of recommended defenses and mitigations for vendors and developers, designers, and end-user organizations “to help ensure their products are secure by design and default.”
For example, the recommendations for vendors and developers include:
- Identify repeatedly exploited classes of vulnerabilities, and fix them.
- Ensure business leaders are responsible for security.
- Follow the NIST Secure Software Development Framework and implement secure by design practices into each stage of software development.
- Conduct due diligence in selecting software components like software libraries, modules, middleware, and frameworks, to ensure robust security in consumer software products.
- Configure production-ready products to have the most secure settings by default and provide guidance on the risks of changing each setting.
- Prioritize secure-by-default configurations such as eliminating default passwords, implementing single sign on (SSO) technology via modern open standards, and providing high-quality audit logs to customers with no additional configuration necessary and at no extra charge.
- Ensure published CVEs include the proper CWE field identifying the root cause of the vulnerability to enable industry-wide analysis of software security and design flaws.
The list for end users is the longest, but the most emphatic recommendations are to keep their software up-to-date and secure their software supply chain, which is an impossible manual task given the dizzying number of components and so-called “dependencies” in even the simplest applications.
Among the ways to improve software supply chain security are to use an automated software composition analysis tool to find known vulnerabilities and possible licensing conflicts in open source software components, and to demand a Software Bill of Materials (SBOM) from the vendors of every software product they buy. As the advisory puts it, an SBOM will “enhance vulnerability monitoring and help reduce time to respond to identified vulnerabilities.”
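To make concrete what “an SBOM will enhance vulnerability monitoring” means in practice, here is an added example, not code from this article, from CISA, or from any SCA vendor. It takes a small constructed CycloneDX-style SBOM, matches each component’s package URL against a constructed vulnerability feed (the advisory IDs `EXAMPLE-VULN-000x`, package names and version ranges are placeholders modelled on the shape of NVD/OSV records, not real ones), and reports which components fall inside an affected version range. This is the core of what an automated software composition analysis tool does against a real feed, shown here so the mechanism is visible.

```python
import json

# Constructed sample SBOM in CycloneDX-style JSON. The product, component names
# and versions are invented for this example and describe no real software.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "example-xml-parser", "version": "2.4.1",
         "purl": "pkg:maven/org.example/example-xml-parser@2.4.1"},
        {"type": "library", "name": "example-web-framework", "version": "5.3.0",
         "purl": "pkg:pypi/example-web-framework@5.3.0"},
        {"type": "library", "name": "example-logging", "version": "1.9.2",
         "purl": "pkg:maven/org.example/example-logging@1.9.2"},
    ],
})

# Constructed vulnerability feed. IDs, ranges and CWE mappings are placeholders
# shaped like NVD/OSV "introduced"/"fixed" records; none refers to a real advisory.
KNOWN_VULNS = [
    {"id": "EXAMPLE-VULN-0001", "package": "pkg:maven/org.example/example-xml-parser",
     "introduced": "2.0.0", "fixed": "2.4.3", "cwe": "CWE-611"},
    {"id": "EXAMPLE-VULN-0002", "package": "pkg:pypi/example-web-framework",
     "introduced": "5.0.0", "fixed": "5.2.9", "cwe": "CWE-89"},
    {"id": "EXAMPLE-VULN-0003", "package": "pkg:maven/org.example/example-logging",
     "introduced": "2.0.0", "fixed": "2.1.0", "cwe": "CWE-502"},
]


def parse_version(version):
    """Turn '2.4.1' into (2, 4, 1) so versions compare numerically, not as strings
    (string comparison would wrongly rank '2.10.0' below '2.9.0')."""
    return tuple(int(part) for part in version.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed, the half-open range convention used
    by OSV-style feeds: the 'fixed' version itself is no longer affected."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def split_purl(purl):
    """Separate package identity from version in 'pkg:type/namespace/name@version'.
    Qualifiers ('?...') and subpaths ('#...') that real purls may carry are not
    handled here; a production matcher must normalise them first."""
    package, _, version = purl.rpartition("@")
    return package, version


def find_affected_components(sbom_json, vulns):
    """Cross-reference every SBOM component against the feed and return findings,
    each carrying enough detail (component, version, fix version, CWE) to prioritise
    the patch and to tell the vendor what to remediate."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        purl = component.get("purl")
        if not purl:
            # Components without a purl cannot be matched reliably; real tools flag
            # these as a coverage gap rather than silently treating them as clean.
            continue
        package, version = split_purl(purl)
        for vuln in vulns:
            if package == vuln["package"] and is_affected(
                version, vuln["introduced"], vuln["fixed"]
            ):
                findings.append({
                    "component": component["name"],
                    "version": version,
                    "advisory": vuln["id"],
                    "cwe": vuln["cwe"],
                    "fixed_in": vuln["fixed"],
                })
    return findings


if __name__ == "__main__":
    for finding in find_affected_components(SAMPLE_SBOM, KNOWN_VULNS):
        print(f"{finding['component']} {finding['version']}: {finding['advisory']} "
              f"({finding['cwe']}), upgrade to >= {finding['fixed_in']}")
```

Run against the constructed inputs, only `example-xml-parser` 2.4.1 is reported: `example-web-framework` 5.3.0 is past its fix version, and `example-logging` 1.9.2 is below the range where its advisory applies. The half-open range check is the part worth getting right; treating the fixed version as still affected produces false positives that feed exactly the warning fatigue discussed above.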
With lists like these, nobody can say they haven’t been warned from multiple credible sources. Nor do they have any excuses — they can’t say they haven’t been told what to do. Yet, far too many organizations aren’t doing it — sometimes for years.
As the CISA advisory puts it, “malicious cyber actors continue to have the most success exploiting vulnerabilities within two years after public disclosure of the vulnerability. The utility of these vulnerabilities declines over time as more systems are patched or replaced. Malicious cyber actors find less utility from zero-day exploits when international cybersecurity efforts reduce the lifespan of zero-day vulnerabilities.”
Bottom line: Don’t be among those who leave their doors unlocked for two years or more.