{"id":21075,"date":"2024-06-25T11:25:33","date_gmt":"2024-06-25T18:25:33","guid":{"rendered":"https:\/\/webdev.securin.xyz\/?p=21075"},"modified":"2024-06-25T11:25:33","modified_gmt":"2024-06-25T18:25:33","slug":"secure-by-design-whats-next","status":"publish","type":"post","link":"https:\/\/webdev.securin.xyz\/articles\/secure-by-design-whats-next\/","title":{"rendered":"Secure by Design: What\u2019s Next?"},"content":{"rendered":"\t\t
Being among the first to sign CISA’s Secure by Design pledge at RSA was a highlight for us at Securin. As tech leaders, we know there’s never been a better – or more crucial – time to incentivize good security practices and transparency across industries.

It also underlines the importance of reframing how we talk about and address the fundamental challenge of vulnerability and weakness in widely used software. As our own research at Securin indicates, many of the vulnerabilities exploited today are ones that could have been prevented. Let’s take a look:

Challenges of Vulnerabilities and Weaknesses
1. If you focus priorities and efforts entirely on the MITRE Top 25, there’s a good chance you’ll miss a highly weaponized, lesser-known weakness that’s relevant to your specific systems. Think about it: our industry is calling out for risk-based prioritization, but we rely on a Top 25 based on CVSS scores. Nine out of the Top 25 weaknesses across ransomware-exploited CVEs are absent from the MITRE Top 25 list. We see the same concerning trends across CISA KEVs, where eight of the Top 25 weaknesses are outside the MITRE Top 25.
These differences between the weaknesses that foster exploitation and the MITRE Top 25 can impede progress in the encouraging Shift Left movement. On the bright side, MITRE itself acknowledges the gap; since 2023 it has released its Top 10 CISA KEV Weaknesses.

2. There’s also the unfortunate reality that while some vulnerabilities have been around for a long time, they’re not gathering any dust: as we see with cross-site scripting (XSS), developers are coding the same errors into web applications over and over again. Not out of malice or slackness, but because modern web applications are often complex, with numerous interconnected components and dependencies.

3. But if we want secure coding practices, and a focus on eliminating repeatedly exploited software bugs and weaknesses, we have to equip developers with the knowledge and insights they need. How can they know which classes of weakness exhibit these dangerous patterns? The answer is based on Known Exploitation insights, in our next bullet point…

4. Top 5 Weakness Categories developers should focus on eliminating: