No surprises in the top 25 most dangerous software errors
An in-depth study of reported bugs has produced a list of the top 25 bug categories in software today. Those topping the list are decades old, showing us that we've a long way to go in the journey to creating quality software.
The Common Weakness Enumeration (CWE) project analysed reams of bug data from the Common Vulnerabilities and Exposures (CVE) database as part of its research. The CVE gets thousands of new bugs each year, and the CWE classifies them to help guide software analysis and testing.
In 2005, it began collecting these bugs into categories, building on internal work by MITRE (the organisation which began the CVE list). The idea was to publish a standard list of common software security weaknesses, giving developers and tool vendors a framework to work from when assessing software for security bugs.
This is the first CWE top 25 since 2011, and we were hoping for some analysis of the key movers, Top-Of-The-Pops style. Sadly, that's not really possible because CWE changed its approach this time around. It remapped the CVEs to a broader list of categories. It also took a more data-focused approach by mining the National Vulnerability Database (NVD). The 2011 study used surveys and personal interviews with developers, security analysts, and vendors.