AppSec · 2026-04-10 · 7 min read

Tuning Your Scanner to the 2024 CWE Top 25 Without Drowning in False Positives

MITRE published the 2024 CWE Top 25. Several rankings shifted meaningfully. Here's how to configure your scanner for maximum coverage of the current threat landscape.

How to configure your scanner for the CWE Top 25 2024

  1. Enable Tier 1 rules with high confidence. Turn on rules for CWE-79 (XSS), CWE-89 (SQL Injection), CWE-78 (OS Command Injection), CWE-22 (Path Traversal), CWE-352 (CSRF), CWE-918 (SSRF), and CWE-20 (Input Validation). These have low false-positive rates with modern AST-based detection.
  2. Enable Tier 2 context-aware rules. Turn on CWE-601 (Open Redirect), CWE-611 (XXE), and CWE-1021 (Improper Restriction of Rendered UI Layers). These need framework-specific tuning to suppress noise. Start in observe mode, then enforce.
  3. Configure language-specific add-ons. For C/C++ codebases add CWE-125 and CWE-787 (out-of-bounds read/write) plus CWE-416 (use-after-free). For Go, Rust, and Java add CWE-190 (Integer Overflow) and CWE-476 (NULL Pointer Dereference). Interpreted-language stacks rarely need memory-safety CWEs.
  4. Enable AST taint tracking for injection CWEs. CWE-89 and CWE-78 need data-flow tracing from source to sink for credible detection. Pure regex rules produce high false-positive rates on parameterized queries. Confirm your scanner uses AST + taint, not regex alone.
  5. Map findings to OWASP and compliance presets. Annotate every finding with its OWASP Top 10:2025 category and any active compliance preset (HIPAA, PCI-DSS, CMMC, FedRAMP). This compresses triage time and produces multi-framework evidence from a single scan.

CWE Top 25 2024: The Rankings and What Moved

MITRE's 2024 CWE Top 25 (released November 2024) is based on NVD CVE data from 2023-2024. The methodology weights both frequency and severity, giving a more accurate picture of real-world risk than frequency alone.

The 2024 Top 10

Rank  CWE      Weakness                                    Score
   1  CWE-79   Cross-site Scripting                        56.92
   2  CWE-787  Out-of-bounds Write                         45.20
   3  CWE-89   SQL Injection                               35.88
   4  CWE-416  Use After Free                              32.52
   5  CWE-78   OS Command Injection                        27.42
   6  CWE-20   Improper Input Validation                   26.06
   7  CWE-125  Out-of-bounds Read                          25.54
   8  CWE-22   Path Traversal                              23.66
   9  CWE-352  Cross-Site Request Forgery                  19.07
  10  CWE-434  Unrestricted Upload of Dangerous File Type  14.63

Notable Changes from 2023

CWE-787 (Out-of-bounds Write) rose significantly due to the volume of memory safety CVEs in 2023-2024, driven largely by browser engine and kernel vulnerabilities. For application developers, this is primarily relevant in C/C++ codebases and embedded systems.

CWE-502 (Deserialization of Untrusted Data) dropped from 12 to 15, but the risk has not diminished. It's less frequent in new CVEs because more codebases have migrated away from vulnerable serialization libraries after years of high-profile exploitation.

CWE-918 (SSRF) entered the list at #16, reflecting the massive increase in SSRF-based attacks against cloud metadata APIs (AWS IMDS, GCP metadata server).

Scanner Configuration Implications

For interpreted language stacks (Python, JavaScript, TypeScript, Ruby), the actionable CWEs are:

Tier 1. Configure with high confidence rules:

  • CWE-79, CWE-89, CWE-78, CWE-22, CWE-352, CWE-918, CWE-20

Tier 2. Configure with context-aware rules (higher false positive rate):

  • CWE-601 (Open Redirect), CWE-611 (XXE), CWE-1021 (Improper Restriction of Rendered UI Layers)

Tier 3. Requires manual review:

  • CWE-284, CWE-269 (access control logic is application-specific)

For compiled language stacks (Go, Rust, Java), add:

  • CWE-190 (Integer Overflow), CWE-476 (NULL Pointer Dereference), CWE-125/787 for C/C++

Taint Analysis vs. Regex for Top 25

CWE-89 and CWE-78 require taint analysis for accurate detection. Pure regex rules produce high false-positive rates on parameterized queries that look like string concatenation. AST-based taint tracking (tracing data flow from input source to sink) is the baseline requirement for credible Top 25 coverage.
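To make the taint-versus-regex point in step 4 and this section concrete, here is an added example (not Deva's engine or any scanner's rule set): a minimal AST taint tracker for CWE-89 over straight-line Python, with a naive regex rule beside it. Both constructed samples contain the same query literal; only the first lets request data reach the query argument of execute(). Assumed conventions: anything read from `request.*` is the only source and `.execute()` the only sink.

```python
import ast
import re

class TaintScanner(ast.NodeVisitor):
    # Minimal intraprocedural taint tracker for CWE-89: request.* is the source, execute() the sink.
    def __init__(self):
        self.tainted = set()   # variable names currently holding attacker-controlled data
        self.findings = []     # (line number, message)

    def is_tainted(self, node):
        if isinstance(node, ast.Name):
            return node.id in self.tainted
        if isinstance(node, (ast.Attribute, ast.Subscript)):   # request.args["id"], user.strip
            root = node
            while isinstance(root, (ast.Attribute, ast.Subscript)):
                root = root.value
            return isinstance(root, ast.Name) and (root.id == "request" or root.id in self.tainted)
        if isinstance(node, ast.BinOp):       # "..." + user, "..." % user
            return self.is_tainted(node.left) or self.is_tainted(node.right)
        if isinstance(node, ast.JoinedStr):   # f"... {user}"
            return any(self.is_tainted(v.value) for v in node.values if isinstance(v, ast.FormattedValue))
        if isinstance(node, ast.Call):        # "...".format(user), request.args.get("id")
            return self.is_tainted(node.func) or any(self.is_tainted(a) for a in node.args)
        return False   # constants, the params tuple, anything else: clean

    def visit_Assign(self, node):
        for target in node.targets:
            if isinstance(target, ast.Name):   # propagate taint, or clear it on a clean reassignment
                (self.tainted.add if self.is_tainted(node.value) else self.tainted.discard)(target.id)
        self.generic_visit(node)

    def visit_Call(self, node):
        f = node.func   # only the query text (args[0]) is the sink; the driver binds params safely
        if isinstance(f, ast.Attribute) and f.attr == "execute" and node.args and self.is_tainted(node.args[0]):
            self.findings.append((node.lineno, "CWE-89: tainted data reaches execute()"))
        self.generic_visit(node)

def taint_scan(src):
    scanner = TaintScanner()
    scanner.visit(ast.parse(src))
    return scanner.findings

# Naive regex rule of the kind the text warns about: any SQL literal followed by a '%'.
NAIVE_REGEX = re.compile(r'"(?:SELECT|INSERT|UPDATE|DELETE)[^"]*%')
def regex_scan(src):
    return [n for n, line in enumerate(src.splitlines(), 1) if NAIVE_REGEX.search(line)]
# Constructed samples: same query literal, but only the first lets request data reach the query text.
VULNERABLE = '''query = "SELECT * FROM users WHERE id = %s" % request.args["id"]
cursor.execute(query)'''
SAFE = '''query = "SELECT * FROM users WHERE id = %s"
cursor.execute(query, (request.args["id"],))'''
```

The regex rule flags line 1 of both samples because the `%s` placeholder looks like string formatting; the taint tracker reports only the vulnerable one, because in the safe sample the tainted value sits in the params tuple, not in the query argument.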

How Deva Addresses CWE Top 25

Deva's detection engine covers all 25 CWEs with hybrid detection: regex for fast pattern matching, AST parsing for structural analysis, and taint tracking for data flow. The scanner uses the 2024 Top 25 as a priority weighting for findings. Higher-ranked CWEs score higher in the default severity model.

The compliance preset for OWASP (which aligns closely with CWE Top 25) maps findings to both OWASP categories and MITRE CWE identifiers, so remediation can be tracked against both frameworks simultaneously.

Frequently asked questions

What is the CWE Top 25?

The CWE Top 25 is MITRE's annual ranking of the most dangerous software weaknesses, based on NVD CVE data over the prior 12-24 months. The methodology weights both frequency and severity, producing a more accurate real-world risk picture than frequency alone.

What's the difference between OWASP Top 10 and CWE Top 25?

OWASP Top 10 is a higher-level category list maintained by the OWASP Foundation, updated every 3-4 years. CWE Top 25 is MITRE's underlying weakness taxonomy, updated annually based on observed CVE data. The two are complementary: OWASP categories aggregate multiple CWEs, and CWE rankings inform OWASP's category reordering.

Why do CWE-89 and CWE-78 need taint tracking?

SQL injection and OS command injection are about data flow from a source (user input) to a sink (query or shell call), not about a single pattern at one line. Regex-only scanners produce high false-positive rates on parameterized queries that look like string concatenation. AST-based taint tracking is the baseline for credible detection.

Does the CWE Top 25 change every year?

Yes, but slowly. The top 5-10 entries are stable across years (XSS, SQL injection, out-of-bounds write, command injection appear consistently). Movement happens in the middle and tail of the ranking as new CVE patterns emerge or older ones decline. The 2024 list saw CWE-918 (SSRF) enter at #16 driven by cloud metadata API attacks.

Deva Security Team

Threat research, application security analysis, and defensive engineering insights from the DevSecCode team.
