Tuesday, June 28, 2011

The Top 25 Vulnerabilities

David Letterman has his nightly top 10 list, and it seems that MITRE now has its top 25 list. I am still digesting the ton of content that came out yesterday from their partnership with Homeland Security, but the Top 25 List of Dangerous Software Errors is pretty good. A lot of our old favorites are there, like SQL Injection and Cross-Site Scripting. But I read about a new one: the use of a One-Way Hash without a Salt.
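To make that last entry concrete, here is an added example (mine, not MITRE's or the post's) showing the weakness and its fix side by side. The unsalted form hashes the password directly, so two users with the same password get the same digest and one precomputed table of digests works against every account. The hardened form uses a per-password random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 from the standard library); the `algorithm$iterations$salt$digest` storage format and the iteration count are assumptions for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# --- The weakness: a bare one-way hash with no salt ---------------------------
# Every user who picks the same password gets the same digest, and the digest
# is the same across deployments, so a single precomputed lookup table covers
# them all.  This is the pattern the Top 25 entry describes.
def unsalted_hash(password: str) -> str:
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# --- The hardened form: random per-password salt + slow key derivation --------
# Iteration count is an assumed, illustrative cost factor; tune it so a single
# verification takes a noticeable fraction of a second on your hardware.
ITERATIONS = 600_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The record format is an assumption for this example, not a standard.
    `salt` may be supplied only for deterministic testing; in production leave
    it None so every stored password gets a fresh 128-bit random salt.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, ITERATIONS
    )
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: treat as a failed login, never as a match
    if algorithm != ALGORITHM:
        return False
    recomputed = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"), salt, rounds)
    # compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(recomputed, expected)


def duplicate_digest_count(digests: list) -> int:
    """Count digests that appear more than once in a store.

    With unsalted hashes this reveals which users share a password; with
    salted hashes it should always be 0.  Useful as a quick audit of an
    existing password table.
    """
    seen = {}
    for d in digests:
        seen[d] = seen.get(d, 0) + 1
    return sum(n for n in seen.values() if n > 1)


if __name__ == "__main__":
    # Constructed sample input: two users who chose the same password.
    users = {"alice": "correct horse", "bob": "correct horse"}
    weak = [unsalted_hash(p) for p in users.values()]
    strong = [hash_password(p) for p in users.values()]
    print("unsalted duplicates:", duplicate_digest_count(weak))    # 2
    print("salted duplicates:  ", duplicate_digest_count(strong))  # 0
    print("verify ok:", verify_password(strong[0], "correct horse"))
    print("verify bad:", verify_password(strong[0], "wrong"))
```

The audit helper at the end is the cheapest way to see the problem in an existing database: if any two rows share a digest, the store is unsalted (or salted with a constant), and a migration to salted records on next login is the usual fix.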

This list is very approachable, to the super-geek and geek alike. It isn't intended for the non-programmer. You will notice that each of these weaknesses has been assigned an objective score between 0 and 100. They derived those numbers using their new Common Weakness Scoring System. Yes, now there are objective (or nearly so) measures to run your weaknesses through to identify the relative significance from Technical Impact to Access Vector.

Finally there is the Common Weakness Risk Analysis Framework. This framework describes a process by which you run your application code through an analysis tool (I'm assuming something like IBM's AppScan), which will regurgitate a bunch of weaknesses. You then take those weaknesses and push them through this risk analysis framework to help you identify which of them are the most important to your organization. That helps you to prioritize what you are working on and to address the highest value weaknesses first.

My hat is off to the MITRE team for putting this together. My head is still spinning because it is so much.
