The Top 25 list is based primarily on the CWE List and draws on the SANS Top 20 attack vectors. Its main goal is to stop vulnerabilities at the source by educating programmers on how to eliminate all-too-common mistakes before software is even shipped.
The list is a tool for education and awareness that will help programmers to prevent the kinds of vulnerabilities that plague the software industry. Software consumers may also use the list to help them to ask for more secure software, and software managers and CIOs can use the Top 25 as a measuring stick of progress in their efforts to secure their software.
Updates for the 2010 version include substantial improvements to the 2009 list. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses.
This year’s Top 25 entries are prioritized using inputs from over 20 different organizations, each of which evaluated every weakness based on prevalence and importance. The 2010 version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns.
The 2010 version also adds a small set of the most effective “Monster Mitigations,” which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented in the Common Weakness Enumeration (CWE). Finally, many high-level weaknesses from the 2009 version have been replaced with lower-level variants that are more actionable.
“The biggest help this list provides is actually putting visibility on the issues and pushing organizations to act on them which might otherwise dismiss them as trivial. Putting them out in a list will actually make them more dangerous and thus more important to be addressed,” said Emmanuel Carabott, Security Research Leader at GFI Software.
The entire list is available here.