The CWE/SANS Top 25 Most Dangerous Software
Errors Announced… Along With a New Set of Standards
In a new and revised format, SANS and MITRE have published the latest list of the highest-risk software security
weaknesses; the revision is based on the CWE, CWSS and CWRAF standards. The announcement leverages and
highlights these new standards and the collaboration behind them across the security community (corporate,
non-profit and government entities). As the announcement publicizes standards efforts that many of us will
undoubtedly hear a lot about in the coming months, I thought it made sense to use the CWE/SANS Top 25 Most
Dangerous Software Errors list to put these other standards in context.

First, let’s summarize the standards.

CVE List

Before diving into the other standards, it's best to start with the CVE List. The Common Vulnerabilities and
Exposures (CVE) List was started by the MITRE Corporation, a non-profit organization, in 1999. The CVE List is free
and publicly available (http://cve.mitre.org) and provides a standardized identifier for each publicly known
vulnerability or exposure in a specific product or version. Because the identifiers are unique and shared, automated
tools such as vulnerability scanners and patch management systems can exchange vulnerability data without
ambiguity. You can think of the CVE List as the master catalog of individual, publicly disclosed security
vulnerabilities. CVE numbers have become the interoperability standard amongst security vendors.

CWE List

Where the CVE List is a list of individual vulnerabilities, the Common Weakness Enumeration (CWE) provides a
categorical view: a taxonomy of the underlying mistakes in code, design and configuration that lead to those
vulnerabilities. Each CWE entry describes a type of weakness, so that unique vulnerabilities in various software
systems can be classified by the weakness behind them. As such there are many more unique software
vulnerabilities than categories that classify them. For example, the CVE List has almost 50,000 entries while the
CWE List has only 870.

Common Weakness Scoring System (CWSS)

The CWSS provides a consistent method by which weaknesses (CWE entries, and individual findings mapped to them)
can be scored: it combines subscores for the finding itself, its attack surface and its environment into a single
0 to 100 value. This would potentially address, at least in theory, a big problem with automated vulnerability
scanners: they tend to create reams of output without any context as to what is important in a given environment.
Given that every environment is unique, it's difficult for automated software processes to programmatically
determine the relevance of a particular instance of a weakness. The CWSS would provide a repeatable approach to
determine the relevance of risk as well as a way to quantifiably measure unaddressed weaknesses.

Common Weakness Risk Analysis Framework (CWRAF)

The CWRAF provides a method for organizations to customize the application of the CWSS to their particular business
and technology environments: it describes a "vignette" for a business domain or technology group and ranks how much
each kind of technical impact (unauthorized code execution, data exposure, denial of service and so on) matters there,
so the same weakness can score differently for different organizations. So as the CWSS provides a repeatable process
to score weaknesses, the CWRAF provides a repeatable way for organizations to apply the CWSS to their own unique
business environments.
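To make the CWSS/CWRAF relationship concrete, here is an added example (written for this page, not code from Redspin or from MITRE's CWSS/CWRAF tooling). It follows the shape of CWSS, three subscores multiplied into a 0 to 100 score, and the CWRAF idea of a vignette that weights technical impacts by business importance; the factor names, weights, the four sample weaknesses and the two vignettes are simplified assumptions for illustration, not the values from the published specifications. The point it shows is that the same weaknesses rank differently once a vignette is applied.

```python
"""Weakness scoring and environment-specific re-ranking, CWSS/CWRAF style.

Added illustration; weights and sample values are assumptions, not the
CWSS/CWRAF specification values.
"""
from dataclasses import dataclass

# Technical impacts a weakness can cause when exploited. CWRAF vignettes weight
# impacts like these by business importance; the set here is simplified.
IMPACTS = ("execute_code", "read_data", "modify_data", "bypass_protection", "deny_service")


@dataclass(frozen=True)
class Weakness:
    """One CWE entry with the factors this example scores (all 0.0..1.0)."""
    cwe: str
    impact: str                   # one of IMPACTS
    impact_severity: float        # how complete the impact is when exploited
    access_vector: float          # 1.0 = reachable from the network
    required_privilege: float     # 1.0 = attacker needs no privilege at all
    likelihood_of_exploit: float  # how easily a real attacker pulls it off


@dataclass(frozen=True)
class Vignette:
    """CWRAF-style description of one business/technology environment:
    how much each technical impact matters there (impact -> 0.0..1.0)."""
    name: str
    impact_weights: dict


# --- three subscores in the shape of CWSS (weights are illustrative assumptions) ---

def base_finding_subscore(w: Weakness) -> float:
    """0..100: intrinsic seriousness of the weakness, independent of environment."""
    return 100.0 * w.impact_severity


def attack_surface_subscore(w: Weakness) -> float:
    """0..1: how exposed the weakness is to an attacker."""
    return 0.6 * w.access_vector + 0.4 * w.required_privilege


def environmental_subscore(w: Weakness, v: Vignette) -> float:
    """0..1: the vignette's business weight for this impact, scaled by exploit likelihood."""
    return v.impact_weights[w.impact] * (0.5 + 0.5 * w.likelihood_of_exploit)


def cwss_style_score(w: Weakness, v: Vignette) -> float:
    """Final 0..100 score: the three subscores multiplied, as CWSS does."""
    return base_finding_subscore(w) * attack_surface_subscore(w) * environmental_subscore(w, v)


def rank(weaknesses, vignette):
    """Return [(cwe, score)] sorted highest first for the given vignette."""
    scored = [(w.cwe, round(cwss_style_score(w, vignette), 1)) for w in weaknesses]
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed sample: four Top 25 entries with assumed factor values.
SAMPLE = [
    Weakness("CWE-89",  "read_data",         0.9, 1.0, 1.0, 0.9),  # SQL injection
    Weakness("CWE-120", "execute_code",      1.0, 0.7, 1.0, 0.7),  # classic buffer overflow
    Weakness("CWE-352", "modify_data",       0.6, 1.0, 1.0, 0.6),  # CSRF
    Weakness("CWE-307", "bypass_protection", 0.7, 1.0, 1.0, 0.8),  # no brute-force throttling
]

# Two constructed vignettes: the same weaknesses, two different businesses.
PUBLIC_WEB_APP = Vignette("public web application", {
    "execute_code": 0.8, "read_data": 1.0, "modify_data": 0.9,
    "bypass_protection": 0.8, "deny_service": 0.4,
})
EMBEDDED_CONTROLLER = Vignette("embedded controller", {
    "execute_code": 1.0, "read_data": 0.3, "modify_data": 0.6,
    "bypass_protection": 0.7, "deny_service": 1.0,
})

if __name__ == "__main__":
    for v in (PUBLIC_WEB_APP, EMBEDDED_CONTROLLER):
        print(f"--- {v.name} ---")
        for cwe, s in rank(SAMPLE, v):
            print(f"{s:6.1f}  {cwe}")
```

Run as a script it prints the two rankings: for the web application vignette SQL injection (CWE-89) scores highest and CSRF lowest, while for the embedded controller vignette the buffer overflow (CWE-120) leads and SQL injection drops to the bottom, because that vignette values data exposure far less than code execution. That re-ordering, driven only by the vignette, is what CWRAF adds on top of a plain CWSS score.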

So what’s all this got to do with the CWE/SANS Top 25?

Well, perhaps nothing. The list itself is a prioritized list of the top 25 security weaknesses in software, ranked as
a function of prevalence, probability of exploitation, and importance. The list is a great resource for any IT or
security professional who wants to focus their efforts on the most important issues. Considering that every
organization has security risk (and often plenty of it) and IT resources are limited, keeping focused on the important
issues is essential in a structured risk management program. But what about CVE, CWE, CWSS, CWRAF...? It's not that
the CWE/SANS Top 25 list depends on these standards; it's more that this alphabet soup of standards is how the Top 25
list was created. SANS worked with MITRE and security experts worldwide to compile the list. While practitioners in
the field often work with individual CVE identifiers, the Top 25 list is built from CWE entries. The list is prioritized
based on scores calculated with the CWSS, and specific industries and organizations could customize the scoring using
the CWRAF.

Below is the current CWE/SANS Top 25 Most Dangerous Software Errors list. Notice how CWE identifiers are referenced
as opposed to CVE numbers or ad hoc categories, and the CWSS score is used for prioritization.

    1.    93.8   CWE-89 Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)
    2.    83.3   CWE-78 Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
    3.    79.0   CWE-120 Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’)
    4.    77.7   CWE-79 Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)
    5.    76.9   CWE-306 Missing Authentication for Critical Function
    6.    76.8   CWE-862 Missing Authorization
    7.    75.0   CWE-798 Use of Hard-coded Credentials
    8.    75.0   CWE-311 Missing Encryption of Sensitive Data
    9.    74.0   CWE-434 Unrestricted Upload of File with Dangerous Type
    10.   73.8   CWE-807 Reliance on Untrusted Inputs in a Security Decision
    11.   73.1   CWE-250 Execution with Unnecessary Privileges
    12.   70.1   CWE-352 Cross-Site Request Forgery (CSRF)
    13.   69.3   CWE-22 Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’)
    14.   68.5   CWE-494 Download of Code Without Integrity Check
    15.   67.8   CWE-863 Incorrect Authorization
    16.   66.0   CWE-829 Inclusion of Functionality from Untrusted Control Sphere
    17.   65.5   CWE-732 Incorrect Permission Assignment for Critical Resource
    18.   64.6   CWE-676 Use of Potentially Dangerous Function
    19.   64.1   CWE-327 Use of a Broken or Risky Cryptographic Algorithm
    20.   62.4   CWE-131 Incorrect Calculation of Buffer Size
    21.   61.5   CWE-307 Improper Restriction of Excessive Authentication Attempts
    22.   61.1   CWE-601 URL Redirection to Untrusted Site (‘Open Redirect’)
    23.   61.0   CWE-134 Uncontrolled Format String
    24.   60.3   CWE-190 Integer Overflow or Wraparound
    25.   59.9   CWE-759 Use of a One-Way Hash without a Salt
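The list names weaknesses, not code. As an added example (not from the Redspin paper or from MITRE), here are the top and bottom entries of the list in code, each as the weak form next to its hardened form: #1 CWE-89 (SQL injection) against a constructed in-memory SQLite table, and #25 CWE-759 (one-way hash without a salt) using a per-user random salt with PBKDF2. The table contents, the attacker string and the passwords are constructed for the demonstration.

```python
"""CWE-89 and CWE-759 from the Top 25: vulnerable and hardened forms side by side.

Added illustration; the users table, the injection string and the passwords
are constructed sample data.
"""
import hashlib
import hmac
import os
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, is_admin INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", 1), ("bob", 0)])
    return conn


# --- #1 CWE-89: SQL injection ----------------------------------------------

def find_user_vulnerable(conn, name: str) -> list:
    # Untrusted input is pasted into the statement text: a quote in the input
    # closes the string literal and whatever follows becomes SQL.
    sql = "SELECT name FROM users WHERE name = '%s' ORDER BY name" % name
    return [row[0] for row in conn.execute(sql)]


def find_user_hardened(conn, name: str) -> list:
    # Parameterised query: the value travels separately from the statement,
    # so input can never change the statement's structure.
    rows = conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))
    return [row[0] for row in rows]


INJECTION = "' OR '1'='1"   # constructed attacker input


# --- #25 CWE-759: one-way hash without a salt --------------------------------

def hash_password_unsalted(password: str) -> str:
    # Same password -> same digest for every user and every site, so one
    # precomputed table or one cracked hash unlocks every account sharing it.
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password_salted(password: str, salt: bytes = None) -> str:
    # Random per-user salt stored alongside the digest; PBKDF2's iteration
    # count also makes each guess expensive for an attacker.
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password_salted(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    salt_hex, digest_hex = stored.split("$", 1)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable lookup:", find_user_vulnerable(db, INJECTION))   # every user
    print("hardened lookup:  ", find_user_hardened(db, INJECTION))     # nobody
    print("unsalted digests equal:",
          hash_password_unsalted("hunter2") == hash_password_unsalted("hunter2"))
    print("salted digests equal:  ",
          hash_password_salted("hunter2") == hash_password_salted("hunter2"))
```

The vulnerable lookup returns both users for the injection string because the statement becomes `WHERE name = '' OR '1'='1'`, while the parameterised version returns nobody because no user is literally named `' OR '1'='1`. For the hash, two unsalted digests of the same password are identical, two salted ones differ, and only the verify function that knows the stored salt can confirm a password.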

Overall, we applaud this effort; both the list and the accompanying standards. Any effort that prioritizes risk and provides
a systematic and repeatable process to do so is a big boost for enterprise security. In the short term, the value of these
methodologies will surely be a function of the capabilities and dedication of those that use them (the garbage in –
garbage out rule will still apply), but any methodology that adds some structure to security risk analysis is a worthy effort.

WEB: WWW.REDSPIN.COM   PHONE: 800-721-9177   EMAIL: INFO@REDSPIN.COM
