CWE/SANS Top 25 List - new for 2010

CWE/SANS Top 25 List - new for 2010

Steven M. Christey-2
All,

MITRE and SANS are going to release a new version of the Top 25 Most
Dangerous Programming Errors (http://cwe.mitre.org/top25/).  The 2010
version will be released in about a month, but we are still welcoming any
inputs.  I would be especially grateful for anyone who has quantitative
data with respect to weaknesses or attacks, but that is not required.

If you are interested in contributing to this effort, please email me and
Bob Martin ([hidden email]), and we will send you more information.

Thank you,
Steve Christey
CWE Technical Lead

Re: CWE/SANS Top 25 List - new for 2010

Tadashi Yamagishi
Dear Steve,

FYI,

Our Vulnerability Countermeasure Information Database JVN iPedia
uses CWE to identify the types of vulnerability.

In the year 2009, 5 types of vulnerabilities, CWE-119 (Buffer Errors),
CWE-399 (Resource Management Errors), CWE-264 (Permissions, Privileges
and Access Controls), CWE-79 (Cross-Site Scripting), CWE-20 (Improper
Input Validation), accounted for 60 percent of the total reported cases.

For more information, refer to the following URL, Section (5):
http://www.ipa.go.jp/security/english/vuln/JVNiPedia2009q4_en.html

Regards,

Tadashi Yamagishi
IT Security Center (ISEC)
Information-technology Promotion Agency, Japan (IPA)
E-mail: [hidden email]


Steven M. Christey wrote:

> All,
>
> MITRE and SANS are going to release a new version of the Top 25 Most
> Dangerous Programming Errors (http://cwe.mitre.org/top25/).  The 2010
> version will be released in about a month, but we are still welcoming
> any inputs.  I would be especially grateful for anyone who has
> quantitative data with respect to weaknesses or attacks, but that is not
> required.
>
> If you are interested in contributing to this effort, please email me
> and Bob Martin ([hidden email]), and we will send you more information.
>
> Thank you,
> Steve Christey
> CWE Technical Lead
>

RE: CWE/SANS Top 25 List - new for 2010

Bufford, Jill

Yes, this CWE list is a very good resource! I've used it often.
-Jill


-----Original Message-----
From: [hidden email] on behalf of Tadashi Yamagishi
Sent: Tue 2/2/2010 10:23 PM
To: [hidden email]
Subject: Re: CWE/SANS Top 25 List - new for 2010

Dear Steve,

FYI,

Our Vulnerability Countermeasure Information Database JVN iPedia
uses CWE to identify the types of vulnerability.

In the year 2009, 5 types of vulnerabilities, CWE-119 (Buffer Errors),
CWE-399 (Resource Management Errors), CWE-264 (Permissions, Privileges
and Access Controls), CWE-79 (Cross-Site Scripting), CWE-20 (Improper
Input Validation), accounted for 60 percent of the total reported cases.

For more information, refer to the following URL, Section (5):
http://www.ipa.go.jp/security/english/vuln/JVNiPedia2009q4_en.html

Regards,

Tadashi Yamagishi
IT Security Center (ISEC)
Information-technology Promotion Agency, Japan (IPA)
E-mail: [hidden email]


Steven M. Christey wrote:
> All,
>
> MITRE and SANS are going to release a new version of the Top 25 Most
> Dangerous Programming Errors (http://cwe.mitre.org/top25/).  The 2010
> version will be released in about a month, but we are still welcoming
> any inputs.  I would be especially grateful for anyone who has
> quantitative data with respect to weaknesses or attacks, but that is not
> required.
>
> If you are interested in contributing to this effort, please email me
> and Bob Martin ([hidden email]), and we will send you more information.
>
> Thank you,
> Steve Christey
> CWE Technical Lead
>