The SANS Institute and MITRE (who maintain the CWE, the Common Weakness Enumeration) have released the 2011 list of the most dangerous software problem areas (see http://cwe.mitre.org/top25/index.html#Listing). Top of the list is SQL Injection, closely followed by OS Command Injection, Buffer Overflows and Cross-Site Scripting. The list is intended for managers, software developers, software testers, educators and - not least - computer users. Too few users fully realise just how vulnerable to hacking their computer applications are, and too many can't be bothered to apply the program updates that software vendors release from time to time (some much more often than others). This list is intended for them too, and should open their eyes to the failings inherent in even the most impressively-performing software package.
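To make the top entry concrete, here is an added example (my own illustration, not code from the SANS or MITRE pages) of the weakness behind the number one item, SQL Injection (CWE-89). It uses Python's built-in sqlite3 module with a small constructed users table; the lookup functions and the sample data are assumptions for the demonstration. The first function builds the query by string concatenation, so the database cannot distinguish the query from the data; the second binds the value as a parameter, which is the standard fix.

```python
import sqlite3

# Constructed sample data for the demonstration (not from any real system).
SAMPLE_USERS = [
    ("alice", "alice@example.invalid"),
    ("bob", "bob@example.invalid"),
    ("carol", "carol@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name, email) VALUES (?, ?)", SAMPLE_USERS)
    conn.commit()
    return conn


def lookup_email_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """CWE-89 pattern: untrusted input is concatenated into the SQL text.

    The database parses the whole string as SQL, so any quote characters in
    `name` change the structure of the query rather than being treated as data.
    """
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(query)]


def lookup_email_safe(conn: sqlite3.Connection, name: str) -> list:
    """Hardened form: a parameterised query.

    The SQL text is fixed and the value is bound separately, so quotes inside
    `name` are just characters in a string and cannot alter the query.
    """
    query = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(query, (name,))]


def demo() -> dict:
    """Run both lookups on an ordinary input and on the textbook CWE-89 test string."""
    conn = make_db()
    ordinary = "alice"
    # The classic test input: it closes the quoted literal and appends a
    # condition that is always true. It is the standard way to check whether
    # a lookup is vulnerable; a safe lookup simply finds no such user.
    hostile = "' OR '1'='1"
    return {
        "ordinary_vulnerable": lookup_email_vulnerable(conn, ordinary),
        "ordinary_safe": lookup_email_safe(conn, ordinary),
        "hostile_vulnerable": sorted(lookup_email_vulnerable(conn, hostile)),
        "hostile_safe": lookup_email_safe(conn, hostile),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:22s} -> {result}")
```

Running it shows the ordinary name returning the same single row from both functions, while the test string makes the concatenated version return every e-mail address in the table and the parameterised version return nothing. The same principle (keep the code fixed, pass the data separately) is the defence for the OS Command Injection entry immediately below it on the list: pass arguments as a list to the process API rather than building a shell command string.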


As well as the critical errors in the Top 25 list, there are 16 additional problem areas which almost, but not quite, made it into the list. These are listed under "On The Cusp" at http://cwe.mitre.org/top25/cusp.html.


(If you haven't already got the SANS Internet Storm Center page bookmarked in your browser, this is a must-have site for anyone who takes an interest in Information Security. Go and take a look at http://isc.sans.edu/.)

[Image: CWE/SANS Top 25 Most Dangerous Software Errors, part 1 of 3]

[Image: CWE/SANS Top 25 Most Dangerous Software Errors, part 2 of 3]

[Image: CWE/SANS Top 25 Most Dangerous Software Errors, part 3 of 3]