CWE-SANS-Top-25

From aldeid

Description

What is CWE/SANS Top 25?

CWE/SANS Top 25 is a list of the 25 most dangerous programming errors, grouped into 3 categories:

  • Insecure Interaction Between Components (8 errors)
  • Risky Resource Management (10 errors)
  • Porous Defenses (7 errors)

Classification

Global risk of each vulnerability is based on qualitative indicators:

  • Weakness Prevalence: the term prevalence is borrowed from epidemiology. In a nutshell, it represents the total number of cases of the weakness relative to the total number of attacks at a given time.
  • Remediation Cost: the amount of effort required to fix the weakness.
  • Attack Frequency: how often the weakness occurs in vulnerabilities that are exploited by an attacker.
  • Consequences: potential impacts of a successful attack (e.g. data loss, session theft, denial of access, etc.).
  • Ease of Detection: how easy it is for an attacker to find this weakness.
  • Attacker Awareness: the likelihood that an attacker is going to be aware of this particular weakness, methods for detection, and methods for exploitation.

Classification

Insecure Interaction Between Components

Risky Resource Management

Porous Defenses
