From aldeid


What is CWE/SANS Top 25?

The CWE/SANS Top 25 is a list of the 25 most dangerous programming errors, grouped into 3 categories:

  • Insecure Interaction Between Components (8 errors)
  • Risky Resource Management (10 errors)
  • Porous Defenses (7 errors)


The overall risk of each weakness is rated on the following qualitative indicators:

  • Weakness Prevalence: the term prevalence is borrowed from epidemiology. In a nutshell, it represents the number of cases of the weakness relative to the total number of attacks at a given time.
  • Remediation Cost: the amount of effort required to fix the weakness.
  • Attack Frequency: how often the weakness occurs in vulnerabilities that are actually exploited by attackers.
  • Consequences: the potential impact of a successful attack (e.g. data loss, session theft, denial of access).
  • Ease of Detection: how easy it is for an attacker to find the weakness.
  • Attacker Awareness: the likelihood that an attacker is aware of this particular weakness, of methods for detecting it, and of methods for exploiting it.


Insecure Interaction Between Components

Risky Resource Management

Porous Defenses