29 Jun 2011

Top 25 software weaknesses identified

On June 27, the nonprofit MITRE Corporation and the SANS Institute, in conjunction with the Department of Homeland Security, released the 2011 CWE/SANS Top 25 Most Dangerous Software Errors list.

The list was compiled from data contributed by more than 20 organizations and ranks the software errors that were most widespread over the past year and most likely to be exploited. These weaknesses are typically easy for attackers to find and exploit, which is why criminals looking to breach an organization's systems go after them first.

Up from number two last year, the number one weakness on the list is Improper Neutralization of Special Elements Used in an SQL Command ("SQL Injection", CWE-89). Also in the top ten: Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting", CWE-79) at No. 4, Missing Authorization (CWE-862) at No. 6 and Missing Encryption of Sensitive Data (CWE-311) at No. 8.

MITRE's CWE program says software customers can use the list to demand safer software from their vendors, while software managers and chief information officers can use it to evaluate the security of their own systems. The report accompanying the Top 25 includes a Mitigation Matrix that maps each weakness to the defensive practices security professionals can apply against it.

The top-ranked weakness has had recent real-world consequences: in April 2011, computer security firm Barracuda Networks was compromised through an SQL injection attack on its marketing web site, exposing confidential information including employee login credentials.
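To make concrete what the top-ranked weakness looks like and how the report's mitigations address it, here is an added example (not code from the CWE/SANS report or from any of the organizations mentioned above). It builds a constructed in-memory SQLite user table, shows a login check that concatenates user input into an SQL statement, the classic `' OR '1'='1` bypass against it, and the parameterized form of the same query, which treats the payload as a literal string. The table, credentials and payloads are all invented for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration; not taken from any real system.
# Passwords are stored in clear text only to keep the example short. A real
# application stores a salted password hash (that is the separate CWE-311 /
# CWE-256 concern, not the CWE-89 point shown here).
def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.execute("INSERT INTO users VALUES ('bob', 'battery staple')")
    return conn


def login_vulnerable(conn, username, password):
    # CWE-89: untrusted input is spliced into the SQL text, so a quote
    # character in the input ends the string literal and the rest of the
    # input is parsed as SQL, changing the structure of the WHERE clause.
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    # Mitigation: the statement text is fixed and the values are passed as
    # bound parameters. The database never parses them as SQL, so quote
    # characters and comment markers in the input have no special meaning.
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


# Two constructed injection payloads. The first makes the WHERE clause
# "... AND password = '' OR '1'='1'", which is true for every row because
# AND binds tighter than OR. The second terminates the username literal and
# comments out the password check entirely (SQLite honours "--" comments).
PASSWORD_PAYLOAD = "' OR '1'='1"
USERNAME_PAYLOAD = "alice' --"


def run_demo():
    conn = build_db()
    return {
        "legit_vuln": login_vulnerable(conn, "alice", "correct horse"),
        "legit_param": login_parameterized(conn, "alice", "correct horse"),
        "wrong_pw_param": login_parameterized(conn, "alice", "nope"),
        # The vulnerable check is bypassed even for a user that does not exist.
        "bypass_vuln_pw": login_vulnerable(conn, "nobody", PASSWORD_PAYLOAD),
        "bypass_vuln_user": login_vulnerable(conn, USERNAME_PAYLOAD, "wrong"),
        # The same payloads are just unusual strings to the parameterized query.
        "bypass_param_pw": login_parameterized(conn, "nobody", PASSWORD_PAYLOAD),
        "bypass_param_user": login_parameterized(conn, USERNAME_PAYLOAD, "wrong"),
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {'login OK' if result else 'rejected'}")
```

The point worth taking from the matrix in the report is that escaping user input is the weaker fix: it has to be correct for every database dialect and every character class, whereas binding parameters removes the parser from the attack surface altogether. Input validation still belongs in front of the query for data-quality reasons, but it is not what stops the injection.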