The Common Weakness Enumeration, which published its first official
version in September 2008
moving through 9 drafts over a couple years, covers over 700 weakness
and categories of things that can lead to software that is susceptible
to an attack and exploit. This collection can pose a daunting
collection of the problems to be addressed to gain assurance in the
secureness of your software.
In early October the SANS Institute, an active
member of the CWE Community
and the joint DHS, DoD, and NIST Software Assurance Forums and Working
Groups, proposed the idea of
creating a focused list of the Top 25 CWEs, which would be a community
effort to develop a prioritize list of the most exploitable constructs
that make software vulnerable to attack or failure. This plays off the
"Top XXX" brand that SANS has built since
2001 starting with their Top 10 – the first prioritized list of security
problems that organizations should address.
Subsequently the creation of the list was announced on October 14th at
the Sofware Assurance Forum being held at NIST's Headquarters in
Gaithersberg Maryland and a week later MITRE's CWE team contacted 29
individuals from 24 organizations about participating in the creation
and vetting of the list of the most dangerous CWEs. The 20 November
invitation included a short write-up of four potential candidates for
the list and stated the goal of the effort to conclude in time for a
January 2009 release of the list. During this time-frame MITRE worked to
develop a list of candidate CWEs to jump-start the discussions.
On November 25th, this first draft of the list, with 25 proposed items
and 17 others that should be discussed was sent to the initial group for
discussion and vetting. A dead-line of December 1st was given for
sending in comments and suggestions with the idea that we would be
circulating multiple drafts and each round of comments needed to be
cleanly concluded so we, as a group, could move on to the next round of
On this same day, SANS and the MITRE CWE Team announced the "2009
CWE/SANS Top 25 Programming Errors" effort with appropriate web pages
and e-mail distributions to their respective communities of e-mail
On December 8th the second draft of the list was sent to the group,
which had grown to 33 individuals from 27 organizations from people
volunteering to contribute based on the SANS and CWE announcements. The
2nd draft was accompanied by a change log
that reflected a
summarized discussion of the comments and suggestions we received on the
1st draft from about half of the group and what we did with those
suggestions. A dead-line of December 17th was given for the 2nd draft.
On December 23rd the third draft was sent to the group, now standing at
41 individuals from 35 organizations. Once again we included a change
log of the received
input and comments, which again came from over half of the members of
the group, but, interestingly mostly from members who hadn't commented
on the 1st draft. We emphasized the importance of reviewing this draft
of the Top 25 Errors list since it was basically the candidate final
list given the time remaining before the list was schedule for release.
A dead-line of December 30th was given for this round of commenting but
we encouraged people to send in their inputs as soon as they could so we
could improve our chances of making the roll-out schedule. We
established January 5th as the absolute last day for comments in order
to allow sufficient time to work through all of the comments and get the
list ready for publication on the 12th of January as the "2009 CWE/SANS
Top 25 Most Dangerous Programming Errors".
A "pre-view" of the final CWE/SANS Top 25 document, with the change log
of what comments were
received on the 3rd draft and how the suggestions and comments were
handled was sent to the group on the 8th of January.
More information is available — Please select a different filter.