CWE/SANS Top 25 Supporting Quotes

The CWE/SANS Top 25 list provides critical inputs every software organization needs to incorporate into their quality and security processes. CISQ will be working to incorporate defined patterns for recognizing these weaknesses into its standardization for security measurement.
— Dr. Bill Curtis, Director of Consortium for IT Software Quality (CISQ)

Just wanted to commend the depth of the CWE/SANS Top 25. The code examples are particularly excellent. I have asked all my developers to read one of these each day for the next 25 days. I'm taking my own advice as well, and even though I'm still reading some of the "easy" ones (like SQL injection), I still find that I am learning new things about old topics.
— Mark E. Haase, OpenFISMA Project Manager, Endeavor Systems, Inc.

The CWE/SANS Top 25 is an effective tool to help organizations manage risks from today's most critical vulnerabilities. The Microsoft Security Development Lifecycle (SDL) improves security discipline and introduces processes that help prevent most of the CWE/SANS Top 25, and is an important tool to any organization looking to minimize risk of vulnerabilities.
— Michael Howard, Principal Security Program Manager, Security Development Lifecycle Team, Microsoft Corporation

The 2010 CWE Top 25 has become practically a crash course or "crash resource" in secure programming.
— Pascal Meunier, CERIAS, Purdue University

In the collaborated environment and ever-increasing business requirements to integrate solutions, insecure applications are an easy target. The business today understands how much damage can be caused to business, revenue and customer confidence due to these issues. To ensure that our deliveries meet / surpass customer expectations on security, the CWE/SANS Top 25 Most Dangerous Programming Errors is extensively leveraged in our software security assurance process.
— Ketan Vyas, Head, Application Security Initiative, Tata Consultancy Services

Once again the Top 25 has turned out to be one of the most useful compilations of common coding mistakes leading to vulnerabilities in software. The updated list, which has been created based on feedback from many experts in the software security industry, focuses on selection criteria like importance and prevalence, thus covering a broad range of the most critical errors commonly introduced in applications today. The Top 25 is compiled in an easy-to-read and entertaining language and does not only provide a good understanding of common coding mistakes, but also how to avoid them. I can therefore highly recommend this read to anyone involved in software design to ensure that they won't make the same mistakes in 2010 as they've made previously.
— Carsten Eiram, Chief Security Specialist, Secunia

It's great to see the CWE/SANS Top 25 list continue to be maintained and mature. Relentlessly spreading the word about the most common security defects in programming is a vital need. The state of security in our software would without a doubt be much improved if everyone who touches software development reads and thoroughly understands this. Kudos.
— Kenneth R. van Wyk, KRvW Associates, LLC

The CWE/SANS Top 25 helps both users and vendors focus security resources where it counts. By building security in, we can change the game of cyber attacks rather than just raise the bar.
— Benson Wu, Product Line Director, Armorize Technologies

Every organization must start somewhere to address the security of their software, and the CWE/SANS Top 25 is a great place to do exactly that. The CWE/SANS Top 25 provides exceptional technical insights into exactly what the most important issues are that must be understood, prevented, and remediated.
— Jeremiah Grossman, Chief Technology Officer, WhiteHat Security, Inc.

We included the Top 25 reference in a request for bid last year. The project began in December and we expect the project to be complete in October 2010. We are hopeful to have a much more secure and better application due to the reference and utilization of the SANS/MITRE Top 25.
— Richard Lemons, WV Department of Health and Human Resources

The MITRE Top 25 Coding Errors List is a very helpful tool as it helps point to critical development issues within the context of a broad software assurance program. In particular, the focused profiles of each item within the 2010 list make it easier to reference what coding errors are the most relevant for those who will use this valuable resource, including developers and others here at EMC.
— Reeny Sondhi, Senior Manager, EMC Product Security Office, RSA, the Security Division of EMC

The 2010 CWE/SANS Top 25 effort showcases the most common weaknesses that developers, educators and students should be aware of, as well as 16 weaknesses "On the Cusp" of the Top 25, highlighting new weaknesses that are becoming popular and old ones that are on the decline. The Top 25 serves as a starting point to determine which weaknesses to focus on immediately, based on information collected from various organizations. An improvement from last year includes the introduction of Profiles to help people in different domains focus their attention on those weaknesses that are most relevant to them. The concept of Profiles also helps organize the weaknesses that may be detected via automated tools or manual processes, as well as helping people learn how to avoid them in future software development. The new Monster Mitigation Matrix brings awareness into what organizations can do to more effectively deal with mapping specific weaknesses to mitigation categories.
— Cristina Cifuentes, Principal Investigator of the Parfait Project, Sun Microsystems Laboratories

The CWE/SANS Top 25 is a highly valuable educational resource for those wishing to produce high-quality secure applications. Every developer who is serious about software security should understand these weaknesses. This update improves on the original by providing additional information that helps developers focus on the weaknesses most relevant to their domain, and by giving advice on how to begin correcting them.
— Paul Anderson, Vice President of Engineering, Grammatech Inc.

The first step to building rugged software is understanding weakness. The fundamental research MITRE has spearheaded in the CWE and publicized with the Top 25 will help developers understand the kinds of programming practices that make software weak. Only then will they stop writing innocent code and seek out better patterns and strong security controls.
— Jeff Williams, CEO of Aspect Security and Chairman of the Open Web Application Security Project (OWASP)

The updated version of the CWE/SANS Top 25 continues to be a useful source of information for code developers and consumers. Its ranking of code weaknesses by severity and importance helps focus the discussion between developers and their customers on those issues that matter the most. Reducing the most common software problems is of interest to both the purchaser and the producer, and the new mitigation strategies are a great tool to guide expectations and foster the best techniques to reduce code weaknesses and to produce more robust software. Putting this document into everyday practice will improve the overall security of the software we all utilize in our day-to-day efforts.
— Dan Wolf, Director, Software Assurance Consortium

The CWE/SANS Top 25 list provides a great starting point for developers who want to write more secure code. The majority of the flaw types of the most severe vulnerabilities that Red Hat fixed in 2009 are discussed in this document.
— Mark J. Cox, Director, Security Response, Red Hat

The 2010 CWE/SANS Top 25 Programming Errors provides valuable guidance to organizations engaged in the development or deployment of software. This list helps organizations focus on the most dangerous threats so that they can get the most out of their vulnerability reduction effort. The list can also be used as a framework to define short-term and longer-term programs for the elimination or mitigation of security vulnerabilities. Furthermore, it provides an easy-to-comprehend description of the classes of vulnerabilities and high-level recommendations for mitigating or avoiding them altogether. This list is definitely a must-read for anyone who wishes to develop reasonably secure code.
— Bruce Lowenthal, Director Security Alert, Oracle Corp.

Your document (2009 CWE/SANS Top 25 Most Dangerous Programming Errors) is very useful. I would like to publish it on our intranet, for illustrating threats and vulnerabilities about coding.
— Colonel Jean-Michel HOUBRE, from the French MOD

I've read the "2009 CWE/SANS Top 25 Most Dangerous Programming Errors" article and found it very useful. I would like to translate it into Russian for our software testing community. Of course, a link to the original article will be stored.
— Alexander Kozyrev

The Top 25 provides much-needed guidance for software developers focusing on eliminating software security defects in their products. If you're involved with software development at your organization and are looking to improve your product security posture, you need to read this.
— Robert Auger, Co-Founder of The Web Application Security Consortium

As the threat in cyberspace continues to grow at an alarming rate, ensuring that security is baked in to software is more important than ever. By identifying, prioritizing and continually refining the 25 most dangerous programming errors, this list serves as an important resource for training students to write more secure software, for hiring programmers who can write more secure code, and for procuring software that is free of programming errors that underlie security vulnerabilities.
— Dr. Frederick R. Chang, Associate Dean for Information Technology, College of Natural Sciences, Director, Center for Information Assurance and Security, The University of Texas at Austin

The 2010 CWE/SANS Top 25 list provides a highly valuable and useful reference that can be used to prioritize items during the Common Criteria evaluation process. For relevant products each element can be reviewed when assessing the mitigations that vendors have incorporated into their designs/development process. The Common Criteria Development Board is examining, through the working groups developing the next version of the Common Criteria, the practical steps involved in such use and appreciates the work that has been performed in producing the overall CWE list, the underlying taxonomies, and related efforts.
— David Martin, Chair, Common Criteria Development Board

The Top 25 list has become an essential benchmark for IT security. It not only drives awareness of the risk that security-deficient software can pose to organizations, but offers developers guidance for remediating critical vulnerabilities in code. Some of the biggest breaches we've seen in the last year are a result of vulnerabilities on this list. That is why it is imperative that development and security teams work together to implement an effective Software Security Assurance program that can address these risks.
— Brian Chess, Founder & Chief Scientist, Fortify Software

The 2010 Top 25 is a significant improvement from last year, which parallels the maturation of the software security discipline as a whole. The focus profiles allow the list to be more useful from different perspectives and the "monster mitigations" give great prescriptive advice for eliminating many of the Top 25 from software. Veracode will be incorporating the 2010 Top 25 into our reporting so our customers can measure their progress in eliminating these programming errors from their software inventory.
— Chris Wysopal, Co-Founder and CTO of Veracode, Inc.