On the Cusp: Other Weaknesses to ConsiderThe 2011 CWE/SANS Top 25 is really just a starting point for developers. Many weaknesses were considered for inclusion on the Top 25, but some did not make it to the final list. Some were not considered to be severe enough; others were not considered to be prevalent enough; others were not exploited often. Sometimes, the Top 25 reviewers themselves had mixed opinions on whether a weakness should be added to the list or not. With respect to severity, some Top 25 users may have a significantly different threat model. For example, software uptime may be critical to consumers who operate in critical infrastructure or e-commerce environments. However, in the threat model being used by the Top 25, availability is regarded as slightly less important than integrity and confidentiality. With respect to prevalence, some Top 25 items may not be applicable to the class of software being developed. For example, cross-site scripting is specific to the Web, although analogs exist in other technologies. In other cases, developers may have already eliminated much of the Top 25 in past efforts, so they want to look for other weaknesses that may still be present in their software. Some on-the-cusp items were omitted because they are already indirectly covered on the Top 25, usually by a more general entry. However, these would be important to consider as individual items. For these reasons, users of the Top 25 should seriously consider including these weaknesses in their analyses.
|