The US Department of Homeland Security (DHS) on Monday announced detailed guidance for software companies and others writing code on how to avoid the most widespread and serious vulnerabilities in software. Working with non-profits and the private sector, the Department has compiled a list of the most troublesome threats along with procedures organizations can follow to reduce them.
The DHS' National Cyber Security Division has issued a list of software vulnerabilities called the Common Weakness Enumeration, developed a scoring system and risk analysis framework for evaluating the seriousness of the flaws and prioritizing the weaknesses, and released a top-25 list of the most dangerous software errors.
The list includes a high-level overview and examples of each vulnerability, its common consequences, the likely methods of detection and attack, and potential mitigations for each type of weakness at the various stages of the software development process.
For this groundbreaking work, the DHS teamed up with technology research non-profits as well as a number of private sector organizations.
It is expected that the Common Weakness Enumeration, the top-25 list, and the scoring system will allow users to compare weaknesses, educate themselves, and prioritize security-related work.
Analysts point out that this is not the first release of the top-25 list or of the Common Weakness Enumeration, but it is the first to provide a detailed, data-intensive look at the vulnerabilities, making it significantly more useful than previous versions.