Consider using the Top 25 as part of contract language during the software acquisition process. The SANS Application Security Procurement Language site offers customer-centric language that is derived from the OWASP Secure Software Contract Annex, which offers a "framework for discussing expectations and negotiating responsibilities" between the customer and the vendor.

CWE-78, OS command injection, is where the application interacts with the operating system. The classic buffer overflow (CWE-120) comes in third, still pernicious after all these decades.

As a customer, you have the power to influence vendors to provide more secure products by letting them know that security is important to you. Use the Top 25 to help set minimum expectations for due care by software vendors.

NOTE: 16 other weaknesses were considered for inclusion in the Top 25, but their general scores were not high enough.

CWE-89 - SQL injection - delivers the knockout punch of security weaknesses in 2011.
Read the brief listing and consider how you would integrate knowledge of these weaknesses into your tests.
Software customers can use the same list to help them to ask for more secure software.
Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses.
Review the CAPEC IDs for ideas on the types of attacks that can be launched against the weakness.
Recognize that market pressures often drive vendors to provide software that is rich in features, and security may not be a serious consideration.