Security groups outline top 25 programming errors for 2010

SANS and Mitre have made several improvements over the 2009 programming errors list. Focus profiles have been created to explain how software weaknesses relate to real-world scenarios. The new list also ranks items using a survey of 28 organizations that prioritized bugs based on their prevalence and importance.

After SQL injection, classic buffer overflow was public enemy number two in terms of application security. Cross-site scripting came a close third, followed by operating system command injection. The fifth-ranked programming security error was the unrestricted upload of a file with a dangerous type. Cross-site request forgery, while increasingly common in web application attacks, failed to make the top five, resting instead in sixth place.

The bugs were ranked according to importance and prevalence. Each of these parameters was used to assign a sub-score to a bug. The importance sub-score was squared and then added to the prevalence sub-score to produce the final result, thus giving importance much more weight.

The study also produced a separate ranking focusing purely on the technical impact of each weakness. "Note that skilled attackers can combine multiple weaknesses into a single, larger attack that is more severe than any of its parts," the report said.

Several weaknesses that were identified last year, including input validation, have been moved to a separate section called Monster Mitigations. "A number of general purpose CWE entries were removed from the top 25 because they overlap other items," said Mitre. "This also made room for other, more specific weaknesses to be listed."