If you cannot measure it, you cannot manage it- Peter Drucker
Here is a RSS feed/website for all security incidents
http://www.us-cert.gov/current/ and http://www.us-cert.gov/cas/techalerts/
You can also see http://www.onguardonline.gov/tools/overview.aspx for tools to be secure online.
But the new measuring system is http://cwe.mitre.org/cwss/ to help being secure. It basically creates a score or an anlytical approach for measuring vulnerabilities.
Common Weakness Scoring System (CWSS)
The Common Weakness Scoring System (CWSS) provides a mechanism for scoring weaknesses in a consistent, flexible, open manner while accommodating context for the various business domains. It is a collaborative, community-based effort that is addressing the needs of itsstakeholders across government, academia, and industry. CWSS is a part of the Common Weakness Enumeration (CWE) project, co-sponsored by the Software Assurance program in the National Cyber Security Division (NCSD) of the US Department of Homeland Security (DHS).
CWSS:
- provides a common framework for prioritizing security errors (“weaknesses”) that are discovered in software applications
- provides a quantitative measurement of the unfixed weaknesses that are present within a software application
- can be used by developers to prioritize unfixed weaknesses within their own software
- in conjunction with the Common Weakness Risk Analysis Framework (CWRAF), can be used by consumers to identify the most important weaknesses for their business domains, in order to inform their acquisition and protection activities as one part of the larger process of achieving software assurance.
and the top 25 errors in software are
http://cwe.mitre.org/top25/index.html
| Rank |
Score |
ID |
Name |
| [1] |
93.8 |
CWE-89 |
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) |
| [2] |
83.3 |
CWE-78 |
Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) |
| [3] |
79.0 |
CWE-120 |
Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) |
| [4] |
77.7 |
CWE-79 |
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) |
| [5] |
76.9 |
CWE-306 |
Missing Authentication for Critical Function |
| [6] |
76.8 |
CWE-862 |
Missing Authorization |
| [7] |
75.0 |
CWE-798 |
Use of Hard-coded Credentials |
| [8] |
75.0 |
CWE-311 |
Missing Encryption of Sensitive Data |
| [9] |
74.0 |
CWE-434 |
Unrestricted Upload of File with Dangerous Type |
| [10] |
73.8 |
CWE-807 |
Reliance on Untrusted Inputs in a Security Decision |
| [11] |
73.1 |
CWE-250 |
Execution with Unnecessary Privileges |
| [12] |
70.1 |
CWE-352 |
Cross-Site Request Forgery (CSRF) |
| [13] |
69.3 |
CWE-22 |
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) |
| [14] |
68.5 |
CWE-494 |
Download of Code Without Integrity Check |
| [15] |
67.8 |
CWE-863 |
Incorrect Authorization |
| [16] |
66.0 |
CWE-829 |
Inclusion of Functionality from Untrusted Control Sphere |
| [17] |
65.5 |
CWE-732 |
Incorrect Permission Assignment for Critical Resource |
| [18] |
64.6 |
CWE-676 |
Use of Potentially Dangerous Function |
| [19] |
64.1 |
CWE-327 |
Use of a Broken or Risky Cryptographic Algorithm |
| [20] |
62.4 |
CWE-131 |
Incorrect Calculation of Buffer Size |
| [21] |
61.5 |
CWE-307 |
Improper Restriction of Excessive Authentication Attempts |
| [22] |
61.1 |
CWE-601 |
URL Redirection to Untrusted Site (‘Open Redirect’) |
| [23] |
61.0 |
CWE-134 |
Uncontrolled Format String |
| [24] |
60.3 |
CWE-190 |
Integer Overflow or Wraparound |
| [25] |
59.9 |
CWE-759 |
Use of a One-Way Hash without a Salt |
You can use the list at http://cwe.mitre.org/top25/index.html and check your own corporate vulnerabilities. It is better to sweat in cyber peace than bleed in cyber war, huh. |
Like this:
Like Loading...
Related
DECISION STATS 