The U.S. Department of Homeland Security, in conjunction with the SANS Institute and MITRE, has been hard at work again. See the article. There are two new programs, the Common Weakness Risk Analysis Framework (CWRAF) and the Common Weakness Scoring System (CWSS). Using the two together will help users identify the weaknesses that matter most for their business. It will be interesting to see adoption in the upcoming weeks.
In addition to CWRAF and CWSS, the 2011 CWE/SANS Top 25 list has been updated. There have been a number of position changes, and a few entries have been knocked out and replaced by CWE-250, CWE-676, CWE-134, and CWE-759. Not too many surprises, but I never really noticed that CWE-134 wasn't in the list before. That certainly makes sense. However, it does shock me that CWE-129 (Improper Validation of Array Index) didn't make the list this year. It is certainly a problem that I've seen a ton, although it was close (#27). To see Klocwork's coverage of the 2011 CWE/SANS Top 25, go here.
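For readers unfamiliar with CWE-129, here is an added example (not from the original post or from Klocwork) showing what the weakness looks like in C and how the validated form differs. The handler table and the `lookup_*` function names are constructed for illustration; the untrusted index is assumed to come from parsed input such as a network message field.

```c
#include <stddef.h>
#include <stdbool.h>

/* Constructed sample: a handler table indexed by a message type that
   arrives from untrusted input. */
#define HANDLER_COUNT 4
static const int handler_table[HANDLER_COUNT] = { 10, 20, 30, 40 };

/* CWE-129 as it typically appears: the index is used straight from input.
   A negative value, or any value >= HANDLER_COUNT, indexes outside the
   array, which is undefined behaviour in C and an out-of-bounds read in
   practice. Static analysers flag exactly this pattern. */
int lookup_unchecked(int type)
{
    return handler_table[type];
}

/* Hardened form: reject negatives before converting to size_t (otherwise a
   negative int becomes a huge unsigned index), then compare against the
   real array length computed with sizeof so the bound cannot drift from
   the array definition. Using >= rather than > also catches the classic
   off-by-one where index == length is allowed through. */
bool lookup_checked(int type, int *out)
{
    if (type < 0) {
        return false;
    }
    size_t idx = (size_t)type;
    if (idx >= sizeof(handler_table) / sizeof(handler_table[0])) {
        return false;
    }
    *out = handler_table[idx];
    return true;
}
```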