US experts publish top 25 computer security vulnerabilities

The Department of Homeland Security, in conjunction with the SANS Institute and Mitre, has published a list of this year's top 25 security vulnerabilities, and released new tools for measuring software security risks.

The 2011 CWE/SANS Top 25 Most Dangerous Software Errors covers the most prevalent and easily exploitable vulnerabilities, and was complied by security professionals in industry, academia and government.

The list includes advice for spotting and working around the vulnerabilities for specific sectors, such as e-commerce and industry, and provides pointers for developers on the mistakes to avoid.

"SQL injection delivers the knockout punch of security weaknesses in 2011. For data-rich software applications, SQL injection is the means to steal the keys to the kingdom," said the SANS Institute.

"OS command injection is where the application interacts with the operating system. The classic buffer overflow comes in third, still pernicious after all these decades."

"Cross-site scripting is the bane of web applications everywhere. Rounding out the top five is missing authentication for critical functionality."

The organisations also released two new tools designed to simplify the spotting and fixing of vulnerabilities.

The Common Weakness Risk Analysis Framework provides a system for companies in different sectors to test their applications to find the most dangerous vulnerabilities likely to occur.

The Common Weakness Scoring System, meanwhile, allows developers and IT managers to prioritise the most important vulnerabilities within their operating system, applications and third-party code, and adjust patching and workflow schedules accordingly.

The Department of Homeland Security is taking a renewed interest in online security in the wake of recent high-profile hacking attacks from LulzSec and Stuxnet.