
2010 SANS Top 25 Most Dangerous Programming Errors Released

I was lucky enough to assist in this project, and I must say that a lot of great discussions took place. Unlike many other "top X" security lists, SANS/MITRE's methodology is fairly extensive and well documented, giving you insight into how decisions were made. I do want to point out that top X lists in general are not, on their own, sufficient for building an extensive application security program. If you're looking at developing an extensive application security program at your company, I would suggest reviewing MITRE's extensive CWE and CAPEC projects, as well as the WASC Threat Classification. On the other hand, lists such as these are powerful tools for getting the word out to the masses, and the Top 25 is a superb starting place for those unfamiliar with application security.

From the announcement:

"The 2010 CWE/SANS Top 25 Most Dangerous Programming Errors is a list of the most widespread and critical programming errors that can lead to serious software vulnerabilities. They are often easy to find, and easy to exploit. They are dangerous because they will frequently allow attackers to completely take over the software, steal data, or prevent the software from working at all.

The Top 25 list is a tool for education and awareness to help programmers to prevent the kinds of vulnerabilities that plague the software industry, by identifying and avoiding all-too-common mistakes that occur before software is even shipped. Software customers can use the same list to help them to ask for more secure software. Researchers in software security can use the Top 25 to focus on a narrow but important subset of all known security weaknesses. Finally, software managers and CIOs can use the Top 25 list as a measuring stick of progress in their efforts to secure their software.

The list is the result of collaboration between the SANS Institute, MITRE, and many top software security experts in the US and Europe. It leverages experiences in the development of the SANS Top 20 attack vectors (http://www.sans.org/top20/) and MITRE's Common Weakness Enumeration (CWE) (http://cwe.mitre.org/). MITRE maintains the CWE web site, with the support of the US Department of Homeland Security's National Cyber Security Division, presenting detailed descriptions of the top 25 programming errors along with authoritative guidance for mitigating and avoiding them. The CWE site contains data on more than 800 programming errors, design errors, and architecture errors that can lead to exploitable vulnerabilities.

The 2010 Top 25 makes substantial improvements to the 2009 list, but the spirit and goals remain the same. The structure of the list has been modified to distinguish mitigations and general secure programming principles from more concrete weaknesses. This year's Top 25 entries are prioritized using inputs from over 20 different organizations, who evaluated each weakness based on prevalence and importance. The new version introduces focus profiles that allow developers and other users to select the parts of the Top 25 that are most relevant to their concerns. The new list also adds a small set of the most effective "Monster Mitigations," which help developers to reduce or eliminate entire groups of the Top 25 weaknesses, as well as many of the other 800 weaknesses that are documented by CWE. Finally, many high-level weaknesses from the 2009 list have been replaced with lower-level variants that are more actionable." – MITRE/SANS

SANS Top 25 (MITRE mirror): http://cwe.mitre.org/top25/
SANS Top 25 (SANS mirror): http://www.sans.org/top25-programming-errors/
SANS Top 25 FAQ: http://cwe.mitre.org/top25/faq.html