Annual SANS Top-20 misses some points.

Related to yesterday's post on the date of birth of a vulnerability: SANS today presented its annual SANS Top-20 2007 Security Risks. I like these reports because they summarize the most critical public vulnerabilities of the current year, along with the vulnerability announcements and so on. But the report also has some serious issues. From the report's executive summary:

Just over the last year, the kinds of vulnerabilities that are being exploited are very different from the ones being exploited in the past.

Really? They are referring to vulnerabilities in client applications and web services, which are essentially just input validation flaws, just as format string attacks and many buffer overflows are. What is different is that the threats are targeting "very different software", but the vulnerabilities themselves are not "very different".

They also don't seem to understand the date of birth of a vulnerability:

We have seen significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, in office software, in media players and in other desktop applications.

What they mean is growth in the number of disclosed client-side vulnerabilities, because applications like Firefox, IE 6 and Acrobat Reader were all developed in 2006 and as such should be featured in those statistics if they want to express their growth. Here they suddenly get it:

Web application vulnerabilities in open-source as well as custom-built applications account for almost half the total number of vulnerabilities being discovered in the past year.

I think it's sloppy of SANS not to take care when choosing their words, and it has become something that is almost expected. Besides that, the report features some good content.
