Vulnerability Information Sources

This course covers section one of CSSLP Domain Four: Common Software Vulnerabilities and Countermeasures. You'll learn the elements, ideas, concepts, and principles about what issues must be considered before embarking on a building program of secure software.

Learning Objectives

  • Understand programming fundamentals
  • Become familiar with different development methodologies
  • Learn about common software attacks and the means of exploitation

Intended Audience

This course is intended for anyone looking to develop secure software as well as those studying for the CSSLP certification.


Any experience relating to information security would be advantageous, but not essential. All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


So beginning with Vulnerability Information Sources, here we have one that is very common and known to many: the SANS Top 25, shown here in its current standing for the year 2021. This originally came from the MITRE Corporation, a spinoff from MIT, and it remains a collaborative effort of many contributors worldwide. Now looking at the table, you'll see that on the left-hand side is the current 2021 rank, and on the far right-hand side is the change from 2020. Then of course, reading from left to right, we have the ID, the name of the vulnerability, and the respective scores.

Now looking down this list, you'll see the first 12 of the total 25. The elements that we see here, in my experience, have changed relatively little over the years, and by years I mean over the past decade or more, because they continue to be quite prevalent in the world of hackers attacking things that appear to them on the web as targets. They may change their order slightly depending upon fashion and the ease of finding these various options, but they seldom leave the top 25. In fact, most of the top 12 you see here have seldom been out of the top 10.

Now the SANS Top 25 gives us insight into the various attacks that are possible and that hackers, specifically professional ones, are looking for. And unfortunately, they're not disappointed nearly often enough. But these are the current ones, and unfortunately they still find themselves quite prevalent in the marketplace, presenting easy targets for the hackers. Now the SANS Top 25 is separated into three broad categories. We have secure interaction between components, which includes weaknesses that relate to insecure ways in which data is sent, received and processed between components: modules, programs, processes, threads, or systems.

So essentially, secure interaction taking place at all levels within a system. The second category is risky resource management, and this includes weaknesses that relate to ways in which the software does not properly manage the creation, usage, transfer or destruction of important system resources, the primary one in this particular context being the management of memory. Our third category is poor defenses. Now this includes weaknesses that relate to defensive techniques that are often misused, abused or simply ignored, and this would include misconfiguration of these. Of all of these, it is quite possible that poor defenses has the weakest excuse for still being present, because we know we need to do these things, and yet they don't seem to be used, or used properly, nearly often enough.

Another one of our popular vulnerability information sources is the OWASP Top 10. Now OWASP is also an independent global community of web security professionals and developers. The Top 10 identifies and categorizes the most commonly occurring and the most commonly attacked web system vulnerabilities, most of which we find on examination are avoidable. And again we have the complete list and the details associated with it, the 2017 version and now the 2021 version, and the arrows crossing the gap between the two columns illustrate the movement of these particular attack forms, or weakness forms, from higher to lower, and the reverse, on the 2021 list. For example, we have Broken Access Control at five in 2017, and that has moved up to the top spot in 2021. Sensitive Data Exposure has moved from slot three to slot two. Injection attacks have moved from seven to three. Insecure Design seems to remain fairly common at level four in 2021.

At five, Security Misconfiguration, always known to be a particular weakness found in systems, has made a slight move upward to five from six, and so on down the list. But again, what we see from 2017 to 2021 reflects that they have not changed that much, meaning that a lot of them are still present and exploited. We have, of course, the Common Vulnerabilities Enumeration, known as the CVE. Now the CVE has as its mission to identify, define and catalog publicly disclosed cybersecurity vulnerabilities, and these are typically the ones that are published by the makers of the relevant software.

Now this is still operated by the MITRE Corporation, but in partnership with the US Department of Homeland Security through their Cybersecurity and Infrastructure Security Agency. The Common Vulnerability Scoring System, which is a counterpart at NIST, is a scoring system that is an open framework for communicating the characteristics and the severity of software vulnerabilities. Now the CVSS presents three metric groups: base, temporal and environmental. It is well suited as the standard measurement system for industries, organizations and governments that need accurate and consistent vulnerability severity scores. As such, the CVSS has two common uses, both of which are quite important: it allows one to examine one's own systems and decide on the severity of vulnerabilities that are discovered there, but it also gives a factoring, from an independent source, for the prioritization of vulnerabilities in remediation activities. Now the National Vulnerability Database, the NVD, will provide CVSS scores for all the known vulnerabilities that are published.

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP license in 1997, Mr. Leo joined ISC2 (a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became and remains the standard curriculum used to train CISSP candidates worldwide. He has maintained his professional standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.
