In the wake of the recent LulzSec 50-day hacking spree that left many high-profile companies and organizations scrambling, DHS announced on Monday, June 27, 2011, "detailed guidance" on the top 25 software vulnerabilities.
The "Common Weakness Enumeration" list was developed in collaboration among DHS, Mitre, and SANS as well as numerous other private sector organizations.
In addition to the list, there is also a scoring system and risk analysis framework that can be used to prioritize risk mitigation activities.
Not surprisingly, SQL injection flaws top the DHS list, which is closely aligned with the vulnerabilities identified in the OWASP Top 10.
Common flaws between the two lists include injection, cross-site scripting (XSS), authentication flaws, and cross-site request forgery (CSRF).
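Since SQL injection heads the list, here is a small added illustration (not from the DHS/Mitre/SANS guidance or the original post) of what the flaw looks like in code and what the standard fix is. It uses Python's built-in sqlite3 module against a constructed in-memory table; the user table, its rows and the test inputs are all invented for the demonstration.

```python
import sqlite3


def make_db():
    """Build a constructed in-memory users table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Splices untrusted input straight into the SQL text (the injection flaw).

    Whatever the caller passes becomes part of the query grammar, so quote
    characters in the input change the meaning of the WHERE clause.
    """
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, username):
    """Hardened form: the input is bound as a value, never parsed as SQL.

    The database driver sends the query shape and the data separately, so a
    quote in the input is just a character inside the compared string.
    """
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    # Constructed input containing a quote: the textbook tautology string.
    probe = "x' OR '1'='1"
    print("vulnerable   ->", lookup_vulnerable(db, probe))      # returns every row
    print("parameterized->", lookup_parameterized(db, probe))   # returns nothing
```

The parameterized version is the one to look for in code review: any query built with string formatting or concatenation from request data is a candidate for the flaw regardless of how the input is "validated", because the fix is structural (separating code from data), not a matter of filtering characters.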
While the generation of these lists is laudable, it is quite another thing for companies and organizations to actually test their environments for these flaws on a continuous basis and implement sound security controls.
While there are the proverbial "low-hanging fruit" types of fixes, there are no quick fixes for changing corporate cultures.
A clear example of this is Sony, one of the most high-profile victims of the LulzSec breaches.
Sony has 1,000 subsidiaries and employs approximately 168,000 people, and for some unknown reason it has never had a CISO function!