Many weaknesses were considered for inclusion on the Top 25, but some did not make it to the final list. Some were not considered to be severe enough; others were not considered to be prevalent enough. Users of the Top 25 should seriously consider including these weaknesses in their analyses.
Weaknesses covered by more general entries (12)
- These on-the-cusp items were omitted because they are already indirectly covered on the Top 25, usually by a more general entry. However, these would be important to consider as individual items.
Weaknesses that did not have sufficient prevalence or severity (11)
- With respect to severity, some Top 25 users may have a significantly different threat model. For example, software uptime may be critical to consumers who operate in critical infrastructure or e-commerce environments. However, in the threat model being used by the Top 25, availability is regarded as slightly less important than integrity and confidentiality.
With respect to prevalence, some Top 25 items may not be applicable to the class of software being developed. For example, cross-site scripting is specific to the Web, although analogs exist in other technologies. In other cases, developers may have already eliminated much of the Top 25 in past efforts, so they want to look for other weaknesses that may still be present in their software.
DACS Gold Practice Initiative
