You may have seen that the latest SANS Top 20 was released yesterday. You may also notice I am listed as one of several dozen "experts" (cough) who "helped create" the list. Based on last year's list, I thought I might join the development process for the latest Top 20. Maybe instead of complaining once the list was published, I could try to influence the process from inside?
First let me say that project lead Rohit Dhamankar did a good job considering the nature of the task. He even made a last-minute effort to solicit my feedback, and some of my comments altered the categories you now see in the Top 20. I thank him for that.
As far as the nature of the list goes, it's important to realize that it's based on a bunch of people's opinions. There is no analysis of past vulnerability trends or conclusions based on real data, like the Vulnerability Type Distribution I mentioned earlier. At the point where I realized people were just going to write up their thoughts on various problems (Internet Explorer, Mac OS X, etc.) I left the project. Rohit emailed me early this week, but I was formally done in early October.
If you think a bunch of people's opinions is worthwhile, then you may find the Top 20 useful. I think the majority of the Top 20's utility, such as it is, derives from name recognition. If that can help influence your organization's management, then I guess it is helpful.
At the very least, the newest Top 20 is a very informative document with plenty of references. I would expect most security practitioners to understand or at least recognize everything on the list. I don't think the list is as "actionable" as the original Top 10, which listed specific vulnerabilities (e.g., "RDS security hole in IIS," CVE-1999-1011) that you needed to patch now.
The latest Top 20 has hundreds of CVE entries, and as such is more of a meta-description of Internet targets. In that respect I like the fact it's called an "attack targets" document, since there's nothing inherently "vulnerable" about, say, Mac OS X. Instead, Mac OS X is being attacked.
What do you think of the new list?