A colleague of mine asked me to collaborate on a list of the top 10 security threats for 2008. Naturally, I did a bit of research and noticed that many of the folks who publish similar lists often confuse security threats and security vulnerabilities.
For example, here is a post by The SANS Institute, The Top 10 Most Critical Internet Security Threats – (2000-2001 Archive), where they mistakenly list security vulnerabilities as threats.
To be more precise, I reference our 2001 MILCOM paper, Defense-In-Depth Revisited: Qualitative Risk Analysis Methodology for Complex Network-Centric Operations, where we are careful to define these terms:
Vulnerability: A characteristic of the system (e.g. a flaw, bug or feature) that provides a means of exploitation.
Threat: The possible existence of an entity – person or process – that could exploit the vulnerability.
OWASP gets it right. Their Top Ten project does a good job of listing their idea of the top ten vulnerabilities of 2007. For example, Cross Site Scripting (XSS), Injection Flaws, and Malicious File Execution are all correctly listed as vulnerabilities.
A threat, for example, would be “a criminal interested in stealing your password or identity” or “a terrorist looking to shut down a power plant”.
McAfee does an acceptable, but imperfect, job with McAfee’s Top Ten Security Threats for 2007. Notice that in their list, they actually make a common mistake, listing vulnerabilities as a threat when they say, “Vulnerabilities will continue to cause concern fueled by the underground market for vulnerabilities.”
Vulnerabilities are not threats; they are vulnerabilities.
Stay tuned for more on the top ten security threats for 2008.