Top 25 Most Dangerous and Getting 'Threat Model' Terminology Correct

Today, the CWE - 2009 CWE/SANS Top 25 Most Dangerous Programming Errors list was released. These top twenty-five CWE entries represent the most important vulnerability categories that all application developers should be aware of. Think of it as an OWASP Top Ten that covers more than just web applications. The existing Common Weakness Enumeration is outstanding but overwhelming. By framing the programming errors in terms of a Top 25, these issues become instantly more accessible. In turn, this establishes a de facto application security baseline.

What I found most refreshing was the proper use of the term 'Threat Model' in Appendix B: Threat Model for the Skilled, Determined Attacker. Too often the term has been abused by some people to label activities better described as vulnerability analysis or attack modeling. The proper focus of a threat model is the agent or actor that could exploit a vulnerability. It was extremely satisfying to see the threat model explicitly described when it is so often glossed over or ignored completely.

Posted by gfleischer on 2009/01/12 at 22:13 in Security


