The new list of the top 25 most dangerous software weaknesses from the Homeland Security Systems Engineering and Development Institute contains many well-known vulnerabilities that have been targeted by cybercriminals for over a decade now. Injections top the list of the OWASP Top 10 Web Application Security Risks, and feature prominently on this list as well. Many other items on the list also match closely with the OWASP Top 10. These aren’t new risks, so why have organizations failed to find these problems before releasing code to production, or failed to protect these vulnerabilities against attack in production? Unfortunately, these problems are often hard to find during testing, and sometimes they arise and are only a problem when different application modules interact, making them even harder to detect. The National Institute of Standards and Technologies (NIST) has recognized these shortcomings as well, and as a result, recently updated draft 5 of the SP800-53 application security framework to include RASP (Runtime Application Self Protection) and IAST (Interactive Application Security Testing) to better protect against these critical software weaknesses.  Read Less