Other than for press coverage, I don't really understand the value of the SANS Top 20 Vulnerabilities. As far as I can tell, its basic message is that pretty much everything is vulnerable. Some comments:
- It is not a list of what I would call "vulnerabilities" as much as it is a list of vulnerable programs.
- It doesn't appear to list the vulns in any sort of priority order.
- There doesn't appear to be any qualification to what makes a vulnerability critical, except maybe its existence.
- It seems more like a big laundry list than anything else. (The first two "vulnerabilities" actually contained 22 traditional vulnerabilities).
What I would really enjoy is something more specific about vulnerabilities, their severity, how common they are, the popularity of exploit, etc.
I guess the information is useful just to have organized, I just wish they would have been a bit more specific and a bit more rigorous in their approach. It probably doesn't help having 35 people participating in what appears to be a qualitative process. It would be hard to achieve any type of consensus with a group that large.