Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25

There is no shortage of "Top X" lists in the application security world, and it seems that every organization and vendor has its own favorite way of classifying and categorizing vulnerabilities. Having everyone speak a different language leads to problems, especially when Organization X, which uses vulnerability list A, tries to communicate with Organization Y, which uses vulnerability list B. What a mess.

Because of another internal project underway (first public release to come shortly … I promise) we had to correlate the items on a number of these lists.  Based on this work we put together a document with mappings between:

- OWASP Top 10 2004
- OWASP Top 10 2007
- SANS CWE/25
- WASC 24 (+2) (v1)

This was tough to put together and we still have some disagreements internally about what should map where.  What do you think?
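One way to make a mapping like this mechanically checkable, as an added example that is not part of the original post and not the Denim Group document itself (whose contents the post does not reproduce): pivot every list through CWE identifiers and let a script report which items translate cleanly, which fan out to several items, and which have no counterpart at all. The tables below are a constructed, deliberately partial sample limited to well-known pairings (XSS, SQL and command injection, CSRF, input validation); an item missing from a list here is a gap in the sample, not necessarily in the real list, and the function names are my own.

```python
# Added example: translate between "Top X" lists by pivoting through CWE ids.
# LISTS is a constructed, partial sample for illustration only; it is not the
# mapping document described in the post and omits most items of each list.
from itertools import combinations

# list name -> { item label -> set of CWE ids the item covers }
LISTS = {
    "OWASP Top 10 2004": {
        "A1 Unvalidated Input": {"CWE-20"},
        "A4 Cross Site Scripting (XSS) Flaws": {"CWE-79"},
        "A6 Injection Flaws": {"CWE-89", "CWE-78"},
    },
    "OWASP Top 10 2007": {
        "A1 Cross Site Scripting (XSS)": {"CWE-79"},
        "A2 Injection Flaws": {"CWE-89", "CWE-78"},
        "A5 Cross Site Request Forgery (CSRF)": {"CWE-352"},
    },
    "SANS CWE/25": {
        "CWE-20 Improper Input Validation": {"CWE-20"},
        "CWE-78 OS Command Injection": {"CWE-78"},
        "CWE-79 Cross-site Scripting": {"CWE-79"},
        "CWE-89 SQL Injection": {"CWE-89"},
        "CWE-352 Cross-Site Request Forgery": {"CWE-352"},
    },
    "WASC 24 (+2) (v1)": {
        "Cross-site Scripting": {"CWE-79"},
        "SQL Injection": {"CWE-89"},
    },
}


def translate(item, src, dst, lists=LISTS):
    """Items of list `dst` sharing at least one CWE id with `item` of list `src`."""
    cwes = lists[src][item]
    return sorted(label for label, ids in lists[dst].items() if ids & cwes)


def unmapped(src, dst, lists=LISTS):
    """Items of `src` with no counterpart in `dst`: the gaps to resolve by hand."""
    return sorted(item for item in lists[src] if not translate(item, src, dst, lists))


def ambiguous(src, dst, lists=LISTS):
    """Items of `src` whose CWE ids land on more than one item of `dst` (one-to-many)."""
    return sorted(item for item in lists[src]
                  if len(translate(item, src, dst, lists)) > 1)


def coverage_report(lists=LISTS):
    """(mapped, total) for every ordered pair of lists, so gaps are visible at a glance."""
    report = {}
    for src, dst in combinations(lists, 2):
        for a, b in ((src, dst), (dst, src)):
            total = len(lists[a])
            report[(a, b)] = (total - len(unmapped(a, b, lists)), total)
    return report


if __name__ == "__main__":
    for (src, dst), (mapped, total) in sorted(coverage_report().items()):
        print(f"{src} -> {dst}: {mapped}/{total} items mapped")
        for item in unmapped(src, dst):
            print(f"    no counterpart: {item}")
        for item in ambiguous(src, dst):
            print(f"    one-to-many:    {item} -> {translate(item, src, dst)}")
```

The point of the pivot is that disagreements about "what maps where" become disagreements about which CWE ids an item covers, which is a narrower question to argue about; the one-to-many and unmapped reports are exactly the rows that still need a human decision.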

Also, check out Jeremiah Grossman's mappings between the OWASP Top 10 2010 RC1 and the WASC Threat Classification v2. Once the OWASP Top 10 2010 has been finalized we will likely update our document to cover both the OWASP Top 10 2010 and the WASC Threat Classification v2 and make that available as well.

Contact us to talk more about how your organization can best use “Top X” lists to drive awareness of application security issues.

–Dan

dan _at_ denimgroup.com

@danielcornell


About Dan Cornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman of the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan speaks at international conferences such as RSA, ROOTs in Norway and OWASP AppSec EU.
