Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25


There is no shortage of “Top X” lists in the application security world, and it seems that every organization and vendor has its own way of classifying and categorizing vulnerabilities. When everyone speaks a different language, problems follow, especially when Organization X, which uses vulnerability list A, tries to communicate with Organization Y, which uses vulnerability list B. What a mess.

Because of another internal project that is underway (first public release to come shortly … I promise), we had to correlate the items on a number of these lists. Based on this work we put together a document with mappings between:

· OWASP Top 10 2004
· OWASP Top 10 2007
· SANS CWE/25
· WASC 24 (+2) (v1)

This was tough to put together and we still have some disagreements internally about what should map where.  What do you think?

Also, check out Jeremiah Grossman’s mappings between the OWASP Top 10 2010 RC1 and the WASC Threat Classification v2. Once the OWASP Top 10 2010 has been finalized we will likely update our document to include both the OWASP Top 10 2010 and the WASC Threat Classification v2 and make that available as well.

Contact us to talk more about how your organization can best use “Top X” lists to drive awareness of application security issues.


dan _at_


Posted via email from Denim Group’s Posterous

About Dan Cornell

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As Chief Technology Officer and Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process.
