There is no shortage of “Top X” lists in the application security world, and it seems that every organization and vendor has their favorite way of classifying and categorizing vulnerabilities. This situation where folks speak a lot of different languages leads to problems – especially when Organization X using vulnerability list A tries to communicate with Organization Y using vulnerability list B. What a mess.
Because of another internal project underway (first public release to come shortly … I promise) we had to correlate the items on a number of these lists. Based on this work we put together a document with mappings between:
This was tough to put together and we still have some disagreements internally about what should map where. What do you think?
Also, check out Jeremiah Grossman’s mappings between the OWASP Top 10 2010 RC1 and WASC Threat Classification v2. Once the OWASP Top 10 2010 has been finalized we will likely update our document to include both the OWASP Top 10 2010 and the WASC Threat Classification v2 and make that available as well.
dan _at_ denimgroup.com