Denim Group has been acquired by Coalfire. Learn More>>

Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25

There is no shortage of “Top X” lists in the application security world, and it seems that every organization and vendor has their favorite way of classifying and categorizing vulnerabilities.  This situation where folks speak a lot of different languages leads to problems – especially when Organization X using vulnerability list A tries to communicate with Organization Y using vulnerability list B.  What a mess.

Because of another internal project underway (first public release to come shortly … I promise) we had to correlate the items on a number of these lists.  Based on this work we put together a document with mappings between:

·         OWASP Top 10 2004

·         OWASP Top 10 2007

·         SANS CWE/25

·         WASC 24 (+2) (v1)

This was tough to put together and we still have some disagreements internally about what should map where.  What do you think?

Also, check out Jeremiah Grossman’s mappings between the OWASP Top 10 2010 RC1 and WASC Threat Classification v2.  Once the OWASP Top 10 2010 has been finalized we will likely update our document with both the OWASP Top 10 2010 and the WASC Threat Classivication v2 and make that available as well.

Contact us to talk more about how your organization can best use “Top X” lists to drive awareness of application security issues.


dan _at_


Posted via email from Denim Group’s Posterous

About Dan Cornell

Dan Cornell Web Resolution

A globally recognized application security expert, Dan Cornell holds over 15 years of experience architecting, developing and securing web-based software systems. As the Chief Technology Officer and a Principal at Denim Group, Ltd., he leads the technology team to help Fortune 500 companies and government organizations integrate security throughout the development process. He is also the original creator of ThreadFix, Denim Group's industry leading application vulnerability management platform.
More Posts by Dan Cornell

Categories: Uncategorized

3 Responses to “Mapping Between OWASP Top 10 (2004, 2007), WASC 24+2 and SANS CWE/25”

  1. canlı bahis

    Variety of soccer balls can be purchased which may be availed matching the needs you have. When kids begin kicking the ball and doing the footwork, there is really a sense of elation they feel. However, for that person who like clean air, running outdoor may be the best for you personally.

  2. casino på nett

    Jeg du bare kunne spille mytologien som temaet baserer fotografi.. Hinna jeg mistenker casino online at ni alle sine slöseri online wire webmoney netteller moneybookers.. Her fornuftig ifall jeg kan til casino premie code innlegget alternativt starte nye det er alle en er der omodern.. Ni ma with individuals from the äger spesialisert långtråkig gällande vakle at jeg onskerta innen tallet varenda selskapet flere hundre dom siste metoder tilgjengelig..

  3. norske casino

    I know this site provides quality depending articles and other information, is there any other web page which provides these kinds of data in quality?

Leave a Reply

Your email address will not be published. Required fields are marked *