WASC WSTCv2 Mapping Proposal

Внося последние штришки в статистику уязвимостей web-приложений за 2009 год (дата публикации которого в этом году как-то слишком затянулась), неожиданно для себя обнаружил отсутствие сопоставления названий уязвимостей WASC WSTCv2к SANS/CWE Top 25 2010. За неимением подобного сопоставления на официальном ресурсе [ 1], предлагаю свою версию. name='more'> RankScoreCWE IDCWE/SANS NAMEWASC NAMEWASC ID[1]346 CWE-79Failure to Preserve Web Page Structure ('Cross-site Scripting')Cross-Site Scripting WASC-08[2]330 CWE-89Improper Sanitization of Special Elements used in an SQL Command ('SQL Injection')SQL Injection WASC-19[3]273 CWE-120Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')Buffer Overflow WASC-07[4]261 CWE-352Cross-Site Request Forgery (CSRF)Cross-site Request Forgery WASC-09[5]219 CWE-285Improper Access Control (Authorization)Insufficient Authorization WASC-02[6]202 CWE-807Reliance on Untrusted Inputs in a Security DecisionInsufficient Authorization WASC-02[7]197 CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')Path Traversal WASC-33[8]194 CWE-434Unrestricted Upload of File with Dangerous Type[9]188 CWE-78Improper Sanitization of Special Elements used in an OS Command ('OS Command Injection')OS Commanding WASC-31[10]188 CWE-311Missing Encryption of Sensitive DataInsufficient Transport Layer Protection WASC-04[11]176 CWE-798Use of Hard-coded Credentials[12]158 CWE-805Buffer Access with Incorrect Length ValueBuffer Overflow WASC-07[13]157 CWE-98Improper Control of Filename for Include/Require Statement in PHP Program ('PHP File Inclusion')Path Traversal WASC-33[14]156 CWE-129Improper Validation of Array Index[15]155 CWE-754Improper Check for Unusual or Exceptional Conditions[16]154 CWE-209Information Exposure Through an Error MessageInformation Leakage WASC-13[17]154 CWE-190Integer Overflow or WraparoundInteger Overflows WASC-03[18]153 CWE-131Incorrect Calculation of Buffer SizeBuffer Overflow WASC-07[19]147 CWE-306Missing Authentication for Critical FunctionInsufficient Authentication WASC-01[20]146 CWE-494Download of Code Without Integrity CheckRemote File Inclusion WASC-05[21]145 CWE-732Incorrect Permission Assignment for Critical ResourceImproper Filesystem Permissions WASC-17[22]145 CWE-770Allocation of Resources Without Limits or ThrottlingDenial of Service WASC-10[23]142 CWE-601URL Redirection to Untrusted Site ('Open Redirect')URl Redirector Abuse WASC-38[24]141 CWE-327Use of a Broken or Risky Cryptographic AlgorithmCredential/Session Prediction WASC-18[25]138 CWE-362Race ConditionInsufficient Process Validation WASC-40