Cyber Resilience

Cross-walk release · 10 June 2026

CWE ↔ OWASP ASVS 5.0

A two-way mapping between CWE and OWASP ASVS 5.0: 672 related pairs, 1344 directional rows, LLM-authored (is prevented by · prevents) and human-QA’d (cohort bulk_after_review_2026_06_08 where applicable). ← all releases

What we add (no authoritative mapping exists)

No standards body publishes a CWE ↔ OWASP ASVS 5.0 mapping. This release is our own contribution: a bidirectional, extent-rated cross-walk an analyst can use to pivot between the two frameworks. The reliability and abstraction measures below describe its shape; there is no external mapping to diff against.

Reliability

CWE → OWASP ASVS 5.0OWASP ASVS 5.0 → CWE
Completeness (full + mostly) 21.4% 55.6%
Scope — no counterpart (none) 49.9% 28.6%
Counterpart coverage 275 mapped 273 of 345 (79.1%)
Reverse-presence (bidirectionality) 99.7%
Extent-rank correlation (forward vs reverse) 0.826

Completeness = share of present edges rated full or mostly. Scope = share of pairs with no coverage in that direction (a high value flags entities the other framework doesn’t reach). Reverse-presence = of forward mappings, how many also map back.

Abstraction

CWEOWASP ASVS 5.0
Breadth (avg counterparts per entity) 1.712.19
Depth (avg coverage strength, 0–3) 1.271.75

Verdict: OWASP ASVS 5.0 sits at a higher level of abstraction (fans out more).

CWE abstraction: Base 164, Variant 65, Class 38, Pillar 5, Compound 3

Raw data

Download the full mapping (every directional edge + the metrics block): JSON · CSV · XLSX

JSON is full-fidelity; CSV is one row per directional edge; XLSX has edges / metrics / diff sheets.