[Owasp_cornucopia] OWASP Requirements Numbering

Colin Watson colin.watson at owasp.org
Fri May 10 12:11:53 UTC 2013

The Cornucopia Ecommerce Website Edition card deck references the
Secure Coding Practices Quick Reference Guide (SCPQRG) by requirement
number (1-202). There are no identifiers in the SCPQRG, so I have
produced this XML file that defines IDs for each check box in v2.0 of


This was uploaded as a ZIp because XML is not allowed. Each item has an ID like:


The ID is unique and has no other meaning. New items are simply given
the next higher unused number. Categorisations of any type can be
applied to any/all items.

The file does not duplicate all the content in the SCPQRG, but is
intended to be used for cross-referencing. In fact the requirement
titles (preferred terms) could perhaps be shortened, with the detail
left in the SCPQRG. I have added mappings to the SCPQRG categories and
some more general appsec security principles e.g.

    <preferredterm lang="en">Disable auto complete features on forms
expected to contain sensitive information, including
     <categorisation type="principle">Session Management</categorisation>
     <categorisation type="scpqrg">Data Protection</categorisation>

This XML format is not set or anything special, and it might make
sense for it to be compatible with ISO 25964, but that is further down
the line. It will be easy to use XSLT to convert the file to a new
schema or into other formats such as YAML.

I intend to add mapping to other identities such as those used in the
OWASP Testing Guide v3 and ASVS.


More information about the Owasp_cornucopia mailing list