[Owasp-leaders] ZAPping the OWASP Top 10

Achim achim at owasp.org
Thu Aug 28 12:43:26 UTC 2014


Additional to Simon's suggestion:

	there is often the question of whether this or that tool can find/protect
	against all OWASP Top 10 vulnerabilities

As Simon said, we all know that it is not possible to find *all* types of
vulnerabilities listed in the Top 10 (i.e. A7 from Top 10 2010).
The same applies to protecting against such vulnerabilities (i.e. with a WAF).

Does it make sense to *clearly write* on the Top 10 page that some vulnerabilities
cannot easily be detected/protected against automatically by third-party devices/software?

There are so many marketing papers out in the wild where products claim to
find/protect against all of them. BS.


On 28.08.2014 13:21, psiinon wrote:
> Leaders,
> I often get asked if ZAP scans for the "OWASP Top 10".
> As I'm sure you're all aware, it's not really possible to automatically scan
> for all of the vulnerabilities behind the OWASP Top 10 _risks_.
> But I still think it's a question that should be answered, and so I've added
> this page to the OWASP wiki based on input from the ZAP contributors:
> https://www.owasp.org/index.php/ZAPpingTheTop10
> I just wanted to make sure that no one objects before I start publicizing
> it.
> Note that the pdf points to the page on the ZAP wiki - I'll change that
> before publicizing it outside of this list.
> Of course, if anyone has any suggestions as to features we could add to make
> detecting any vulnerabilities any easier, then don't hesitate to get in touch
> ;)
> Cheers,
> Simon
