[Owasp-leaders] ZAPping the OWASP Top 10
achim at owasp.org
Thu Aug 28 12:43:26 UTC 2014
In addition to Simon's suggestion:
There is often the question of whether this or that tool can find/protect against
all OWASP Top 10 vulnerabilities.
As Simon said, we all know that it is not possible to find *all* types of
vulnerabilities listed in the Top 10 (i.e. A7 from Top 10 2010).
The same applies to protecting against such vulnerabilities (i.e. with a WAF).
Does it make sense to *clearly write* on the Top 10 page that some vulnerabilities
cannot easily be detected/protected against automatically by third-party devices/software?
There are so many marketing papers out in the wild where products claim to find/
protect against all. BS.
On 28.08.2014 13:21, psiinon wrote:
> I often get asked if ZAP scans for the "OWASP Top 10".
> As I'm sure you're all aware, it's not really possible to automatically scan
> for all of the vulnerabilities behind the OWASP Top 10 _risks_.
> But I still think it's a question that should be answered, and so I've added
> this page to the OWASP wiki based on input from the ZAP contributors:
> I just wanted to make sure that no one objects before I start publicizing
> Note that the pdf points to the page on the ZAP wiki - I'll change that
> before publicizing it outside of this list.
> Of course if anyone has any suggestions as to features we could add to make
> detecting any vulnerabilities any easier then don't hesitate to get in touch.