[Owasp-leaders] ZAPping the OWASP Top 10

Aaron Guzman aaron.guzman at owasp.org
Thu Aug 28 17:16:51 UTC 2014


I agree. For example, access control and proper session management testing
cannot be easily detected by third party devices/software.


On Thu, Aug 28, 2014 at 7:44 AM, Timur 'x' Khrotko (owasp) <timur at owasp.org>
wrote:

> +10
> On Aug 28, 2014 3:46 PM, "Achim" <achim at owasp.org> wrote:
>
>> Leaders,
>>
>> additional to Simons suggestion:
>>
>>         there is often the question if this or that tool can find/protect
>>         all OWASP Top 10 vulnerabilities
>>
>> As Simon said, we all know that it is not possible to find *all* types of
>> vulnerabilities listed in the Top 10 (i.e. A7 from Top 10 2010).
>> The same applies to protect against such vulnerabilities (i.e. with a
>> WAF).
>>
>>
>> Does it make sense to *clearly write* on the Top 10 page, that some
>> vulnerabilities
>> cannot easily be detected/protected automatically by third party
>> devices/software.
>>
>> There're so many marketing papers out in the wild, where products claim
>> to find/
>> protect all. BS.
>>
>>
>> Ciao
>> Achim
>>
>>
>> On 28.08.2014 13:21, psiinon wrote:
>> > Leaders,
>> >
>> > I often get asked if ZAP scans for the "OWASP Top 10".
>> > As I'm sure you're all aware, it's not really possible to automatically
>> scan
>> > for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>> >
>> > But I still think it's a question that should be answered, and so I've
>> added
>> > this page to the OWASP wiki based on input from the ZAP contributors:
>> >
>> > https://www.owasp.org/index.php/ZAPpingTheTop10
>> >
>> > I just wanted to make sure that no one objects before I start
>> publicizing
>> > it.
>> >
>> > Note that the pdf points to the page on the ZAP wiki - I'll change that
>> > before publicizing it outside of this list.
>> >
>> > Of course if anyone has any suggestions as to features we could add to
>> make
>> > detecting any vulnerabilities any easier then don't hesitate to get in
>> touch
>> > ;)
>> >
>> > Cheers,
>> >
>> > Simon
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
> Email us to enforce secure link with your mail servers (domain).
> This message may contain confidential information - you should handle it
> accordingly.
> This letter may contain confidential information and should be treated as such.


-- 
Aaron G
Twitter: @scriptingxss
Linkedin: http://lnkd.in/bds3MgN