[Owasp-leaders] ZAPping the OWASP Top 10

Dirk Wetter dirk at owasp.org
Thu Aug 28 19:16:48 UTC 2014

Hi Simon,

On 08/28/2014 01:21 PM, psiinon wrote:
> Leaders,
> I often get asked if ZAP scans for the "OWASP Top 10".
> As I'm sure you're all aware, it's not really possible to automatically scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
> But I still think it's a question that should be answered, and so I've added this page to the OWASP wiki based on input from the ZAP contributors:
> https://www.owasp.org/index.php/ZAPpingTheTop10
> I just wanted to make sure that no one objects before I start publicizing it.

my 2 bits... you basically answered the question yourself
though ("As I'm sure you're all aware, it's not really possible ...")

You should be clear whether you want to market ZAP
or whether you want to provide technical insights.

For the latter, everybody knows no scanner / tool,
even if used by a trained professional, has nearly complete
coverage from the blackbox perspective. It never will.

And to cite others here -- OWASP Top 10 is an
awareness document -- it's not complete and
by using a scanner / tool you won't get security.
This would be insinuated though.

Bottom line: I would not recommend publishing it at
all or at least not without modifications.
The picture is too simple and misleading. If you really
want to do it: Put some of the constraints I mentioned
in the wiki, and add what ZAP can't do as of now.
And then again have others have a look.

Cheers! Dirk
