[Owasp-leaders] ZAPping the OWASP Top 10

Dave Wichers dave.wichers at owasp.org
Fri Aug 29 04:46:10 UTC 2014



I like this idea. I’m all for transparency. The more the better.


But one thing that’s needed is clarity on how effective and complete the techniques/aids are. For example, if any tool has 1 capability in each of the 10 areas, then some (even many) people might presume that the tool can detect all issues in all 10 areas, where in reality, the tool can only help in all ten areas, and the question is, how much? And that’s hard to quantify.


The question is, is it worth trying (i.e., does that make it more clear).


For example, if we said (just making something up), that ZAP could help identify a couple of small weakness in the area of authentication, but overall can’t do very much. So lots of manual design analysis and testing is still required. But it can be really helpful finding many XSS flaws, so less additional manual effort is required. Does that make it more clear? I think it does on one hand, but because its so hard to quantify and describe, it muddies the water on the other hand.




p.s. I know I’ve done general analysis of which areas of the Top 10 lend themselves (or not) to automated analysis. I’d just have to find it again. It might be reflected in what went into ASVS version 1.


From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of psiinon
Sent: Thursday, August 28, 2014 7:22 AM
To: owasp-leaders at lists.owasp.org
Subject: [Owasp-leaders] ZAPping the OWASP Top 10



I often get asked if ZAP scans for the "OWASP Top 10".

As I'm sure you're all aware, its not really possible to automatically scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.

But I still think its a question that should be answered, and so I've added this page to the OWASP wiki based on input from the ZAP contributors:


I just wanted to make sure that no one objects before I start publicizing it.

Note that the pdf points to the page on the ZAP wiki - I'll change that before publicizing it outside of this list.

Of course if anyone has any suggestions as to features we could add to make detecting any vulnerabilities any easier then dont hesitate to get in touch ;)



OWASP ZAP <https://www.owasp.org/index.php/ZAP>  Project leader

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20140829/d40d70c3/attachment-0001.html>

More information about the OWASP-Leaders mailing list