[Owasp-leaders] ZAPping the OWASP Top 10

psiinon psiinon at gmail.com
Fri Aug 29 08:21:28 UTC 2014


Dirk,

It's definitely ZAP specific, but it's not meant to be marketing bumf.
It's a cheat sheet which helps people understand which ZAP components they
should use for detecting vulnerabilities associated with each of the OWASP
Top 10 risks.
That's something I get asked quite a lot, so I think there's a need for this
sort of doc.
It also states which of the components are automated and which are manual -
I'm not trying to imply that ZAP can detect all of the vulnerabilities
automatically.

I'm happy to add a statement to the effect that no black box scanner will
find all issues - I always try to stress that ZAP is not a silver bullet.

Cheers,

Simon


On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:

> Hi Simon,
>
> On 08/28/2014 01:21 PM, psiinon wrote:
> > Leaders,
> >
> > I often get asked if ZAP scans for the "OWASP Top 10".
> > As I'm sure you're all aware, it's not really possible to automatically
> scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
> >
> > But I still think it's a question that should be answered, and so I've
> added this page to the OWASP wiki based on input from the ZAP contributors:
> >
> > https://www.owasp.org/index.php/ZAPpingTheTop10
> >
> > I just wanted to make sure that no one objects before I start
> publicizing it.
>
> my 2 bits... you basically answered the question yourself
> though ("As I'm sure you're all aware, it's not really possible ...")
>
> You should be clear whether you want to market ZAP
> or whether you want to provide technical insights.
>
> For the latter everybody knows that no scanner / tool,
> even if used by a trained professional, has nearly complete
> coverage from the blackbox perspective. It never will.
>
> And to cite others here -- OWASP Top 10 is an
> awareness document -- it's not complete and
> by using a scanner / tool you won't get security.
> This would be insinuated though.
>
> Bottom line: I would not recommend publishing it at
> all or at least not without modifications.
> The picture is too simple and misleading. If you really
> want to do it: Put some of the constraints I mentioned
> in the wiki, and add what ZAP can't do as of now.
> And then again have others have a look.
>
> Cheers! Dirk
>
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader