[Owasp-leaders] ZAPping the OWASP Top 10

Owen Pendlebury owen.pendlebury at owasp.org
Fri Aug 29 08:28:12 UTC 2014


Hi Simon,

Looks good

Could this be something that's incorporated into other projects like
Security Shepherd and WebGoat in a tutorial fashion for training purposes?
i.e. cross-reference your cheat sheet with the levels!


On 29 August 2014 09:21, psiinon <psiinon at gmail.com> wrote:

> Dirk,
>
> It's definitely ZAP-specific, but it's not meant to be marketing bumf.
> It's a cheat sheet which helps people understand which ZAP components they
> should use for detecting vulnerabilities associated with each of the OWASP
> Top 10 risks.
> That's something I get asked quite a lot, so I think there's a need for this
> sort of doc.
> It also states which of the components are automated and which are manual
> - I'm not trying to imply that ZAP can detect all of the vulnerabilities
> automatically.
>
> I'm happy to add a statement to the effect that no black box scanner will
> find all issues - I always try to stress that ZAP is not a silver bullet.
>
> Cheers,
>
> Simon
>
>
> On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
>
>> Hi Simon,
>>
>> On 08/28/2014 01:21 PM, psiinon wrote:
>> > Leaders,
>> >
>> > I often get asked if ZAP scans for the "OWASP Top 10".
>> > As I'm sure you're all aware, it's not really possible to automatically
>> scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>> >
>> > But I still think it's a question that should be answered, and so I've
>> added this page to the OWASP wiki based on input from the ZAP contributors:
>> >
>> > https://www.owasp.org/index.php/ZAPpingTheTop10
>> >
>> > I just wanted to make sure that no one objects before I start
>> publicizing it.
>>
>> my 2 bits... you basically answered the question yourself
>> though ("As I'm sure you're all aware, it's not really possible ...")
>>
>> You should be clear whether you want to market ZAP
>> or whether you want to provide technical insights.
>>
>> For the latter, everybody knows that no scanner / tool,
>> even if used by a trained professional, has nearly complete
>> coverage from the black-box perspective. It never will.
>>
>> And to cite others here -- OWASP Top 10 is an
>> awareness document -- it's not complete and
>> by using a scanner / tool you won't get security.
>> This would be insinuated though.
>>
>> Bottom line: I would not recommend publishing it at
>> all or at least not without modifications.
>> The picture is too simple and misleading. If you really
>> want to do it: Put some of the constraints I mentioned
>> in the wiki, and add what ZAP can't do as of now.
>> And then again, have others have a look.
>>
>> Cheers! Dirk
>>
>>
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>


-- 
Owen Pendlebury
OWASP Ireland-Dublin Chapter Lead