[Owasp-leaders] ZAPping the OWASP Top 10
owen.pendlebury at owasp.org
Fri Aug 29 08:28:12 UTC 2014
Could this be something that's incorporated into other projects like
Security Shepherd and WebGoat in a tutorial fashion for training purposes?
i.e. cross-reference your cheat sheet with the levels!
On 29 August 2014 09:21, psiinon <psiinon at gmail.com> wrote:
> It's definitely ZAP specific, but it's not meant to be marketing bumf.
> It's a cheat sheet which helps people understand which ZAP components they
> should use for detecting vulnerabilities associated with each of the OWASP
> Top 10 risks.
> That's something I get asked quite a lot, so I think there's a need for this
> sort of doc.
> It also states which of the components are automated and which are manual
> - I'm not trying to imply that ZAP can detect all of the vulnerabilities.
> I'm happy to add a statement to the effect that no black box scanner will
> find all issues - I always try to stress that ZAP is not a silver bullet.
> On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
>> Hi Simon,
>> On 08/28/2014 01:21 PM, psiinon wrote:
>> > Leaders,
>> > I often get asked if ZAP scans for the "OWASP Top 10".
>> > As I'm sure you're all aware, it's not really possible to automatically
>> scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>> > But I still think it's a question that should be answered, and so I've
>> added this page to the OWASP wiki based on input from the ZAP contributors:
>> > https://www.owasp.org/index.php/ZAPpingTheTop10
>> > I just wanted to make sure that no one objects before I start
>> publicizing it.
>> my 2 bits... you basically answered the question yourself
>> though ("As I'm sure you're all aware, it's not really possible ...")
>> You should be clear whether you want to market ZAP
>> or whether you want to provide technical insights.
>> For the latter, everybody knows that no scanner / tool,
>> even if used by a trained professional, has nearly complete
>> coverage from the black-box perspective. It never will.
>> And to cite others here -- OWASP Top 10 is an
>> awareness document -- it's not complete and
>> by using a scanner / tool you won't get security.
>> This would be insinuated though.
>> Bottom line: I would not recommend publishing it at
>> all or at least not without modifications.
>> The picture is too simple and misleading. If you really
>> want to do it: Put some of the constraints I mentioned
>> in the wiki, and add what ZAP can't do as of now.
>> And then again have others have a look.
>> Cheers! Dirk
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
OWASP Ireland-Dublin Chapter Lead