[Owasp-leaders] ZAPping the OWASP Top 10

psiinon psiinon at gmail.com
Fri Aug 29 08:31:23 UTC 2014


Dave,

I was very careful not to make any statement regarding how effectively ZAP
can detect any of the Top 10 for the reasons you talk about :)
As I mentioned to Dirk, I get a lot of questions from people asking about
how they should use ZAP to 'detect the OWASP Top 10' so this is a cheat
sheet showing which ZAP components are relevant for each of the Top 10.
It's certainly _not_ a complete guide on how to use ZAP, or any sort of
indication that ZAP is better than any other tool/technique!
I wanted to keep this doc short and to the point, and ideally in 2
printable pages.
There's plenty of scope for more documentation in this area.

I think the Testing Guide is a much better place for explaining the
different tools and techniques that can be used to detect the full range of
vulnerabilities.
And I think there could well be a place for another cheat sheet that gives
a summary of the best techniques and _types_ of tools for identifying
vulnerabilities associated with each of the Top 10. But I don't think it
should be in this doc :)

Cheers,

Simon


On Fri, Aug 29, 2014 at 5:46 AM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> Simon,
>
> I like this idea. I’m all for transparency. The more the better.
>
> But one thing that’s needed is clarity on how effective and complete the
> techniques/aids are. For example, if any tool has 1 capability in each of
> the 10 areas, then some (even many) people might presume that the tool can
> detect all issues in all 10 areas, where in reality, the tool can only help
> in all ten areas, and the question is, how much? And that’s hard to
> quantify.
>
> The question is, is it worth trying (i.e., does that make it more clear).
>
> For example, if we said (just making something up), that ZAP could help
> identify a couple of small weaknesses in the area of authentication, but
> overall can’t do very much. So lots of manual design analysis and testing
> is still required. But it can be really helpful finding many XSS flaws, so
> less additional manual effort is required. Does that make it more clear? I
> think it does on one hand, but because it's so hard to quantify and
> describe, it muddies the water on the other hand.
>
> -Dave
>
> p.s. I know I’ve done general analysis of which areas of the Top 10 lend
> themselves (or not) to automated analysis. I’d just have to find it again.
> It might be reflected in what went into ASVS version 1.
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *psiinon
> *Sent:* Thursday, August 28, 2014 7:22 AM
> *To:* owasp-leaders at lists.owasp.org
> *Subject:* [Owasp-leaders] ZAPping the OWASP Top 10
>
> Leaders,
>
> I often get asked if ZAP scans for the "OWASP Top 10".
>
> As I'm sure you're all aware, it's not really possible to automatically
> scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>
> But I still think its a question that should be answered, and so I've
> added this page to the OWASP wiki based on input from the ZAP contributors:
>
> https://www.owasp.org/index.php/ZAPpingTheTop10
>
> I just wanted to make sure that no one objects before I start publicizing
> it.
>
> Note that the pdf points to the page on the ZAP wiki - I'll change that
> before publicizing it outside of this list.
>
> Of course if anyone has any suggestions as to features we could add to
> make detecting any vulnerabilities any easier then don't hesitate to get in
> touch ;)
>
> Cheers,
>
> Simon
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader