[Owasp-leaders] ZAPping the OWASP Top 10

Eoin Keary eoin.keary at owasp.org
Fri Aug 29 08:36:10 UTC 2014


It's very useful. Particularly for people new to ZAP: what can I use to help me find items on the Top 10?
Great stuff, Simon.

Eoin Keary
Owasp Global Board
+353 87 977 2988


On 29 Aug 2014, at 09:21, psiinon <psiinon at gmail.com> wrote:

> Dirk,
> 
> It's definitely ZAP specific, but it's not meant to be marketing bumf.
> It's a cheat sheet which helps people understand which ZAP components they should use for detecting vulnerabilities associated with each of the OWASP Top 10 risks.
> That's something I get asked quite a lot, so I think there's a need for this sort of doc.
> It also states which of the components are automated and which are manual - I'm not trying to imply that ZAP can detect all of the vulnerabilities automatically.
> 
> I'm happy to add a statement to the effect that no black box scanner will find all issues - I always try to stress that ZAP is not a silver bullet.
> 
> Cheers,
> 
> Simon
> 
> 
> On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
>> Hi Simon,
>> 
>> On 08/28/2014 01:21 PM, psiinon wrote:
>> > Leaders,
>> >
>> > I often get asked if ZAP scans for the "OWASP Top 10".
>> > As I'm sure you're all aware, it's not really possible to automatically scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>> >
>> > But I still think it's a question that should be answered, and so I've added this page to the OWASP wiki based on input from the ZAP contributors:
>> >
>> > https://www.owasp.org/index.php/ZAPpingTheTop10
>> >
>> > I just wanted to make sure that no one objects before I start publicizing it.
>> 
>> my 2 bits... you basically answered the question yourself
>> though ("As I'm sure you're all aware, it's not really possible ...")
>> 
>> You should be clear whether you want to market ZAP
>> or whether you want to provide technical insights.
>> 
>> For the latter, everybody knows that no scanner / tool,
>> even when used by a trained professional, has nearly complete
>> coverage from the blackbox perspective. It never will.
>> 
>> And to cite others here -- OWASP Top 10 is an
>> awareness document -- it's not complete and
>> by using a scanner / tool you won't get security.
>> This would be insinuated though.
>> 
>> Bottom line: I would not recommend publishing it at
>> all or at least not without modifications.
>> The picture is too simple and misleading. If you really
>> want to do it: Put some of the constraints I mentioned
>> in the wiki, and add what ZAP can't do as of now.
>> And then again have others have a look.
>> 
>> Cheers! Dirk
>> 
>> 
>> 
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
> 
> 
> 
> -- 
> OWASP ZAP Project leader