[Owasp-leaders] ZAPping the OWASP Top 10
psiinon at gmail.com
Fri Aug 29 08:36:17 UTC 2014
I'd be delighted for any ZAP resources to be reused in any OWASP projects
(and non OWASP ones for that matter;).
If you do reuse any ZAP material then it would be great to know - that way
we can reference its use and also let you know if and when it changes.
This particular doc is likely to change reasonably frequently, which is why
I included a date in the printed version.
Also please let me know if you'd like this or any other ZAP resource in a
more useful format.
I think that in general we (OWASP) are not very good at making our
resources easy to reuse.
For example, I'd love to be able to pull out parts of the Testing Guide to
include with ZAP, but right now that's not very practical. I am talking with
Andrew Muller about making this much easier.
On Fri, Aug 29, 2014 at 9:28 AM, Owen Pendlebury <owen.pendlebury at owasp.org>
> Hi Simon,
> Looks good
> Could this be something that's incorporated into other projects like
> Security Shepherd and WebGoat in a tutorial fashion for training purposes?
> i.e. cross-reference your cheat sheet with the levels!
> On 29 August 2014 09:21, psiinon <psiinon at gmail.com> wrote:
>> It's definitely ZAP specific, but it's not meant to be marketing bumf.
>> It's a cheat sheet which helps people understand which ZAP components they
>> should use for detecting vulnerabilities associated with each of the OWASP
>> Top 10 risks.
>> That's something I get asked quite a lot, so I think there's a need for
>> this sort of doc.
>> It also states which of the components are automated and which are manual
>> - I'm not trying to imply that ZAP can detect all of the vulnerabilities.
>> I'm happy to add a statement to the effect that no black box scanner will
>> find all issues - I always try to stress that ZAP is not a silver bullet.
>> On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
>>> Hi Simon,
>>> On 08/28/2014 01:21 PM, psiinon wrote:
>>> > Leaders,
>>> > I often get asked if ZAP scans for the "OWASP Top 10".
>>> > As I'm sure you're all aware, it's not really possible to automatically
>>> scan for all of the vulnerabilities behind the OWASP Top 10 _risks_.
>>> > But I still think it's a question that should be answered, and so I've
>>> added this page to the OWASP wiki based on input from the ZAP contributors:
>>> > https://www.owasp.org/index.php/ZAPpingTheTop10
>>> > I just wanted to make sure that no one objects before I start
>>> publicizing it.
>>> My 2 bits... you basically answered the question yourself
>>> though ("As I'm sure you're all aware, it's not really possible ...").
>>> You should be clear whether you want to market ZAP
>>> or whether you want to provide technical insights.
>>> For the latter, everybody knows that no scanner / tool,
>>> even if used by a trained professional, has nearly complete
>>> coverage from the blackbox perspective. It never will.
>>> And to cite others here -- OWASP Top 10 is an
>>> awareness document -- it's not complete and
>>> by using a scanner / tool you won't get security.
>>> This would be insinuated though.
>>> Bottom line: I would not recommend publishing it at
>>> all or at least not without modifications.
>>> The picture is too simple and misleading. If you really
>>> want to do it: Put some of the constraints I mentioned
>>> in the wiki, and add what ZAP can't do as of now.
>>> And then again, have others have a look.
>>> Cheers! Dirk
>>> OWASP-Leaders mailing list
>>> OWASP-Leaders at lists.owasp.org
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> Owen Pendlebury
> OWASP Ireland-Dublin Chapter Lead
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader