[Owasp-leaders] ZAPping the OWASP Top 10

psiinon psiinon at gmail.com
Mon Sep 1 10:58:24 UTC 2014


Stubbornness is 'de rigueur' for security professionals ;)

I certainly don't want to mislead people, and I realized this could be a
slightly controversial page, which is why I drew attention to it on the
leaders list.

I'm very happy to add extra caveats at the top so that it is not
misleading. At least on the web version - I want the printed version to
stay within 2 sides, but we can always just include a "See the web version
at... for caveats" type message.

Can you (or anyone else) suggest some suitable text to include?

Cheers,

Simon



On Fri, Aug 29, 2014 at 6:17 PM, Dirk Wetter <dirk at owasp.org> wrote:

> Hi Simon,
>
> looks better.
>
> Excuse my stubbornness ;-) but from my perspective it's still kind of
> misleading as the view (well, to be honest: my view) on testing is
> different.
>
> The OWASP Top 10 is still an awareness document. As opposed to the
> testing guide, the OWASP Top 10 is not for testing, neither with ZAP nor
> Nessus (cough) nor anything else. The OWASP Top 10 is also not complete
> as far as the underlying vulnerabilities are concerned. Just think about
> logic flaws, timing attacks, local/remote file inclusion, etc.
>
> It's also simplifying the view within the Top 10: in the world of awareness
> I understand that DOM XSS, reflected and persistent XSS as risks go into
> one category (well, besides stored XSS, but that's off topic).
> From a tester's perspective I would definitely distinguish between those
> three.
>
> I would put that more into perspective, if now change the approach.
>
>
> Cheers,
>
> Dirk
>
>
>
> On 08/29/2014 10:21 AM, psiinon wrote:
> > Dirk,
> >
> > It's definitely ZAP specific, but it's not meant to be marketing bumf.
> > It's a cheat sheet which helps people understand which ZAP components
> they should use for detecting vulnerabilities associated with each of the
> OWASP Top 10 risks.
> > That's something I get asked quite a lot, so I think there's a need for
> this sort of doc.
> > It also states which of the components are automated and which are
> manual - I'm not trying to imply that ZAP can detect all of the
> vulnerabilities automatically.
> >
> > I'm happy to add a statement to the effect that no black box scanner
> will find all issues - I always try to stress that ZAP is not a silver
> bullet.
> >
> > Cheers,
> >
> > Simon
> >
> >
> > On Thu, Aug 28, 2014 at 8:16 PM, Dirk Wetter <dirk at owasp.org> wrote:
> >
> >     Hi Simon,
> >
> >     On 08/28/2014 01:21 PM, psiinon wrote:
> >     > Leaders,
> >     >
> >     > I often get asked if ZAP scans for the "OWASP Top 10".
> >     > As I'm sure you're all aware, it's not really possible to
> automatically scan for all of the vulnerabilities behind the OWASP Top 10
> _risks_.
> >     >
> >     > But I still think it's a question that should be answered, and so
> I've added this page to the OWASP wiki based on input from the ZAP
> contributors:
> >     >
> >     > https://www.owasp.org/index.php/ZAPpingTheTop10
> >     >
> >     > I just wanted to make sure that no one objects before I start
> publicizing it.
> >
> >     my 2 bits... you basically answered the question yourself
> >     though ("As I'm sure you're all aware, it's not really possible ...")
> >
> >     You should be clear whether you want to market ZAP
> >     or whether you want to provide technical insights.
> >
> >     For the latter everybody knows that no scanner / tool,
> >     even if used by a trained professional, has nearly complete
> >     coverage from the blackbox perspective. It never will.
> >
> >     And to cite others here -- OWASP Top 10 is an
> >     awareness document -- it's not complete and
> >     by using a scanner / tool you won't get security.
> >     This would be insinuated though.
> >
> >     Bottom line: I would not recommend publishing it at
> >     all or at least not without modifications.
> >     The picture is too simple and misleading. If you really
> >     want to do it: Put some of the constraints I mentioned
> >     in the wiki, and add what ZAP can't do as of now.
> >     And then again have others have a look.
> >
> >     Cheers! Dirk
> >
> >
> >
> >     _______________________________________________
> >     OWASP-Leaders mailing list
> >     OWASP-Leaders at lists.owasp.org
> >     https://lists.owasp.org/mailman/listinfo/owasp-leaders
> >
> >
> >
> >
> > --
> > OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
> >
> >
>
>
> --
> German OWASP Board, (Chair AppSec Research 2013)
> Send me encrypted mails (Key ID 0xB818C039)
>



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader