[Owasp-leaders] OWASP Benchmark Project Releases Dynamic Scanning (DAST) Support with 1.2beta

Dave Wichers dave.wichers at owasp.org
Sun Aug 16 00:57:12 UTC 2015


I announced the OWASP Benchmark project
(https://www.owasp.org/index.php/Benchmark) a few months ago with the 1.1
release which supported analysis by static analysis tools (SAST) as the
first major release. As I said in my initial email:

"The OWASP Benchmark for Application Security Automation (OWASP Benchmark)
is an open test suite designed to help organizations and practitioners
evaluate the speed, coverage, and accuracy of automated application
security testing tools and services."

I'm now proud to announce the 1.2beta release which is a fully running,
exploitable web application ready for scanning by dynamic analysis tools
(DAST).

Version 1.1 of the Benchmark has over 20,000 test cases, each being an
individual Java Servlet. We decided to make the 1.2beta version MUCH
smaller (slightly under 3,000 tests), because of the length of time it
takes DAST tools to scan the Benchmark, and that they frequently run out
of memory, and sometimes database space, etc. So we are releasing this
smaller version to give testers a first look and so they can more quickly
provide us feedback.

If anyone in the OWASP community has access to a DAST tool beyond ZAP and
Burp Pro (which we have covered), PLEASE run a scan against the Benchmark
with that tool, and send me the results file so we can build a scorecard
generator for it. According to Shay Chen's Web Application Vulnerability
Scanner Evaluation Project (WAVSEP) -
http://sectooladdict.blogspot.com/2014/02/wavsep-web-application-scanner.html,
there are over 50 different free and commercial web application
scanners out there. We'd LOVE to add support for ALL of them to the
Benchmark.

Now that we have support for both SAST and DAST in the Benchmark, we need
to start gathering tool results so we can truly compare how these tools do
against each other not only within their category, but across categories
as well.

I'm going to be presenting this tool at OWASP AppSec USA 2015 on Thursday
from 3-4:
https://appsecusa2015.sched.org/event/f7909ea3ef8755127ea27a73aaae8988?iframe=no&w=i:100;&sidebar=yes&bg=no#.Vc_fXlNViko

Please come join me to learn more about the project and get involved!

Thanks, Dave