Can I use ZAP to scan for OWASP ASVS Level 1 checks only?


Morgan

Mar 29, 2016, 6:50:52 AM
to OWASP ZAP User Group
Hello,

I am wondering if and how it's possible to configure ZAP in such a way that it only reports on things that are in the OWASP ASVS checklist with Level 1, so it doesn't report on things that meet Level 2 criteria.

Since both products are from the same organization, it'd seem likely that there is some way to map OWASP ZAP to the ASVS levels.

Thanks in advance!
Morgan

Simon Bennetts

Mar 29, 2016, 7:18:08 AM
to OWASP ZAP User Group
Hi Morgan,

Yes, I can see why you'd think there would be a mapping between ZAP and ASVS levels.
But right now there isn't :(
OWASP is an umbrella organization, and the projects in it are typically developed and maintained by different teams and individuals.
Yes, it would be useful if we could provide a mapping, but I'm afraid we haven't done one to date.
I'm also not completely sure how useful such a mapping would be.
To quote from ASVS:

"Automated penetration testing tools are encouraged to provide as much coverage as possible and to exercise as many parameters as possible with as many different forms of malicious input as possible.

It is not possible to fully complete ASVS verification using automated penetration testing tools alone. Whilst a large majority of requirements in L1 can be performed using automated tests, the overall majority of requirements are not amenable to automated penetration testing"

We aim to make ZAP as effective as possible, whether used manually or automated. If you just use it in an automated way then you will not be testing your applications as effectively as you could. And there's not much we, or any other automated tool, can do about that. No one tool is a security silver bullet, including ZAP!
Having said that, I'd be very happy for someone to work on a mapping between ZAP and ASVS, I just can't see me doing it in the near future ;)

Cheers,

Simon

Morgan

Mar 29, 2016, 9:40:44 AM
to OWASP ZAP User Group
Hi Simon,

Thanks for your reply. I am aware that only using ZAP will in no way be sufficient to validate a web application against level 1 of the ASVS. My primary concern is in removing 'noise' from the ZAP reports, which in this case would be alerts about things that would be required for level 2 security.

It's good to know that such a mapping currently doesn't exist. Perhaps I'll make one myself and be able to share it with the community. I assume for this I'd have to create a new policy in ZAP, suppressing security checks that are not required within the specified level. Please let me know if there is a better way.

Kind regards,
Morgan

On Tuesday, 29 March 2016 at 13:18:08 UTC+2, Simon Bennetts wrote:

Simon Bennetts

Mar 30, 2016, 5:24:02 AM
to OWASP ZAP User Group
Yeah, you'd need to create a new policy which disabled any of the checks you're not interested in.
It would be great if you could share that - I'd love to build up a set of ZAP policies that people could reuse.
We've even talked about allowing users to specify URLs for policies, which could tie in nicely with this.

Cheers,

Simon
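The policy approach Simon describes, as an added example that is not part of the thread and not ZAP's own code: a small script that writes a ZAP active-scan policy file in which every scan rule above a chosen ASVS level is disabled, and that filters an alert list with the same rule set. Everything in it is an assumption to verify against your own install: the ASVS level assigned to each rule is a hypothetical mapping (the thread is clear that no official one exists), the rule IDs and names are ZAP active-scan rule IDs as I recall them, the XML layout mirrors the `.policy` files ZAP keeps in its policies directory (`configuration` / `policy` / `scanner` / `plugins` / `pNNNNN`), and the alert dictionaries use the `pluginId` key shape the ZAP API returns.

```python
"""Build a ZAP active-scan policy that enables only the scan rules mapped to a
chosen ASVS level, and filter a list of alerts with the same mapping.

Added example, not code from ZAP or from the thread. Assumptions:
  * RULE_LEVELS is a hypothetical mapping; no official ZAP-to-ASVS mapping exists.
  * The XML layout mirrors the .policy files in ZAP's policies directory as I
    recall it; export a policy from your own ZAP and compare before relying on it.
  * Alerts are dicts with a 'pluginId' key, the shape the ZAP API returns.
"""
import xml.etree.ElementTree as ET

# Hypothetical ASVS level assignment for a few active-scan rule IDs.
# The IDs and names are ZAP scan rule IDs as I recall them; the level
# assignments are illustrative only.
RULE_LEVELS = {
    40012: ("Cross Site Scripting (Reflected)", 1),
    40018: ("SQL Injection", 1),
    90019: ("Server Side Code Injection", 1),
    40003: ("CRLF Injection", 2),
    30001: ("Buffer Overflow", 2),
    20019: ("External Redirect", 2),
}


def rules_for_level(rule_levels, max_level):
    """Return the set of rule IDs whose assigned ASVS level is <= max_level."""
    return {rid for rid, (_, lvl) in rule_levels.items() if lvl <= max_level}


def build_policy(name, rule_levels, max_level, threshold="MEDIUM", strength="MEDIUM"):
    """Serialise a scan policy in which rules above max_level are disabled."""
    root = ET.Element("configuration")
    ET.SubElement(root, "policy").text = name
    scanner = ET.SubElement(root, "scanner")
    ET.SubElement(scanner, "level").text = threshold      # default alert threshold
    ET.SubElement(scanner, "strength").text = strength    # default attack strength
    plugins = ET.SubElement(root, "plugins")
    wanted = rules_for_level(rule_levels, max_level)
    for rid, (rule_name, _) in sorted(rule_levels.items()):
        plugin = ET.SubElement(plugins, f"p{rid}")        # one pNNNNN element per rule
        ET.SubElement(plugin, "name").text = rule_name
        ET.SubElement(plugin, "enabled").text = "true" if rid in wanted else "false"
        ET.SubElement(plugin, "level").text = threshold
    return ET.tostring(root, encoding="unicode")


def enabled_rules(policy_xml):
    """Parse a policy document back and return the IDs of the rules it enables."""
    root = ET.fromstring(policy_xml)
    return {
        int(plugin.tag[1:])
        for plugin in root.find("plugins")
        if plugin.findtext("enabled") == "true"
    }


def filter_alerts(alerts, rule_levels, max_level):
    """Drop alerts raised by rules above max_level.

    A scan policy only governs active-scan rules; passive-scan alerts and
    reports produced before the policy existed still need filtering like this.
    """
    keep = rules_for_level(rule_levels, max_level)
    return [alert for alert in alerts if int(alert["pluginId"]) in keep]


# Constructed sample alerts, not real scan output.
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "url": "http://example.test/q?x=1"},
    {"pluginId": "40003", "alert": "CRLF Injection", "url": "http://example.test/hdr"},
    {"pluginId": "40018", "alert": "SQL Injection", "url": "http://example.test/item?id=1"},
]


if __name__ == "__main__":
    policy = build_policy("ASVS-L1", RULE_LEVELS, 1)
    # Copy the resulting file into ZAP's policies directory (~/.ZAP/policies on
    # Linux) and pick it in the Scan Policy Manager.
    with open("ASVS-L1.policy", "w", encoding="utf-8") as fh:
        fh.write(policy)
    print("enabled rules:", sorted(enabled_rules(policy)))
    print("kept alerts:", [a["alert"] for a in filter_alerts(SAMPLE_ALERTS, RULE_LEVELS, 1)])
```

Two things worth keeping in mind when doing this for real: a policy only silences active-scan rules, so passive-scan rules (which are toggled in ZAP's Options, not in a policy) still need to be disabled there or filtered out of the report, as `filter_alerts` does; and the level each rule belongs to is a judgement call you will have to document when you share the mapping, since ASVS requirements and ZAP rules do not line up one to one.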