OWASP Top 10 and SANS Top 25


Patty Sandstrom

Oct 17, 2014, 4:26:27 PM10/17/14
to zaprox...@googlegroups.com
We are thinking about changing our dynamic security scanning tool to ZAP, however we have the requirement from our security team that whatever tool we select, it has to cover the OWASP Top 10 AND the SANS Top 25 list of security errors. Does the ZAP tool cover the SANS list? Currently we utilize IBM AppScan but are looking for a less expensive (or free) tool that provides what we need.

Thank you!
Patty Sandstrom

Simon Bennetts

Oct 18, 2014, 6:11:41 AM10/18/14
to zaprox...@googlegroups.com
Hi Patty,

Hopefully you've seen this doc: https://www.owasp.org/index.php/ZAPpingTheTop10
I really should write one for the SANS Top 25 as well!

You have to be very careful about tools claiming to find 'all of the vulnerabilities' in any top X security list.
As it says on the above link:
Note that the OWASP Top Ten Project risks cover a wide range of underlying vulnerabilities, some of which are not really possible to test for in a completely automated way. If a completely automated tool claims to protect you against the full OWASP Top Ten then you can be sure they are being ‘economical with the truth’!
OK, so I'm quoting myself as I wrote that doc, but it still stands ;)
No 'DAST' tool, including both ZAP and AppScan, will be able to find all of the SANS Top 25 or OWASP Top 10 whatever marketing departments claim!

AppScan is a very comprehensive product, but it's also very expensive.
There's a good comparison of scanners available here: http://www.sectoolmarket.com/price-and-feature-comparison-of-web-application-scanners-unified-list.html
ZAP competes very favorably with the commercial scanners, and it's also open source and completely free :)
It might not quite have the breadth of AppScan, but I'd be very surprised if you use all of AppScan's features.
So ZAP could well be an ideal tool for you.
Not surprisingly I'd strongly recommend giving it a go.

Feel free to contact me off list (psi...@gmail.com) - I'm also very happy to talk to your security team - hopefully I'll be able to convince them that ZAP is well worth trying.

Simon