OWASP Benchmark Report for ZAP 2.12.0


Samir Rao

Apr 5, 2023, 8:38:29 AM
to OWASP ZAP User Group
Hi,

Does anyone have the OWASP Benchmark Scorecard for ZAP Proxy 2.12.0?

It's taking ages to finish the scans and I require the scorecard for a security assessment performed using the above ZAP version.

Regards,
Samir

Simon Bennetts

Apr 5, 2023, 8:44:33 AM
to OWASP ZAP User Group
Hi Samir,

We do run ZAP against Benchmark every day, but currently just for Command Injection: https://www.zaproxy.org/docs/scans/benchmark/
I would recommend only enabling the rules you are really interested in, and maybe running ZAP multiple times against Benchmark with specific rules enabled.

Cheers,

Simon

Samir Rao

Apr 5, 2023, 8:58:24 AM
to OWASP ZAP User Group
Hi Simon,

I kept switching browsers thinking I couldn't see other Benchmark results on that page. Thanks for letting me know it's just for cmdi.

Without giving out too much info, I have a requirement of running a DAST scan against a product and benchmarking the same DAST tool to see how reliable it is when it comes to reducing FPs.

I'll try to see if it's acceptable to run the specific benchmark scans that are related to the findings I obtained using ZAP. It may not solve the question of "can the DAST tool find all these CWEs it should find".

Regards,
Samir
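An added example, not from either poster or from the ZAP project, of how a Benchmark-style scorecard is computed from a per-rule run as Simon suggests: a constructed expected-results table in the layout of OWASP Benchmark's expectedresults CSV and a constructed list of findings (test name plus CWE) are scored per category as TPR, FPR and score (TPR minus FPR). Restricting `categories` to the one rule that was enabled keeps a single-rule run from being penalised for categories it never scanned.

```python
import csv
import io
from collections import defaultdict

# Constructed sample in the layout of OWASP Benchmark's expectedresults CSV
# (# test name, category, real vulnerability, cwe); the rows are made up.
EXPECTED_CSV = """# test name, category, real vulnerability, cwe
BenchmarkTest00001,cmdi,true,78
BenchmarkTest00002,cmdi,false,78
BenchmarkTest00003,cmdi,true,78
BenchmarkTest00004,sqli,true,89
BenchmarkTest00005,sqli,false,89
BenchmarkTest00006,sqli,false,89
"""

# Constructed findings a DAST tool reported: (test name, CWE id).
FINDINGS = [
    ("BenchmarkTest00001", 78),  # true positive
    ("BenchmarkTest00002", 78),  # false positive (test is not vulnerable)
    ("BenchmarkTest00004", 89),  # true positive
    ("BenchmarkTest00004", 79),  # wrong CWE: does not count for sqli
]

def load_expected(text):
    """Map test name -> (category, is_real_vulnerability, cwe); skips '#' header."""
    rows = {}
    for line in csv.reader(io.StringIO(text)):
        if not line or line[0].startswith("#"):
            continue
        name, category, real, cwe = (c.strip() for c in line)
        rows[name] = (category, real.lower() == "true", int(cwe))
    return rows

def score(expected, findings, categories=None):
    """Per-category TPR, FPR and score (TPR - FPR) in percent; a finding only
    counts when its CWE matches the CWE the test case is about."""
    hits = set(findings)
    counts = defaultdict(lambda: {"tp": 0, "fn": 0, "fp": 0, "tn": 0})
    for name, (cat, real, cwe) in expected.items():
        if categories and cat not in categories:
            continue  # category not exercised in this (single-rule) run
        found = (name, cwe) in hits
        counts[cat][("tp" if found else "fn") if real else ("fp" if found else "tn")] += 1
    result = {}
    for cat, c in counts.items():
        tpr = 100.0 * c["tp"] / (c["tp"] + c["fn"]) if c["tp"] + c["fn"] else 0.0
        fpr = 100.0 * c["fp"] / (c["fp"] + c["tn"]) if c["fp"] + c["tn"] else 0.0
        result[cat] = {"tpr": tpr, "fpr": fpr, "score": tpr - fpr}
    return result

def benchmark_scorecard(categories=None):
    return score(load_expected(EXPECTED_CSV), FINDINGS, categories)
```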
