How are Zap alerts classified?


mleb...@poka.io
Feb 17, 2016, 2:42:16 PM
to OWASP ZAP User Group
Hello,

We are implementing a vulnerability management framework and we would like our vulnerabilities to be classified by severity the same way across different tools.

As we are using ZAP, we were wondering how the alerts are classified in the software (Info, Low, Medium, High).

Is it based on the CVSS system? Does it map a CWE directly to a vulnerability? How does the classification process work?

Thank you!

kingthorin+owaspzap
Feb 17, 2016, 3:40:48 PM
to OWASP ZAP User Group
The associated Risk is determined by the author of the particular scanner/rule. Alerts do generally carry CWE and WASC reference info (if you find any missing or wrong, please let us know). I can't speak for all scanners/rules, but the Risk rating is also generally not assigned blindly: most of the existing scanners/rules have been developed by Security Analysts/Penetration Testers, and the majority of them are reviewed by at least one other team member before being accepted.

The following might help you: https://github.com/zaproxy/zap-core-help/wiki/HelpStartConceptsAlerts

If there's something you disagree with we can discuss it here. You could also leverage the Alert Filter addon to reclassify things: https://github.com/zaproxy/zap-extensions/wiki/HelpAddonsAlertFiltersAlertFilter

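Following on from the reply above, here is an added example (not from the thread and not ZAP's own code) of what the original poster asked about: post-processing a ZAP JSON report so that ZAP's four risk levels land on one team-wide severity scale, applying local re-classifications in the spirit of the Alert Filter add-on, and listing rules whose alerts carry no CWE reference (the "missing or wrong" cases worth reporting upstream). The report field names follow ZAP's traditional JSON export as I know it; the SEVERITY scale, the OVERRIDES table and the sample report itself are constructed for the example.

```python
"""Map ZAP alert risk onto a common severity scale and audit CWE coverage.

Added example, not part of the mailing-list thread or of ZAP itself.
Assumptions: report field names follow ZAP's JSON export (pluginid,
riskcode, confidence, cweid, wascid, count, instances); SEVERITY is an
illustrative team-defined scale; OVERRIDES stands in for the Alert Filter
add-on's per-rule re-classification; SAMPLE_REPORT is constructed.
"""
import json

# ZAP risk codes: 0 = Informational, 1 = Low, 2 = Medium, 3 = High.
ZAP_RISK = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
# ZAP confidence codes: 0 = False Positive, 1 = Low, 2 = Medium, 3 = High, 4 = Confirmed.
ZAP_CONFIDENCE = {0: "False Positive", 1: "Low", 2: "Medium", 3: "High", 4: "Confirmed"}

# Team-wide severity scale keyed by ZAP risk code (assumption; define your own).
SEVERITY = {0: "S4-info", 1: "S3-low", 2: "S2-medium", 3: "S1-high"}

# Local re-classification by ZAP plugin id, mirroring the Alert Filter add-on:
# -1 suppresses the alert as a false positive, 0..3 replaces the risk code.
# The decisions below are made up for the example.
OVERRIDES = {
    "10021": 0,   # downgrade the header check to Informational for this program
    "90033": -1,  # treat as a false positive (suppress)
}


def normalise_report(report, overrides=OVERRIDES):
    """Return one normalised record per surviving alert in a ZAP JSON report."""
    records = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            plugin_id = str(alert["pluginid"])
            risk = overrides.get(plugin_id, int(alert["riskcode"]))
            if risk == -1:
                continue  # suppressed locally
            confidence = int(alert.get("confidence", 0))
            if confidence == 0:
                continue  # already marked False Positive inside ZAP
            cwe = int(alert.get("cweid", -1))
            wasc = int(alert.get("wascid", -1))
            records.append({
                "tool": "zap",
                "plugin_id": plugin_id,
                "name": alert.get("name") or alert.get("alert"),
                "site": site.get("@name"),
                "zap_risk": ZAP_RISK[risk],
                "severity": SEVERITY[risk],
                "confidence": ZAP_CONFIDENCE[confidence],
                "cwe": cwe if cwe > 0 else None,    # ZAP emits -1 when no CWE is set
                "wasc": wasc if wasc > 0 else None,
                "instances": int(alert.get("count", len(alert.get("instances", [])))),
            })
    return records


def missing_references(records):
    """Plugin ids whose alerts carry no CWE; candidates to report upstream."""
    return sorted({r["plugin_id"] for r in records if r["cwe"] is None})


# Constructed sample in the shape of a (trimmed) ZAP JSON report.
SAMPLE_REPORT = json.loads("""
{ "@version": "2.x", "site": [ { "@name": "https://app.example.test", "alerts": [
  { "pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "name": "Cross Site Scripting (Reflected)",
    "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)", "cweid": "79", "wascid": "8", "count": "2",
    "instances": [ { "uri": "https://app.example.test/search?q=x", "method": "GET", "param": "q" },
                   { "uri": "https://app.example.test/item?id=1", "method": "GET", "param": "id" } ] },
  { "pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "name": "X-Content-Type-Options Header Missing",
    "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)", "cweid": "693", "wascid": "15", "count": "5", "instances": [] },
  { "pluginid": "90033", "alert": "Loosely Scoped Cookie", "name": "Loosely Scoped Cookie",
    "riskcode": "0", "confidence": "1", "riskdesc": "Informational (Low)", "cweid": "565", "wascid": "15", "count": "1", "instances": [] },
  { "pluginid": "99999", "alert": "Custom Rule Without CWE", "name": "Custom Rule Without CWE",
    "riskcode": "2", "confidence": "3", "riskdesc": "Medium (High)", "cweid": "-1", "wascid": "-1", "count": "1", "instances": [] }
] } ] }
""")

if __name__ == "__main__":
    recs = normalise_report(SAMPLE_REPORT)
    for rec in recs:
        print(f"{rec['severity']:10} {rec['zap_risk']:13} {rec['name']} (CWE {rec['cwe']})")
    print("rules lacking a CWE:", missing_references(recs))
```

Point this at a real export (`zap.sh -cmd -quickurl ... -quickout report.json`, or the `/OTHER/core/other/jsonreport/` API endpoint) and the overrides table becomes the place to record program-specific decisions, while the CWE audit gives you the list to raise on this group.
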
mleb...@poka.io
Feb 18, 2016, 9:24:12 AM
to OWASP ZAP User Group
Thank you very much for your precisions!