I have gone to great lengths to strictly separate my OWASP activities from my Jemurai activities in an effort to honor the open and non-commercial aspects of OWASP to which I have committed so much volunteer time and energy.
Today I want to cross the streams for a very specific reason, not to promote Jemurai but to stop and think about how some of OWASP’s tools are used in the industry and hopefully prevent damage from misuse.
I want to address perspectives reflected in the following statements, which I’ve heard from a few folks:
I want a tool that is OWASP Compliant
I need a tool to test for the OWASP Top 10
I want an OWASP Report
Our tool tests for the OWASP Top 10
First of all, let’s ground ourselves. OWASP provides terrific open resources for application security ranging from the Top 10 to ZAP to ASVS to OpenSAMM to Juice Shop to Cheat Sheets and many more. The resources are invaluable to all sorts of folks and when used as intended are extremely valuable and awesome.
Let me be very clear: there is no tool that can find the OWASP Top 10. The following are items among the Top 10 that can rarely if ever be identified by tools.
#3: Sensitive Data Exposure
Tools can only find some predefined categories of sensitive data exposure. In my experience, a small subset. One reason is that sensitive data is contextual to a company and system. Another is that exposure can mean anything from internal employees seeing data to not encrypting data.
#5: Broken Access Control
Tools can’t generally find this at all. This is because authorization is custom to a business domain. A tool can’t know which users are supposed to have access to which things to be able to check.
#6: Security Misconfiguration
Tools can find certain known misconfigurations that are always wrong (eg. old SSL), but things like which subnets should talk to other subnets aren’t going to be identified by Burp or ZAP. We find custom tools that can find them but they are just that custom.
#10: Insufficient Logging & Monitoring
What does this even mean? Our team has been delivering custom “security signal” for a while, but this isn’t binary that you have it or you don’t. No company I have ever seen has comprehensive evidence. There’s no tool you can plug in and immediately “get it”.
Even among the things that can be identified, there is no one tool that can find all of them.
Stepping back, its actually a good thing that the Top 10 isn’t easily identified by a tool. That reflects the thought and human expert opinions that went into it. It wasn’t just a bunch of canned stuff that got put together.
The Top 10 are a great resource to help frame a conversation among developers, to be the basis for training content, to be thought provoking for people actively thinking about the issues at hand. More than 10 items is too much. These approximate the best ideas we currently have. Of course there is always room for improvement but the Top 10 are a great resource when used well.
Please just understand them as a guide and not a strict compliance standard or something a tool can identify.