Vulnerability scanners and OWASP Top 10

Customers often ask whether our vulnerability scanner fully covers OWASP Top 10. No, it does not. No automated scanning tool does.


The requirement of OWASP Top 10 coverage sometimes even pops up in requirement catalogs for software procurement. The only thing is: OWASP Top 10 cannot be fully covered by any automated scanning tool.

The most important security risk, “Injection”, might seem to prove me wrong. Injections such as database or command injections are technical issues that automated scanning tools can most often detect.

“Broken Authentication” makes things tricky. OWASP defines applications as vulnerable if they use ineffective multi-factor authentication, invalidate session IDs badly, or have a forgot-password process that relies on knowledge-based answers. Those checks are very hard to automate, and I doubt that many fully automated scanners can detect such issues (although it might still be possible).

The next risk - “Sensitive Data Exposure” - is where “business logic” comes in. How should an automated scanner know that the personal details of user 324 should be printed out on a certain page (because the scanner impersonated this user), while data of user 325 must be kept secret at this authorization level?
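The user 324 / user 325 case above, as an added example that is not part of the original post: a profile handler without an ownership check beside a hardened one, and a probe that only finds the exposure because the business rule ("only the owner may read") is encoded in it. All users, records and handler names here are constructed for illustration.

```python
# Constructed sample data: two users' personal details, keyed by user id.
USERS = {
    324: {"name": "Alice Example", "iban": "DE00 0000 0000 0000 0000 00"},
    325: {"name": "Bob Example", "iban": "DE11 1111 1111 1111 1111 11"},
}

def profile_handler_vulnerable(session_user_id, requested_id):
    """Returns the profile for any id: the same 200 for own and foreign data."""
    if requested_id not in USERS:
        return 404, None
    return 200, USERS[requested_id]

def profile_handler_fixed(session_user_id, requested_id):
    """Enforces the ownership rule before anything else."""
    if requested_id != session_user_id:
        return 403, None   # deny before revealing whether the record exists
    if requested_id not in USERS:
        return 404, None
    return 200, USERS[requested_id]

def may_read(session_user_id, requested_id):
    """The business rule a generic scanner does not know: only the owner may read."""
    return session_user_id == requested_id

def blind_scanner_view(handler, session_user_id, candidate_ids):
    """What a scanner sees without the rule: status codes that all look fine."""
    return {rid: handler(session_user_id, rid)[0] for rid in candidate_ids}

def find_exposures(handler, session_user_id, candidate_ids):
    """Impersonate session_user_id, request every candidate id, and report
    records that came back although the rule says they must stay secret."""
    exposed = []
    for rid in candidate_ids:
        status, body = handler(session_user_id, rid)
        if status == 200 and body is not None and not may_read(session_user_id, rid):
            exposed.append(rid)
    return exposed

if __name__ == "__main__":
    # Without the rule, both responses look identical and harmless.
    print(blind_scanner_view(profile_handler_vulnerable, 324, [324, 325]))  # {324: 200, 325: 200}
    # With the rule, the vulnerable handler exposes user 325 to user 324.
    print(find_exposures(profile_handler_vulnerable, 324, [324, 325]))      # [325]
    print(find_exposures(profile_handler_fixed, 324, [324, 325]))           # []
```

The same technique applies to any record type with an ownership or role rule; the probe is only as good as the rule it is given, which is exactly the knowledge a generic scanner lacks.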

How should the scanner know whether login attempts are properly logged (“Broken Access Control”), whether the application architecture is segmented (“Security Misconfiguration”), whether deserialization is done in low-privilege environments (“Insecure Deserialization”), which libraries are used in the background (“Using Components with Known Vulnerabilities”), or whether suspicious activities are properly monitored and alerted on (“Insufficient Logging and Monitoring”)?

OWASP Top 10 is a nice catalog of important security issues in web applications for developers. It is not meant to be a requirement catalog for vulnerability scanners.