Does the hex package sobelow implement OWASP?

Does anyone know if the library sobelow (https://github.com/nccgroup/sobelow) implements OWASP (Open Web Application Security Project) (https://www.owasp.org)?

1 Like

Hi Daveed! Sobelow checks for a number of top 10 OWASP vulnerabilities. However, it does not check for things like access control or authentication vulnerabilities, which will vary greatly from app to app.

1 Like

Hi Griffin! Thanks, that helps a lot - I checked the OWASP Top 10 2017 and mapped it this way:


TOP 10 from OWASP (https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf)

A1 Injection flaws, such as SQL, NoSQL, OS, and LDAP injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Components with Known Vulnerabilities
A10 Insufficient Logging & Monitoring


From your package sobelow (https://github.com/nccgroup/sobelow/blob/master/README.md)

[A6] Insecure configuration
[A9] Known-vulnerable Dependencies
[A7] Cross-Site Scripting
[A1] SQL injection
[A1] Command injection
[A4] Denial of Service
[A5] Directory traversal
[A8] Unsafe serialization

3 Likes
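The distinction Griffin draws above (injection is checkable, access control is not) is easiest to see side by side. The following Phoenix controller is an added example, not code from the thread or from the sobelow project; `MyApp.Repo`, `MyApp.User`, the `users` table and the `current_user` assign are assumed to exist in a hypothetical app.

```elixir
# Added example (not from the forum thread or from sobelow itself).
# Assumptions: a Phoenix app with MyApp.Repo, a MyApp.User schema backed by a
# `users` table, and an authentication plug that sets conn.assigns.current_user.
defmodule MyAppWeb.UserController do
  use MyAppWeb, :controller

  alias MyApp.{Repo, User}

  # A1 Injection: user input interpolated straight into a raw SQL string.
  # Sobelow's SQL injection check flags interpolation into
  # Ecto.Adapters.SQL.query/3 because the flaw is visible on this one line,
  # independent of anything else in the app.
  def search_vulnerable(conn, %{"name" => name}) do
    {:ok, result} =
      Ecto.Adapters.SQL.query(
        Repo,
        "SELECT id, email FROM users WHERE name = '#{name}'"
      )

    json(conn, %{rows: result.rows})
  end

  # Hardened form: the value travels as a bound parameter ($1), never as SQL text.
  # Sobelow does not flag this, and the query cannot be altered by `name`.
  def search(conn, %{"name" => name}) do
    {:ok, result} =
      Ecto.Adapters.SQL.query(
        Repo,
        "SELECT id, email FROM users WHERE name = $1",
        [name]
      )

    json(conn, %{rows: result.rows})
  end

  # A5 Broken Access Control: any authenticated caller can delete any user.
  # The code is syntactically identical to a correct action in an admin-only
  # router scope, so a pattern-based scanner has nothing to match on; only
  # the app's own policy says who may delete whom.
  def delete_vulnerable(conn, %{"id" => id}) do
    user = Repo.get!(User, id)
    Repo.delete!(user)
    send_resp(conn, 204, "")
  end

  # Hardened form: an explicit authorization rule (owner or admin, an
  # assumed policy) enforced in the action. This is the kind of check a
  # human reviewer or a policy library has to verify, not a static scanner.
  def delete(conn, %{"id" => id}) do
    user = Repo.get!(User, id)
    current_user = conn.assigns.current_user

    if current_user.id == user.id or current_user.role == :admin do
      Repo.delete!(user)
      send_resp(conn, 204, "")
    else
      conn
      |> put_status(:forbidden)
      |> json(%{error: "forbidden"})
    end
  end
end
```

Running `mix sobelow` against an app containing this module reports the interpolated query in `search_vulnerable/2` and says nothing about `delete_vulnerable/2`, which is exactly the gap described in the reply above: the A1 finding is a local syntactic pattern, while the A5 flaw only exists relative to a policy the scanner cannot know.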