Does anyone know if the library sobelow
(https://github.com/nccgroup/sobelow) implements OWASP (Open Web Application Security Project) (https://www.owasp.org)?
Hi Daveed! Sobelow checks for a number of top 10 OWASP vulnerabilities. However, it does not check for things like access control or authentication vulnerabilities, which will vary greatly from app to app.
Hi Griffin! Thanks that helps a lot - I checked OWASP top 10 2017 and mapped this way:
TOP 10 from OWASP (https://www.owasp.org/images/b/b0/OWASP_Top_10_2017_RC2_Final.pdf)
A1 Injection flaws, such as SQL, NoSQL, OS, and LDAP injection
A2 Broken Authentication
A3 Sensitive Data Exposure
A4 External Entities (XXE)
A5 Broken Access Control
A6 Security Misconfiguration
A7 Cross-Site Scripting (XSS)
A8 Insecure Deserialization
A9 Components with Known Vulnerabilities
A10 Insufficient Logging & Monitoring
From your package sobelow (https://github.com/nccgroup/sobelow/blob/master/README.md)
[A6] Insecure configuration
[A9] Known-vulnerable Dependencies
[A7] Cross-Site Scripting
[A1] SQL injection
[A1] Command injection
[A4] Denial of Service
[A5] Directory traversal
[A8] Unsafe serialization
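The block below is an added example, not code from this thread or from the Sobelow project. For four of the README categories in the mapping above (command injection, directory traversal, denial of service, unsafe serialization) it puts the vulnerable Elixir call next to a hardened form, using only the Elixir/Erlang standard library so it runs with plain `elixir` (1.14 or newer for `Path.safe_relative/1`). Which exact call shapes Sobelow's checks flag is an assumption on my part, not something quoted from its README; the module name `OwaspMapExample`, the `/tmp` base directory and the inputs at the bottom are constructed for illustration. SQL injection and XSS are left out because they need Ecto and Phoenix to demonstrate.

```elixir
# Added illustration, not code from this thread or from the Sobelow project.
# Pairs a vulnerable form with a hardened form for four of the README
# categories in the mapping above. Standard library only; runs with
# `elixir owasp_map_example.exs` (Elixir >= 1.14 for Path.safe_relative/1).
# Which exact call shapes Sobelow flags is my assumption, not its README.
defmodule OwaspMapExample do
  # [A1] Command injection: the shell parses the interpolated string, so input
  # like "hi; id" runs a second command. :os.cmd/1 always goes through a shell.
  def unsafe_echo(input) do
    :os.cmd(String.to_charlist("echo #{input}")) |> List.to_string()
  end

  # Hardened: System.cmd/3 execs the binary with an argv list. No shell sees
  # the argument, so "; id" is printed literally instead of executed.
  def safe_echo(input) do
    {out, 0} = System.cmd("echo", [input])
    out
  end

  # [A5] Directory traversal: Path.join/2 does nothing about "../", so a
  # request for "../../etc/passwd" escapes the intended directory.
  def unsafe_read(base, name), do: File.read(Path.join(base, name))

  # Hardened: Path.safe_relative/1 rejects absolute paths and any ".." that
  # would climb above the starting point; the prefix check guards the
  # expanded result as well.
  def safe_read(base, name) do
    with {:ok, rel} <- Path.safe_relative(name),
         full = Path.expand(rel, base),
         true <- String.starts_with?(full, Path.expand(base) <> "/") do
      File.read(full)
    else
      _ -> {:error, :invalid_path}
    end
  end

  # Denial of service ([A4] in the mapping above): atoms are never garbage
  # collected, so String.to_atom/1 on user input lets a client fill the atom
  # table (default limit 1_048_576 entries) and bring the VM down.
  def unsafe_status(param), do: String.to_atom(param)

  # Hardened: String.to_existing_atom/1 never allocates; unknown input raises
  # ArgumentError, which becomes an error tuple. Listing the allowed values
  # in a module attribute guarantees those atoms exist at runtime.
  @statuses [:active, :inactive]
  def safe_status(param) do
    atom = String.to_existing_atom(param)
    if atom in @statuses, do: {:ok, atom}, else: {:error, :unknown_status}
  rescue
    ArgumentError -> {:error, :unknown_status}
  end

  # [A8] Unsafe serialization: :erlang.binary_to_term/1 on untrusted bytes
  # builds whatever the sender encoded, including fresh atoms (the exhaustion
  # problem again) and funs.
  def unsafe_decode(bin), do: :erlang.binary_to_term(bin)

  # Hardened: the :safe option refuses new atoms, funs and external pids/ports
  # while still decoding ordinary data produced by :erlang.term_to_binary/1.
  def safe_decode(bin) do
    {:ok, :erlang.binary_to_term(bin, [:safe])}
  rescue
    ArgumentError -> {:error, :unsafe_term}
  end
end

# Constructed inputs showing the difference for each pair.
IO.puts("unsafe_echo: " <> inspect(OwaspMapExample.unsafe_echo("hi; id")))
IO.puts("safe_echo:   " <> inspect(OwaspMapExample.safe_echo("hi; id")))
IO.inspect(OwaspMapExample.safe_read("/tmp", "../etc/passwd"), label: "safe_read")
IO.inspect(OwaspMapExample.safe_status("active"), label: "safe_status")
IO.inspect(OwaspMapExample.safe_status("drop_table"), label: "safe_status")

# A hand-built ATOM_UTF8_EXT term (<<131, 118, len::16, chars>>) naming an atom
# this VM has never seen. The :safe decode rejects it; the unsafe one would
# silently create the atom.
evil = <<131, 118, 0, 11, "never_seen_"::binary>>
IO.inspect(OwaspMapExample.safe_decode(evil), label: "safe_decode (evil)")
IO.inspect(OwaspMapExample.safe_decode(:erlang.term_to_binary(%{a: 1})),
  label: "safe_decode (ok)")
```

The pattern in each pair is the same: keep user input as data (an argv element, a relative path checked against a base, an existing atom, a term decoded without side effects) rather than letting it reach an interpreter or allocator. A static checker can only point at the call site; the app-specific parts Griffin mentions, such as who is allowed to read which file, still have to be enforced in the code around it.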