[Owasp-leaders] OWASP ZAP 1.4 and beyond

psiinon psiinon at gmail.com
Sat Dec 31 11:31:50 UTC 2011


Hi folks,

I wanted to give you a quick update on where I see the OWASP Zed Attack
Proxy going in 2012.

There are more details on the ZAP dev group here:
https://groups.google.com/d/topic/zaproxy-develop/CnrMf4k7-uc/discussion
but an executive summary is:

The plan is to release ZAP 1.4 towards the end of January / beginning of
Feb.
1.4 will improve existing features, like the scanners, and add significant
new functionality (see above post for details).
It will also make ZAP much easier to extend.

In the last few months various people (including several on this list;)
have approached me about adding '3rd party' extensions to ZAP.
I think this is great, and one of the reasons I want to get 1.4 out asap.
1.4 will allow people and companies to develop extensions to ZAP that have
full access to all of the existing ZAP functionality and can extend it in
any way they want.

Looking beyond 1.4 I'd like to develop an online 'market place' / app store
/ ??? for ZAP extensions, which would be accessible via a browser and from
within ZAP.
Note that I'm still really thinking of free extensions rather than paid
for ones, although if someone thinks they can make money from a ZAP
extension then I'll wish them well :)
So I'm thinking along the Nagios lines, where there is a core product and a
whole load of extensions that allow you to extend ZAP based on your own
requirements.
There are already several 'external' teams working on such extensions, and
we may well move some of the 'core' extensions (like the port scanner) out
of the core and into the market place.

Why this email?

First, to let you know about the new extensibility of ZAP - if you are
interested in developing a ZAP extension then please get in touch.
Secondly to let you know about my plans for the online marketplace / app
store / whatever it's going to be called.
I'm happy to do this on my own (well, probably with significant help from
other ZAP devs!), but it could also be useful to other OWASP projects.
Should this be (or potentially become) a generic OWASP infrastructure?
Are any of you interested in helping with it, or would any companies be
prepared to sponsor it?

All thoughts and feedback appreciated...

Simon