[Owasp-leaders] How to increase ZAP takeup?

Mario Robles mario.robles at owasp.org
Thu Sep 11 18:18:25 UTC 2014


Thank you Simon, it's amazing the good work the ZAP team is doing

Tony I agree with you on this, I provide some pentesting courses and I
have to be honest, I use Burp as part of the testing framework during
the courses. This is just my opinion, but things like my previous
question (other tools' integration) are something that can make people
move from other tools; if ZAP targets trainers and convinces them like
Simon just did with me then trainers will start using it as part of
their courses.

A very valid point for ZAP compared to Burp is that Burp Free doesn't
allow the user to save the state for being analyzed later and ZAP does
that for free; merchandising the advantages, features (like the ones I
wasn't aware of) and coming improvements seems to be key.

Side note, I must say, if ZAP were able to import the findings from
other tools like Burp, AppScan, WebInspect, FoD, manual, etc. with a
possibility to edit findings, details, severities, etc. and make a nice
report, that's the tool I've been dreaming of for a long time. Someone
can say that ZAP isn't a repo like other tools out there for
combining findings, and I think that's exactly the reason why it should
be included in a testing tool: having all findings from a web pentest in
one single tool where you can validate, build a PoC, grab a screenshot
or remove false positives would be a dream come true.

Mario


On 11/09/2014 11:17 a.m., Tony Turner wrote:
> Getting ZAP included in popular pentest and security testing courses
> such as what SANS delivers would be very beneficial. People take these
> classes using Burp Free, and then go back to work and buy Pro and keep
> using it. Why would they switch to ZAP when they are already getting
> what they need from Burp? We need to either get ZAP in front of people
> just learning the tools or provide sufficient justification for people
> to switch from what they are already doing. 
>
>
>
> On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com
> <mailto:psiinon at gmail.com>> wrote:
>
>     We have a REST API and clients written in Java, Python, Node.js,
>     PHP and Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)
>
>     We also support all JSR 223 languages (including Jython) via the
>     ZAP Script Console
>     <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts>.
>
>     Any questions about using them then let me know or ask on the ZAP
>     Developer group <http://groups.google.com/group/zaproxy-develop>.
>
>     Cheers,
>
>     Simon
>
>     On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles
>     <mario.robles at owasp.org <mailto:mario.robles at owasp.org>> wrote:
>
>         I would be very excited about having a possibility of writing
>         Python tools that can work with ZAP using some kind of
>         integration API (sorry if this already exists and if so I'd
>         like to know more about it)
>
>         I'm a WPT tools writer and I like to work with python (I'm
>         sure many here do the same) so I think this is a good
>         opportunity for ZAP
>
>         Back to the main question, here's my answer: if ZAP becomes
>         friendly with the frameworks most pentesters use then ZAP
>         will be loved by many of them
>
>         Mario
>
>
>
>         On 11/09/2014 06:33 a.m., psiinon wrote:
>>         I'd also like to point out that I specifically asked what
>>         people thought would be the best way to increase ZAP usage
>>         NOT what would cause _you_ to use ZAP :)
>>         Do you really think that dropping java and porting to Python
>>         would increase ZAP takeup? ;)
>>
>>         On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com
>>         <mailto:psiinon at gmail.com>> wrote:
>>
>>             You're right, it's not viable :)
>>
>>             On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org
>>             <mailto:abbas.naderi at owasp.org>> wrote:
>>
>>                 Personally the major reason I don’t like these tools
>>                 is that they are Java based, and Java based apps are
>>                 ugly and slow on OS X. If I led the project, I’d port
>>                 to Python or something else, but I know that's a very
>>                 expensive decision and probably not viable.
>>                 -A
>>
>>>                 On Sep 11, 2014, at 7:50 AM, Andrew Muller
>>>                 <andrew.muller at owasp.org
>>>                 <mailto:andrew.muller at owasp.org>> wrote:
>>>
>>>                 A subtle advertising campaign could work
>>>
>>>                 <pharoah bender endorses ZAP.jpg>
>>>
>>>                 On Thu, Sep 11, 2014 at 8:59 PM, psiinon
>>>                 <psiinon at gmail.com <mailto:psiinon at gmail.com>> wrote:
>>>
>>>                     Leaders,
>>>
>>>                     As you hopefully know, ZAP is one of the most
>>>                     successful of all of the OWASP projects.
>>>
>>>                     However I want to significantly increase its
>>>                     takeup, and for that I'd like your advice and
>>>                     guidance.
>>>
>>>                     *What do you think are the top 3 (or more)
>>>                     things we could do to increase ZAP usage?*
>>>
>>>                     I'm not just asking about new features or
>>>                     technical changes (but please include those if
>>>                     you think they are important), but also
>>>                     advertising, online presence, documentation,
>>>                     tutorial videos, conference talks, fluffy toys
>>>                     etc etc.
>>>                     Anything that you think will get more developers
>>>                     and security folk using ZAP.
>>>
>>>                     I was going to start a poll, but I decided I
>>>                     didn't want to restrict or unduly influence your
>>>                     replies, so please "think out of the box" and
>>>                     other such cliches ;)
>>>
>>>                     Feel free to reply on this thread or directly to me.
>>>
>>>                     Many thanks,
>>>
>>>                     Simon
>>>
>>>                     -- 
>>>                     OWASP ZAP <https://www.owasp.org/index.php/ZAP>
>>>                     Project leader
>>>
>>>                     _______________________________________________
>>>                     OWASP-Leaders mailing list
>>>                     OWASP-Leaders at lists.owasp.org
>>>                     <mailto:OWASP-Leaders at lists.owasp.org>
>>>                     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>>                 -- 
>>>                 ____________________
>>>                 *Andrew Muller*
>>>                 Canberra OWASP Chapter Leader
>>>                 OWASP Testing Guide Co-Leader
>>
>>
>>
>>
>>             -- 
>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>             leader
>>
>>
>>
>>
>>         -- 
>>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>
>
>
>
>     -- 
>     OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>
>
>
> -- 
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> tony.turner at owasp.org <mailto:tony.turner at owasp.org>
> https://www.owasp.org/index.php/Orlando
>
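Simon points Mario at ZAP's REST API and its Python client; the script below is an added example (mine, not the ZAP project's client library) of what a small Python tool built on that API looks like: it builds a ZAP JSON API URL, decodes the `core/view/alerts` response, drops findings a reviewer has already marked as false positives (the triage step Mario describes), and counts what is left per risk level. The URL layout `/JSON/<component>/<view|action>/<name>/` and the `alerts`/`alert`/`risk`/`url` field names follow ZAP's JSON API as I know it; the local endpoint address, the `false_positives` hook and the sample alert document are my assumptions and constructed data, so the report runs offline without a ZAP instance.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter

# Assumption: ZAP's API is reachable on its usual local address and port.
ZAP_BASE = "http://127.0.0.1:8080"


def build_api_url(component, kind, name, params=None, apikey=None, base=ZAP_BASE):
    """Build a ZAP REST API URL: <base>/JSON/<component>/<kind>/<name>/?<params>.

    kind is "view" for read-only queries and "action" for operations such as
    starting a spider; when ZAP requires an API key it is sent as a query param.
    """
    query = dict(params or {})
    if apikey is not None:
        query["apikey"] = apikey
    url = "%s/JSON/%s/%s/%s/" % (base, component, kind, name)
    if query:
        url += "?" + urllib.parse.urlencode(query)
    return url


def fetch_json(url, opener=urllib.request.urlopen):
    """GET a ZAP API URL and decode its JSON body (opener is injectable for tests)."""
    with opener(url) as resp:
        return json.loads(resp.read().decode("utf-8"))


def summarize_alerts(alerts_doc, false_positives=()):
    """Reduce a core/view/alerts response to per-risk counts plus the kept alerts.

    false_positives: (alert name, url) pairs a reviewer has already judged to be
    noise; these are removed before counting (hypothetical triage hook).
    """
    fp = set(false_positives)
    kept = []
    for alert in alerts_doc.get("alerts", []):
        key = (alert.get("alert"), alert.get("url"))
        if key in fp:
            continue
        kept.append(alert)
    by_risk = Counter(a.get("risk", "Unknown") for a in kept)
    return {"by_risk": dict(by_risk), "alerts": kept}


# Constructed sample response, shaped like ZAP's core/view/alerts JSON.
SAMPLE_ALERTS = {
    "alerts": [
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
         "confidence": "Medium", "url": "http://target.example/"},
        {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
         "confidence": "Medium", "url": "http://target.example/search?q=x"},
        {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
         "confidence": "Medium", "url": "http://target.example/about"},
    ]
}


def run_report(doc=SAMPLE_ALERTS, false_positives=()):
    """Print one line per risk level and return the summary for callers."""
    summary = summarize_alerts(doc, false_positives)
    for risk in ("High", "Medium", "Low", "Informational"):
        if risk in summary["by_risk"]:
            print("%-13s %d" % (risk, summary["by_risk"][risk]))
    return summary


if __name__ == "__main__":
    # Against a live ZAP instance, fetch the document instead of using the sample:
    # doc = fetch_json(build_api_url("core", "view", "alerts",
    #                                {"baseurl": "http://target.example"},
    #                                apikey="<your-api-key>"))
    run_report(false_positives=[
        ("X-Frame-Options Header Not Set", "http://target.example/about"),
    ])
```

The `opener` parameter on `fetch_json` is what makes the tool testable without a proxy running: a test can hand it any object whose `read()` returns JSON bytes, while the default path talks to ZAP over plain HTTP on the local interface.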
