[Owasp-leaders] How to increase ZAP takeup?

Jim Manico jim.manico at owasp.org
Thu Sep 11 18:29:58 UTC 2014


Personally I still use WebScarab during training because it's much easier
for new folk.

While ZAP has an abundance of features that are awesome, the interception
UI and edit screen seem a lot more user friendly in WebScarab, and when
training, the only feature I use is interception.

So based on these experiences, I would surmise that new user adoption would
pick up if the UI was a bit easier and more clear to use.

Aloha,
--
Jim Manico
@Manicode
(808) 652-3805

On Sep 11, 2014, at 1:20 PM, Mario Robles <mario.robles at owasp.org> wrote:

Thank you Simon, it's amazing the good work the ZAP team is doing.

Tony, I agree with you on this. I provide some pentesting courses and I have
to be honest, I use Burp as part of the testing framework during the
courses. This is just my opinion, but things like my previous question
(other tools integration) are something that can make people move from
other tools. If ZAP targets trainers and convinces them like Simon just did
with me, then trainers will start using it as part of their courses.

A very valid point for ZAP compared to Burp is that Burp Free doesn't allow
the user to save the state to be analyzed later, and ZAP does that for
free. Merchandising the advantages, features (like the ones I wasn't aware
of) and coming improvements seems to be key.

Side note: I must say, if ZAP were able to import the findings from
other tools like Burp, AppScan, WebInspect, FoD, manual, etc. with the
possibility to edit findings, details, severities, etc. and make a nice
report, that's the tool I've been dreaming of for a long time. Someone
could say that ZAP isn't a repo like other tools out there for combining
findings, and I think that's exactly the reason why it should be included in
a testing tool: having all findings from a web pentest in one single tool
where you can validate, build a PoC, grab a screenshot or remove false
positives would be a dream come true.

Mario


On 11/09/2014 11:17 a.m., Tony Turner wrote:

Getting ZAP included in popular pentest and security testing courses such
as what SANS delivers would be very beneficial. People take these classes
using Burp Free, and then go back to work and buy Pro and keep using it.
Why would they switch to ZAP when they are already getting what they need
from Burp? We need to either get ZAP in front of people just learning the
tools or provide sufficient justification for people to switch from what
they are already doing.



On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com> wrote:

>  We have a REST API and clients written in Java, Python, Node.js, PHP and
> Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)
>
>  We also support all JSR 223 languages (including Jython) via the ZAP Script
> Console <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts>.
>
>  Any questions about using them then let me know or ask on the ZAP
> Developer group <http://groups.google.com/group/zaproxy-develop>.
>
>  Cheers,
>
>  Simon
>
> On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles <mario.robles at owasp.org>
> wrote:
>
>> I would be very excited about having the possibility of writing Python
>> tools that can work with ZAP using some kind of integration API (sorry if
>> this already exists; if so I'd like to know more about it).
>>
>> I'm a WPT tools writer and I like to work with Python (I'm sure many here
>> do the same), so I think this is a good opportunity for ZAP.
>>
>> Back to the main question, here's my answer: if ZAP becomes friendly with
>> the frameworks most pentesters use, then ZAP will be loved by many of them.
>>
>> Mario
>>
>>
>>
>> On 11/09/2014 06:33 a.m., psiinon wrote:
>>
>>  I'd also like to point out that I specifically asked what people
>> thought would be the best way to increase ZAP usage NOT what would cause
>> _you_ to use ZAP :)
>>  Do you really think that dropping java and porting to Python would
>> increase ZAP takeup? ;)
>>
>> On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com> wrote:
>>
>>> You're right, it's not viable :)
>>>
>>> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>>>
>>>> Personally the major reason I don't like these tools is that they are
>>>> Java based, and Java based apps are ugly and slow on OS X. If I led the
>>>> project, I'd port to Python or something else, but I know that's a very
>>>> expensive decision and probably not viable.
>>>> -A
>>>>
>>>>  On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
>>>> wrote:
>>>>
>>>>  A subtle advertising campaign could work
>>>>
>>>> <pharoah bender endorses ZAP.jpg>
>>>>
>>>> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>> Leaders,
>>>>>
>>>>>  As you hopefully know, ZAP is one of the most successful of all of
>>>>> the OWASP projects.
>>>>>
>>>>>  However I want to significantly increase its takeup, and for that I'd
>>>>> like your advice and guidance.
>>>>>
>>>>> *What do you think are the top 3 (or more) things we could do to
>>>>> increase ZAP usage?*
>>>>>
>>>>> I'm not just asking about new features or technical changes (but
>>>>> please include those if you think they are important), but also
>>>>> advertising, online presence, documentation, tutorial videos, conference
>>>>> talks, fluffy toys etc. etc.
>>>>> Anything that you think will get more developers and security folk
>>>>> using ZAP.
>>>>>
>>>>> I was going to start a poll, but I decided I didn't want to restrict
>>>>> or unduly influence your replies, so please "think out of the box" and
>>>>> other such clichés ;)
>>>>>
>>>>>  Feel free to reply on this thread or directly to me.
>>>>>
>>>>>  Many thanks,
>>>>>
>>>>>  Simon
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>>   ____________________
>>>>  *Andrew Muller*
>>>>  Canberra OWASP Chapter Leader
>>>>  OWASP Testing Guide Co-Leader
>>>>
>>>>
>>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>


--
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
tony.turner at owasp.org
https://www.owasp.org/index.php/Orlando

