[Owasp-leaders] How to increase ZAP takeup?

Abraham Aranguren abraham.aranguren at owasp.org
Thu Sep 11 18:37:07 UTC 2014


Hi Mario,

I think your dream come true is exactly what OWTF does / pretends to do :)

The imminent OWTF 1.0 Lionheart will be a breakthrough at many levels
(Web UI, Postgres DB, Zest support, automated rankings that you can
override, AJAX spider, etc.), but you can get the drift with this (WIP!):

http://owtf.github.io/
https://www.youtube.com/user/owtfproject/playlists
The passive online scanner (still being improved atm) might be a good
way to see (some of the) things working without installing anything:
http://owtf.github.io/online-passive-scanner/

My 2cents :)

Abe

On 09/11/2014 08:18 PM, Mario Robles wrote:
> Thank you Simon, it's amazing the good work ZAP team is doing
>
> Tony I agree with you on this, I provide some pentesting courses and I
> have to be honest, I use Burp as part of the testing framework during
> the courses, this is just my opinion but things like my previous
> question (other tools integration) are something that can make people
> move from other tools; if ZAP targets trainers and convinces them
> like Simon just did with me then trainers will start using it as part
> of their courses
>
> A very valid point for ZAP compared to Burp is that Burp Free doesn't
> allow the user to save the state for being analyzed later and ZAP does
> that for free; merchandising the advantages, features (like the ones I
> wasn't aware of) and coming improvements seems to be key
>
> Side note, I must say, if ZAP were able to import the findings
> from other tools like Burp, AppScan, WebInspect, FoD, manual, etc. with
> a possibility to edit findings, details, severities, etc. and make a
> nice report, that's the tool I've been dreaming of for a long time.
> Someone could say that ZAP isn't a repo like other tools out there
> for combining findings, and I think that's exactly the reason why it
> should be included in a testing tool: having all findings from a
> Wpentest in one single tool where you can validate, build a PoC, grab
> a screenshot or remove false positives would be a dream come true
>
> Mario
>
>
>
> On 11/09/2014 11:17 a.m., Tony Turner wrote:
>> Getting ZAP included in popular pentest and security testing courses
>> such as what SANS delivers would be very beneficial. People take
>> these classes using Burp Free, and then go back to work and buy Pro
>> and keep using it. Why would they switch to ZAP when they are already
>> getting what they need from Burp? We need to either get ZAP in front
>> of people just learning the tools or provide sufficient justification
>> for people to switch from what they are already doing. 
>>
>>
>>
>> On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com
>> <mailto:psiinon at gmail.com>> wrote:
>>
>>     We have a REST API and clients written in Java, Python, Node.js,
>>     PHP and Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)
>>
>>     We also support all JSR 223 languages (including Jython) via the
>>     ZAP Script Console
>>     <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts>.
>>
>>     Any questions about using them then let me know or ask on the ZAP
>>     Developer group <http://groups.google.com/group/zaproxy-develop>.
>>
>>     Cheers,
>>
>>     Simon
>>
>>     On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles
>>     <mario.robles at owasp.org <mailto:mario.robles at owasp.org>> wrote:
>>
>>         I would be very excited about having the possibility of writing
>>         Python tools that can work with ZAP using some kind of
>>         integration API (sorry if this already exists and if so I'd
>>         like to know more about it)
>>
>>         I'm a WPT tools writer and I like to work with Python (I'm
>>         sure many here do the same) so I think this is a good
>>         opportunity for ZAP
>>
>>         Back to the main question, here's my answer: if ZAP becomes
>>         friendly with the frameworks most pentesters use then ZAP
>>         will be loved by many of them
>>
>>         Mario
>>
>>
>>
>>
>>         On 11/09/2014 06:33 a.m., psiinon wrote:
>>>         I'd also like to point out that I specifically asked what
>>>         people thought would be the best way to increase ZAP usage
>>>         NOT what would cause _you_ to use ZAP :)
>>>         Do you really think that dropping java and porting to Python
>>>         would increase ZAP takeup? ;)
>>>
>>>         On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com
>>>         <mailto:psiinon at gmail.com>> wrote:
>>>
>>>             You're right, it's not viable :)
>>>
>>>             On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org
>>>             <mailto:abbas.naderi at owasp.org>> wrote:
>>>
>>>                 Personally the major reason I don’t like these tools
>>>                 is that they are Java based, and Java based apps are
>>>                 ugly and slow on OS X. If I led the project, I’d
>>>                 port to Python or something else, but I know that's a
>>>                 very expensive decision and probably not viable.
>>>                 -A
>>>
>>>>                 On Sep 11, 2014, at 7:50 AM, Andrew Muller
>>>>                 <andrew.muller at owasp.org
>>>>                 <mailto:andrew.muller at owasp.org>> wrote:
>>>>
>>>>                 A subtle advertising campaign could work
>>>>
>>>>                 <pharoah bender endorses ZAP.jpg>
>>>>
>>>>                 On Thu, Sep 11, 2014 at 8:59 PM, psiinon
>>>>                 <psiinon at gmail.com <mailto:psiinon at gmail.com>> wrote:
>>>>
>>>>                     Leaders,
>>>>
>>>>                     As you hopefully know, ZAP is one of the most
>>>>                     successful of all of the OWASP projects.
>>>>
>>>>                     However I want to significantly increase its
>>>>                     takeup, and for that I'd like your advice and
>>>>                     guidance.
>>>>
>>>>                     *What do you think are the top 3 (or more)
>>>>                     things we could do to increase ZAP usage?*
>>>>
>>>>                     I'm not just asking about new features or
>>>>                     technical changes (but please include those if
>>>>                     you think they are important), but also
>>>>                     advertising, online presence, documentation,
>>>>                     tutorial videos, conference talks, fluffy toys
>>>>                     etc etc.
>>>>                     Anything that you think will get more
>>>>                     developers and security folk using ZAP.
>>>>
>>>>                     I was going to start a poll, but I decided I
>>>>                     didn't want to restrict or unduly influence your
>>>>                     replies, so please "think out of the box" and
>>>>                     other such clichés ;)
>>>>
>>>>                     Feel free to reply on this thread or directly
>>>>                     to me.
>>>>
>>>>                     Many thanks,
>>>>
>>>>                     Simon
>>>>
>>>>                     -- 
>>>>                     OWASP ZAP <https://www.owasp.org/index.php/ZAP>
>>>>                     Project leader
>>>>
>>>>                     _______________________________________________
>>>>                     OWASP-Leaders mailing list
>>>>                     OWASP-Leaders at lists.owasp.org
>>>>                     <mailto:OWASP-Leaders at lists.owasp.org>
>>>>                     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>
>>>>
>>>>
>>>>
>>>>                 -- 
>>>>                 ____________________
>>>>                 *Andrew Muller*
>>>>                 Canberra OWASP Chapter Leader
>>>>                 OWASP Testing Guide Co-Leader
>>>
>>>
>>>
>>>
>>>             -- 
>>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>>             leader
>>>
>>>
>>>
>>>
>>>         -- 
>>>         OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>
>>
>>
>>
>>     -- 
>>     OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>>
>>
>> -- 
>> Tony Turner
>> OWASP Orlando Chapter Founder/Co-Leader
>> tony.turner at owasp.org <mailto:tony.turner at owasp.org>
>> https://www.owasp.org/index.php/Orlando
>>
>
>
>



