[Owasp-leaders] How to increase ZAP takeup?

Josh Sokol josh.sokol at owasp.org
Thu Sep 11 18:53:43 UTC 2014


Did you just call Simon's baby ugly?  I think you did.  That said, I have
to agree with Jim.  In my training classes I use WebScarab as well for the
same reasons.  The UI is just easier for a noob to get into, get data, and
get out.  There are companies that specialize in UI enhancement
suggestions.  Maybe it would be worth spending some of ZAP's project funds
on something like that?

~josh

On Thu, Sep 11, 2014 at 1:29 PM, Jim Manico <jim.manico at owasp.org> wrote:

> Personally I still use WebScarab during training because it's much easier
> for new folk.
>
> While ZAP has an abundance of features that are awesome, the interception
> UI and edit screen seem a lot more user friendly in WebScarab, and when
> training, the only feature I use is interception.
>
> So based on these experiences, I would surmise that new user adoption
> would pick up if the UI was a bit easier and more clear to use.
>
> Aloha,
> --
> Jim Manico
> @Manicode
> (808) 652-3805
>
> On Sep 11, 2014, at 1:20 PM, Mario Robles <mario.robles at owasp.org> wrote:
>
> Thank you Simon, it's amazing the good work the ZAP team is doing.
>
> Tony, I agree with you on this. I provide some pentesting courses and I
> have to be honest, I use Burp as part of the testing framework during the
> courses. This is just my opinion, but things like my previous question
> (integration with other tools) are something that can make people move from
> other tools; if ZAP targets trainers and convinces them like Simon just did
> with me, then trainers will start using it as part of their courses.
>
> A very valid point for ZAP compared to Burp is that Burp Free doesn't allow
> the user to save the state to be analyzed later, and ZAP does that for
> free. Merchandising the advantages, features (like the ones I wasn't aware
> of) and coming improvements seems to be key.
>
> Side note: I must say, if ZAP were able to import the findings from
> other tools like Burp, AppScan, WebInspect, FoD, Manual, etc. with a
> possibility to edit findings, details, severities, etc. and make a nice
> report, that's the tool I've been dreaming of for a long time. Someone
> could say that ZAP isn't a repo like other tools out there for combining
> findings, and I think that's exactly the reason why it should be included in
> a testing tool: having all findings from a web pentest in one single tool
> where you can validate, build a PoC, grab a screenshot or remove false
> positives would be a dream come true.
>
> Mario
>
>
> On 11/09/2014 11:17 a.m., Tony Turner wrote:
>
> Getting ZAP included in popular pentest and security testing courses such
> as what SANS delivers would be very beneficial. People take these classes
> using Burp Free, and then go back to work and buy Pro and keep using it.
> Why would they switch to ZAP when they are already getting what they need
> from Burp? We need to either get ZAP in front of people just learning the
> tools or provide sufficient justification for people to switch from what
> they are already doing.
>
>
>
> On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com> wrote:
>
>> We have a REST API and clients written in Java, Python, Node.js, PHP
>> and Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)
>>
>> We also support all JSR 223 languages (including Jython) via the ZAP Script
>> Console <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts>.
>>
>> If you have any questions about using them, let me know or ask on the ZAP
>> Developer group <http://groups.google.com/group/zaproxy-develop>.
>>
>> Cheers,
>>
>> Simon
>>
>> On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles <mario.robles at owasp.org>
>> wrote:
>>
>>> I would be very excited about having the possibility of writing Python
>>> tools that can work with ZAP using some kind of integration API (sorry if
>>> this already exists, and if so I'd like to know more about it).
>>>
>>> I'm a WPT tools writer and I like to work with Python (I'm sure many
>>> here do the same), so I think this is a good opportunity for ZAP.
>>>
>>> Back to the main question, here's my answer: if ZAP becomes friendly with
>>> the frameworks most pentesters use, then ZAP will be loved by many of them.
>>>
>>> Mario
>>>
>>>
>>>
>>> On 11/09/2014 06:33 a.m., psiinon wrote:
>>>
>>> I'd also like to point out that I specifically asked what people
>>> thought would be the best way to increase ZAP usage, NOT what would cause
>>> _you_ to use ZAP :)
>>> Do you really think that dropping Java and porting to Python would
>>> increase ZAP takeup? ;)
>>>
>>> On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> You're right, it's not viable :)
>>>>
>>>> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>>>>
>>>>> Personally the major reason I don't like these tools is that they are
>>>>> Java based, and Java based apps are ugly and slow on OS X. If I led the
>>>>> project, I'd port to Python or something else, but I know that's a very
>>>>> expensive decision and probably not viable.
>>>>> -A
>>>>>
>>>>> On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
>>>>> wrote:
>>>>>
>>>>> A subtle advertising campaign could work
>>>>>
>>>>> <pharoah bender endorses ZAP.jpg>
>>>>>
>>>>> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>> Leaders,
>>>>>>
>>>>>> As you hopefully know, ZAP is one of the most successful of all of
>>>>>> the OWASP projects.
>>>>>>
>>>>>> However I want to significantly increase its takeup, and for that
>>>>>> I'd like your advice and guidance.
>>>>>>
>>>>>> *What do you think are the top 3 (or more) things we could do to
>>>>>> increase ZAP usage?*
>>>>>>
>>>>>> I'm not just asking about new features or technical changes (but
>>>>>> please include those if you think they are important), but also
>>>>>> advertising, online presence, documentation, tutorial videos, conference
>>>>>> talks, fluffy toys etc. etc.
>>>>>> Anything that you think will get more developers and security folk
>>>>>> using ZAP.
>>>>>>
>>>>>> I was going to start a poll, but I decided I didn't want to restrict
>>>>>> or unduly influence your replies, so please "think out of the box" and
>>>>>> other such clichés ;)
>>>>>>
>>>>>> Feel free to reply on this thread or directly to me.
>>>>>>
>>>>>> Many thanks,
>>>>>>
>>>>>> Simon
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> ____________________
>>>>> *Andrew Muller*
>>>>> Canberra OWASP Chapter Leader
>>>>> OWASP Testing Guide Co-Leader
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>
>
>
>
>
>