[Owasp-leaders] How to increase ZAP takeup?

Dave Wichers dave.wichers at owasp.org
Fri Sep 12 00:18:49 UTC 2014


There are other projects out there (none at OWASP?) that are working on consuming results from other tools. A large (non-security specific) free tool that I'm starting to see a lot of adoption of is SonarQube.

 

So, rather than have ZAP reinvent the wheel, it might be better if ZAP had REALLY EASY ways of pumping its results (esp. in a CI / headless model – nod to Eoin’s comment) into SonarQube, and other popular dashboards.

 

This would support the sensors approach to appsec that Jeff Williams talked about at AppSec USA last year: https://www.youtube.com/watch?v=cIvOth0fxmI 

 

I know ZAP has already gone a long way in this direction, and Simon did a talk on this at AppSec USA last year as well.

 

At a minimum, a CI environment should set ZAP up as a passive sensor to monitor all traffic to the test server and report all the header, cookie, and other passive results to some dashboard. And then more sophisticated organizations can use the active scanning capabilities, and/or script up even more fancy stuff.

 

But if we can at least make all the passive capabilities of ZAP easy to setup in CI, and lash up to SonarQube and other dashboards, we’d have a bunch of easy and free sensors.

 

Simon – are you (or anyone) aware of any work building connectors between ZAP and SonarQube? I know there already are connectors for FindBugs, FindSecurityBugs, and other open source SAST tools, and also for many commercial tools like Fortify. What about the best free DAST tool (ZAP :) )?

 

-Dave

 

From: owasp-leaders-bounces at lists.owasp.org [mailto:owasp-leaders-bounces at lists.owasp.org] On Behalf Of Mario Robles
Sent: Thursday, September 11, 2014 2:18 PM
To: Tony Turner; psiinon
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] How to increase ZAP takeup?

 

Thank you Simon, it's amazing, the good work the ZAP team is doing.

Side note, I must say: if ZAP were able to import the findings from other tools like Burp, AppScan, WebInspect, FoD, manual, etc., with the possibility to edit findings, details, severities, etc., and make a nice report, that's the tool I've been dreaming of for a long time. Someone could say that ZAP isn't a repo like other tools out there for combining findings, and I think that's exactly the reason why it should be included in a testing tool: having all findings from a web pentest in one single tool where you can validate, build a PoC, grab a screenshot or remove false positives would be a dream come true.

Mario


On 11/09/2014 11:17 a.m., Tony Turner wrote:

Getting ZAP included in popular pentest and security testing courses such as what SANS delivers would be very beneficial. People take these classes using Burp Free, and then go back to work and buy Pro and keep using it. Why would they switch to ZAP when they are already getting what they need from Burp? We need to either get ZAP in front of people just learning the tools or provide sufficient justification for people to switch from what they are already doing.  

 

 

 

On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com> wrote:

We have a REST API and clients written in Java, Python, Node.js, PHP and Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)

We also support all JSR 223 languages (including Jython) via the ZAP Script Console <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts> .

 

Any questions about using them then let me know or ask on the ZAP Developer group <http://groups.google.com/group/zaproxy-develop> .

 

Cheers,

Simon
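As an added example, not code from this thread or from the ZAP project: the passive-sensor setup Dave describes above (ZAP sitting in front of the test server in CI, its header/cookie findings pushed to a dashboard) implemented against the REST API Simon points to. The script pages through ZAP's alerts endpoint, collapses per-request duplicates into findings, emits a JSON summary a dashboard can ingest, and exits non-zero when a finding at or above a chosen risk level is present. The endpoint path and alert field names are ZAP's own; the daemon-mode invocation, the environment variable names (ZAP_URL, ZAP_API_KEY, TARGET_URL, ZAP_FAIL_AT) and the sample alerts are assumptions constructed for this example, so it also runs offline.

```python
"""Collect ZAP passive-scan alerts over its REST API in a headless CI job and
reduce them to a dashboard-friendly summary plus a pass/fail gate.

Added example, not ZAP project code. Assumes ZAP is running in daemon mode
(e.g. `zap.sh -daemon -port 8090 -config api.key=...`) and that the CI job has
already driven the app's tests through ZAP as an HTTP proxy, so the passive
rules have seen the traffic. No active scan is ever started here.
"""
import json
import os
import sys
import urllib.parse
import urllib.request
from collections import Counter

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def fetch_alerts(zap_base, api_key, target, page=100):
    """Page through /JSON/core/view/alerts/ for `target`; return the alert dicts."""
    alerts, start = [], 0
    while True:
        query = urllib.parse.urlencode(
            {"baseurl": target, "start": start, "count": page, "apikey": api_key})
        with urllib.request.urlopen(f"{zap_base}/JSON/core/view/alerts/?{query}") as resp:
            batch = json.load(resp)["alerts"]
        alerts.extend(batch)
        if len(batch) < page:
            return alerts
        start += page


def dedupe(alerts):
    """Collapse per-request instances to one finding per (rule, url, param)."""
    seen = {}
    for a in alerts:
        key = (a.get("pluginId"), a.get("url"), a.get("param", ""))
        seen.setdefault(key, a)
    return list(seen.values())


def summarize(alerts):
    """Counts by risk and by rule: the rows a dashboard wants, highest risk first."""
    findings = dedupe(alerts)
    by_risk = Counter(a["risk"] for a in findings)
    by_rule = Counter((a["alert"], a["risk"]) for a in findings)
    ordered = sorted(by_rule.items(), key=lambda kv: (-RISK_ORDER[kv[0][1]], kv[0][0]))
    return {
        "total": len(findings),
        "by_risk": dict(by_risk),
        "rules": [{"alert": n, "risk": r, "count": c} for (n, r), c in ordered],
    }


def gate(summary, fail_at="Medium"):
    """True if the build should fail: any finding at or above `fail_at`."""
    threshold = RISK_ORDER[fail_at]
    return any(RISK_ORDER[r] >= threshold and n > 0 for r, n in summary["by_risk"].items())


# Constructed sample in the shape ZAP returns (not real scan output).
SAMPLE_ALERTS = json.loads("""{"alerts": [
 {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set", "risk": "Medium",
  "confidence": "Medium", "url": "http://testserver:8080/login", "param": "", "cweid": "16"},
 {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set", "risk": "Medium",
  "confidence": "Medium", "url": "http://testserver:8080/login", "param": "", "cweid": "16"},
 {"pluginId": "10020", "alert": "X-Frame-Options Header Not Set", "risk": "Medium",
  "confidence": "Medium", "url": "http://testserver:8080/account", "param": "", "cweid": "16"},
 {"pluginId": "10010", "alert": "Cookie No HttpOnly Flag", "risk": "Low",
  "confidence": "Medium", "url": "http://testserver:8080/login", "param": "JSESSIONID", "cweid": "16"},
 {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low",
  "confidence": "Medium", "url": "http://testserver:8080/", "param": "X-Content-Type-Options", "cweid": "16"},
 {"pluginId": "10027", "alert": "Information Disclosure - Suspicious Comments", "risk": "Informational",
  "confidence": "Low", "url": "http://testserver:8080/app.js", "param": "", "cweid": "200"}
]}""")["alerts"]


def main():
    zap = os.environ.get("ZAP_URL")  # e.g. http://localhost:8090 (assumed variable name)
    if zap:
        alerts = fetch_alerts(zap, os.environ.get("ZAP_API_KEY", ""), os.environ["TARGET_URL"])
    else:
        alerts = SAMPLE_ALERTS  # offline run on the constructed sample
    summary = summarize(alerts)
    print(json.dumps(summary, indent=2))  # feed this JSON to the dashboard of your choice
    sys.exit(1 if gate(summary, os.environ.get("ZAP_FAIL_AT", "Medium")) else 0)


if __name__ == "__main__":
    main()
```

In a pipeline this runs after the integration tests, with HTTP_PROXY/HTTPS_PROXY pointing at the ZAP daemon while the tests execute. Deduplicating on (rule, URL, parameter) matters for a passive sensor: every request to the same page repeats the same missing-header alert, and a dashboard that counts instances rather than findings will show noise rather than trend. The gate threshold is deliberately a parameter, since a first rollout usually starts at High and is tightened as the passive findings are fixed.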

 

On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles <mario.robles at owasp.org> wrote:

I would be very excited about having the possibility of writing Python tools that can work with ZAP using some kind of integration API (sorry if this already exists, and if so I'd like to know more about it).

I'm a WPT tools writer and I like to work with Python (I'm sure many here do the same), so I think this is a good opportunity for ZAP.

Back to the main question, here's my answer: if ZAP becomes friendly with the frameworks most pentesters use, then ZAP will be loved by many of them.

Mario 

 


On 11/09/2014 06:33 a.m., psiinon wrote:

I'd also like to point out that I specifically asked what people thought would be the best way to increase ZAP usage NOT what would cause _you_ to use ZAP :)

Do you really think that dropping java and porting to Python would increase ZAP takeup? ;)

 

On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com> wrote:

You're right, it's not viable :)

 

On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:

Personally, the major reason I don't like these tools is that they are Java based, and Java based apps are ugly and slow on OS X. If I led the project, I'd port to Python or something else, but I know that's a very expensive decision and probably not viable.

-A

 

On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org> wrote:

 

A subtle advertising campaign could work


<pharoah bender endorses ZAP.jpg>


 

On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:

Leaders,

As you hopefully know, ZAP is one of the most successful of all of the OWASP projects.

However I want to significantly increase its takeup, and for that I'd like your advice and guidance.

What do you think are the top 3 (or more) things we could do to increase ZAP usage?

I'm not just asking about new features or technical changes (but please include those if you think they are important), but also advertising, online presence, documentation, tutorial videos, conference talks, fluffy toys etc. etc.
Anything that you think will get more developers and security folk using ZAP.

I was going to start a poll, but I decided I didn't want to restrict or unduly influence your replies, so please "think out of the box" and other such clichés ;)

 

Feel free to reply on this thread or directly to me.

Many thanks,

Simon



-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP>  Project leader


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders




-- 

____________________

Andrew Muller

Canberra OWASP Chapter Leader

OWASP Testing Guide Co-Leader


 







 









 

-- 
Tony Turner
OWASP Orlando Chapter Founder/Co-Leader
tony.turner at owasp.org 

https://www.owasp.org/index.php/Orlando 

 

 
