[Owasp-leaders] How to increase ZAP takeup?

Tony UV tonyuv at owasp.org
Sat Sep 13 01:50:58 UTC 2014


To increase adoption and use of ZAP, I wanted to build off of Bill's
comments by unifying some functional and marketing points.

IMHO, the way to further proliferate ZAP is to establish a depiction of an
OWASP ecology of tools and projects.  I think ZAP is in a position to align
to multiple projects and integrate as part of a security assurance
framework.

From a marketing sense, the story line would be to adopt a security
assurance framework and see how ZAP can help to test the following, which
would all be elements of a security assurance framework.

- implementing pre-emptive controls/countermeasures that reflect security
standards that should be put into place as a security governance exercise.
 Leverage other OWASP projects like cheat sheets as governance artifacts, and
ZAP could test against an app and validate the presence of a suggested
countermeasure or secure design pattern that is in a cheat sheet.  So far
this links multiple Cheat Sheet projects to ZAP (ecology growing).
- Active scanner feature in ZAP could emulate OWASP Top 10 and incorporate
better reporting on that.  To Bill's point, reporting and marketing around
ZAP's future reporting could really generate some buzz. OWASP Top 10
integration furthers this ecological depiction.
- You've already integrated DirBuster and JBroFuzz which is awesome.
 Leveraging some of the deliberately broken web apps that we have as projects
in a ready state (WebGoat, etc.) with ZAP could provide both a security
awareness training (another discipline) and security testing discipline.
 Problem is that in my experience, you'll need to ensure that such
deliberately broken web app instances are discoverable by the active
scanner in ZAP.  Obviously, manually using the proxy's ability to capture
requests/responses, one can easily depict the flaws manually, but for
complete noobs, the active scanner would illustrate and achieve the
awareness component and generate the 'ah-ha' factor that is common with
those just getting into app testing. From a security testing discipline,
you can further this ecology idea by using the Application Security
Verification Standard (Security Testing discipline). You can provide a
'mode' or experience where you can ask who the user is (Tester, Trainer,
Developer) etc.  I think this greatly helps to provide greater ease of use
b/c there are different people that are picking up ZAP and applying it
today.

Having this ecology as a framework with which users can interact, via
ZAP, provides a center point, which I think is extremely cool. Obviously,
we have tons of projects and tools so you could have your own version of an
OWASP Ecology and even better, allow for a front end RBAC model whose roles
dictate which integrated projects are part of this dynamic ecology
of projects.  It's also great b/c it really unites tools with reference
projects and extends beyond the Builders-Breakers, etc. to illustrate how
Security Assurance (at a very simplistic level) can be emulated from a ZAP
based OWASP ecology of tools.

I personally think that speaking of this OWASP ecology can provide for
multi-faceted marketing, training and talks where you don't only have one
project leader but multiple project leaders speaking to their respective
ecology area and how it's illustrated via ZAP testing.

Separate from all of this, I highly think that a global survey on ZAP could
be done, one that simply asks, 'Do AppSec? Top 3 reasons you don't have
ZAP in your arsenal.'

Best,

Tony UV






On Thu, Sep 11, 2014 at 8:33 AM, Bill Sempf <bill.sempf at owasp.org> wrote:

> I've been doing a lot of work recently as an application vulnerability
> tester, and there are two kinds of clients out there. There are those that
> simply expect you to use burp and those who don't care what you use as long
> as your results are good. So we have two targets.
>
> To change clients that expect testers to use Burp:
>  - Any chance the 'save state' file can be made Burp compatible?
>  - I agree with whomever said reporting
>  - Video series of solving tough testing problems with ZAP?
>  - These are people that WOULD be swayed with conference booths and
> plushies
>
> To convince testers to use ZAP when the client doesn't care
>  - even more work on the scanner. Burp's scanner is good.
>  - Wizards to walk noobs through core functionality
>  - I think the fuzzing tool is too hard to use but that might just be me
>  - Content discovery. Maybe ZAP already has that and I just didn't know.
>
> One perspective from one side of the biz, but there you go.
>
> S
>
> On Thu, Sep 11, 2014 at 8:22 AM, (P7N) Jason Johnson <
> jason.johnson at p7n.net> wrote:
>
>> What about reporting? Everyone loves a report of some kind. I think it
>> has a bit of reporting built in. There are lots of reporting engines like
>> birt and adding a reply maker to it would be sweet. What do you think?
>>
>>
>> On September 11, 2014 7:16:21 AM CDT, psiinon <psiinon at gmail.com> wrote:
>>>
>>> You're right, it's not viable :)
>>>
>>> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>>>
>>>> Personally the major reason I don’t like these tools is that they are
>>>> Java based, and Java based apps are ugly and slow on OS X. If I led the
>>>> project, I'd port to python or something else, but I know that's a very
>>>> expensive decision and probably not viable.
>>>> -A
>>>>
>>>> On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
>>>> wrote:
>>>>
>>>> A subtle advertising campaign could work
>>>>
>>>> <pharoah bender endorses ZAP.jpg>
>>>>
>>>> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>>>>
>>>>> Leaders,
>>>>>
>>>>> As you hopefully know, ZAP is one of the most successful of all of the
>>>>> OWASP projects.
>>>>>
>>>>> However I want to significantly increase its takeup, and for that I'd
>>>>> like your advice and guidance.
>>>>>
>>>>> *What do you think are the top 3 (or more) things we could do to increase
>>>>> ZAP usage?*
>>>>>
>>>>> I'm not just asking about new features or technical changes (but
>>>>> please include those if you think they are important), but also
>>>>> advertising, online presence, documentation, tutorial videos, conference
>>>>> talks, fluffy toys etc etc.
>>>>> Anything that you think will get more developers and security folk
>>>>> using ZAP.
>>>>>
>>>>> I was going to start a poll, but I decided I didn't want to restrict or
>>>>> unduly influence your replies, so please "think out of the box" and other
>>>>> such cliches ;)
>>>>>
>>>>> Feel free to reply on this thread or directly to me.
>>>>>
>>>>> Many thanks,
>>>>>
>>>>> Simon
>>>>>
>>>>> --
>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>
>>>>> _______________________________________________
>>>>> OWASP-Leaders mailing list
>>>>> OWASP-Leaders at lists.owasp.org
>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> ____________________
>>>> *Andrew Muller*
>>>> Canberra OWASP Chapter Leader
>>>> OWASP Testing Guide Co-Leader
>>>>
>>>>
>>>>
>>>
>>>
>> Jason Johnson
>> cell: 405-875-4413
>> ProjectSeven Networks™
>> ___
>>
>> 💻because data is beautiful...
>>
>> 🌲please do not print this email.
>>
>>
>>
>