[Owasp-leaders] How to increase ZAP takeup?

psiinon psiinon at gmail.com
Mon Sep 15 15:25:18 UTC 2014


I don't really see ZAP as a tool aggregator - there are other tools that are
already focusing on this, like OWTF, ThreadFix and Minion.
I wouldn't have a problem with someone extending ZAP to include data from
other tools, but it's not something I can see myself working on.

On Thu, Sep 11, 2014 at 7:18 PM, Mario Robles <mario.robles at owasp.org>
wrote:

>  Thank you Simon, it's amazing the good work ZAP team is doing
>
> Tony I agree with you on this, I provide some Pentesting courses and I
> have to be honest, I use Burp as part of the testing framework during the
> courses, this is just my opinion but things like my previous question
> (other tools integration) are something that can make people move from
> other tools, if ZAP targets trainers and convinces them like Simon just did
> with me then trainers will start using it as part of their courses
>
> A very valid point for ZAP compared to Burp is that Burp Free doesn't allow
> the user to save the state for being analyzed later and ZAP does that for
> free, merchandising the advantages, features (like the ones I wasn't aware
> of) and coming improvements seems to be key
>
> side note, I must say, if ZAP would be able to import the findings from
> other tools like Burp, AppScan, WebInspect, FoD, Manual, etc with a
> possibility to edit findings, details, severities, etc and make a nice
> report, that's the tool I've been dreaming of for a long time, someone
> can say that ZAP isn't a repo like other tools out there for combining
> findings and I think that's exactly the reason why it should be included in
> a testing tool, having all findings from a Wpentest in one single tool
> where you can validate, build a PoC, grab a screenshot or remove False
> positives would be a dream come true
>
> Mario
>
>
>
>    On 11/09/2014 11:17 a.m., Tony Turner wrote:
>
> Getting ZAP included in popular pentest and security testing courses such
> as what SANS delivers would be very beneficial. People take these classes
> using Burp Free, and then go back to work and buy Pro and keep using it.
> Why would they switch to ZAP when they are already getting what they need
> from Burp? We need to either get ZAP in front of people just learning the
> tools or provide sufficient justification for people to switch from what
> they are already doing.
>
>
>
> On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com> wrote:
>
>>  We have a REST API and clients written in Java, Python, Node.js, PHP
>> and Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)
>>
>>  We also support all JSR 223 languages (including Jython) via the ZAP Script
>> Console <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts>
>> .
>>
>>  Any questions about using them then let me know or ask on the ZAP
>> Developer group <http://groups.google.com/group/zaproxy-develop>.
>>
>>  Cheers,
>>
>>  Simon
>>
>> On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles <mario.robles at owasp.org>
>> wrote:
>>
>>>  I would be very excited about having a possibility of writing python
>>> tools that can work with ZAP using some kind of integration API (sorry if
>>> this already exists and if so I'd like to know more about it)
>>>
>>> I'm a WPT tools writer and I like to work with python (I'm sure many
>>> here do the same) so I think this is a good opportunity for ZAP
>>>
>>> Back to the main question, here's my answer: if ZAP becomes friendly with
>>> the frameworks most Pentesters use then ZAP will be loved by many of them
>>>
>>> Mario
>>>
>>>
>>>
>>>    On 11/09/2014 06:33 a.m., psiinon wrote:
>>>
>>>  I'd also like to point out that I specifically asked what people
>>> thought would be the best way to increase ZAP usage NOT what would cause
>>> _you_ to use ZAP :)
>>>  Do you really think that dropping java and porting to Python would
>>> increase ZAP takeup? ;)
>>>
>>> On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com> wrote:
>>>
>>>> You're right, it's not viable :)
>>>>
>>>> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>>>>
>>>>> Personally the major reason I don't like these tools is that they are
>>>>> Java based, and Java based apps are ugly and slow on OS X. If I led the
>>>>> project, I'd port to python or something else, but I know that's a very
>>>>> expensive decision and probably not viable.
>>>>> -A
>>>>>
>>>>>  On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
>>>>> wrote:
>>>>>
>>>>>  A subtle advertising campaign could work
>>>>>
>>>>> <pharoah bender endorses ZAP.jpg>
>>>>>
>>>>> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>>     Leaders,
>>>>>>
>>>>>>  As you hopefully know, ZAP is one of the most successful of all of
>>>>>> the OWASP projects.
>>>>>>
>>>>>>  However I want to significantly increase its takeup, and for that
>>>>>> I'd like your advice and guidance.
>>>>>>
>>>>>>  *What do you think are the top 3 (or more) things we could do to
>>>>>> increase ZAP usage?*
>>>>>>
>>>>>>  I'm not just asking about new features or technical changes (but
>>>>>> please include those if you think they are important), but also
>>>>>> advertising, online presence, documentation, tutorial videos, conference
>>>>>> talks, fluffy toys etc etc.
>>>>>> Anything that you think will get more developers and security folk
>>>>>> using ZAP.
>>>>>>
>>>>>>  I was going to start a poll, but I decided I didn't want to restrict
>>>>>> or unduly influence your replies, so please "think out of the box" and
>>>>>> other such clichés ;)
>>>>>>
>>>>>>  Feel free to reply on this thread or directly to me.
>>>>>>
>>>>>>  Many thanks,
>>>>>>
>>>>>>  Simon
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>> --
>>>>>   ____________________
>>>>>  *Andrew Muller*
>>>>>  Canberra OWASP Chapter Leader
>>>>>  OWASP Testing Guide Co-Leader
>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>
>>>
>>>
>>> --
>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>
>>
>>
>
>
>  --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> tony.turner at owasp.org
> https://www.owasp.org/index.php/Orlando
>
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader