[Owasp-leaders] How to increase ZAP takeup?

psiinon psiinon at gmail.com
Mon Sep 15 15:30:29 UTC 2014


I hadn't heard of SonarQube - thanks for the suggestion, it looks very
interesting.
I'll get in touch with them.

On Fri, Sep 12, 2014 at 1:18 AM, Dave Wichers <dave.wichers at owasp.org>
wrote:

> There are other projects out there (none at OWASP?) that are working on
> consuming results from other tools. A large (non-security specific) free
> tool that I’m starting to see a lot of adoption is SonarQube.
>
> So, rather than have ZAP reinvent the wheel, it might be better if ZAP had
> REALLY EASY ways of pumping its results (esp. in a CI / headless model –
> nod to Eoin’s comment) into SonarQube, and other popular dashboards.
>
> This would support the sensors approach to appsec that Jeff Williams
> talked about at AppSec USA last year:
> https://www.youtube.com/watch?v=cIvOth0fxmI
>
> I know ZAP has already gone a long way in this direction, and Simon did a
> talk on this at AppSec USA last year as well.
>
> At a minimum, a CI environment should set ZAP up as a passive sensor to
> monitor all traffic to the test server and report all the header, cookie,
> and other passive results to some dashboard. And then more sophisticated
> organizations can use the active scanning capabilities, and/or script up
> even more fancy stuff.
>
> But if we can at least make all the passive capabilities of ZAP easy to
> set up in CI, and lash up to SonarQube and other dashboards, we’d have a
> bunch of easy and free sensors.
>
> Simon – are you (or anyone) aware of any work building connectors between
> ZAP and SonarQube? I know there already are connectors for FindBugs,
> FindSecurityBugs, and other open source SAST tools, and also for many
> commercial tools like Fortify. What about the best free DAST tool (ZAP :) ).
>
> -Dave
>
> *From:* owasp-leaders-bounces at lists.owasp.org [mailto:
> owasp-leaders-bounces at lists.owasp.org] *On Behalf Of *Mario Robles
> *Sent:* Thursday, September 11, 2014 2:18 PM
> *To:* Tony Turner; psiinon
> *Cc:* owasp-leaders at lists.owasp.org
> *Subject:* Re: [Owasp-leaders] How to increase ZAP takeup?
>
> Thank you Simon, it's amazing the good work the ZAP team is doing.
>
> Side note, I must say, if ZAP would be able to import the findings from
> other tools like Burp, AppScan, WebInspect, FoD, Manual, etc. with a
> possibility to edit findings, details, severities, etc. and make a nice
> report, that's the tool I've been dreaming of for a long time. Someone
> can say that ZAP is not a repo like other tools out there for combining
> findings, and I think that's exactly the reason why it should be included in
> a testing tool: having all findings from a Wpentest in one single tool
> where you can validate, build a PoC, grab a screenshot or remove false
> positives would be a dream come true.
>
> Mario
>
> On 11/09/2014 11:17 a.m., Tony Turner wrote:
>
> Getting ZAP included in popular pentest and security testing courses such
> as what SANS delivers would be very beneficial. People take these classes
> using Burp Free, and then go back to work and buy Pro and keep using it.
> Why would they switch to ZAP when they are already getting what they need
> from Burp? We need to either get ZAP in front of people just learning the
> tools or provide sufficient justification for people to switch from what
> they are already doing.
>
> On Thu, Sep 11, 2014 at 1:06 PM, psiinon <psiinon at gmail.com> wrote:
>
> We have a REST API and clients written in Java, Python, Node.js, PHP and
> Ruby: https://code.google.com/p/zaproxy/wiki/ApiDetails :)
>
> We also support all JSR 223 languages (including Jython) via the ZAP Script
> Console <https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts>.
>
> Any questions about using them then let me know or ask on the ZAP
> Developer group <http://groups.google.com/group/zaproxy-develop>.
>
> Cheers,
>
> Simon
>
> On Thu, Sep 11, 2014 at 5:42 PM, Mario Robles <mario.robles at owasp.org>
> wrote:
>
> I would be very excited about having a possibility of writing Python tools
> that can work with ZAP using some kind of integration API (sorry if this
> already exists and if so I'd like to know more about it).
>
> I'm a WPT tools writer and I like to work with Python (I'm sure many here
> do the same), so I think this is a good opportunity for ZAP.
>
> Back to the main question, here's my answer: if ZAP becomes friendly with
> the frameworks most pentesters use then ZAP will be loved by many of them.
>
> Mario
>
> On 11/09/2014 06:33 a.m., psiinon wrote:
>
> I'd also like to point out that I specifically asked what people thought
> would be the best way to increase ZAP usage NOT what would cause _you_ to
> use ZAP :)
>
> Do you really think that dropping java and porting to Python would
> increase ZAP takeup? ;)
>
> On Thu, Sep 11, 2014 at 1:16 PM, psiinon <psiinon at gmail.com> wrote:
>
> You're right, it's not viable :)
>
> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>
> Personally the major reason I don’t like these tools is that they are Java
> based, and Java based apps are ugly and slow on OS X. If I led the project,
> I’d port to Python or something else, but I know that's a very expensive
> decision and probably not viable.
>
> -A
>
> On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
> wrote:
>
> A subtle advertising campaign could work
>
> <pharoah bender endorses ZAP.jpg>
>
> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>
> Leaders,
>
> As you hopefully know, ZAP is one of the most successful of all of the
> OWASP projects.
>
> However I want to significantly increase its takeup, and for that I'd like
> your advice and guidance.
>
> *What do you think are the top 3 (or more) things we could do increase ZAP
> usage?*
>
> I'm not just asking about new features or technical changes (but please
> include those if you think they are important), but also advertising,
> online presence, documentation, tutorial videos, conference talks, fluffy
> toys etc. etc.
> Anything that you think will get more developers and security folk using
> ZAP.
>
> I was going to start a poll, but I decided I didn't want to restrict or
> unduly influence your replies, so please "think out of the box" and other
> such clichés ;)
>
> Feel free to reply on this thread or directly to me.
>
> Many thanks,
>
> Simon
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
> --
>
> ____________________
>
> *Andrew Muller*
>
> Canberra OWASP Chapter Leader
>
> OWASP Testing Guide Co-Leader
>
> --
> Tony Turner
> OWASP Orlando Chapter Founder/Co-Leader
> tony.turner at owasp.org
>
> https://www.owasp.org/index.php/Orlando
>

-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
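Dave's suggestion above (ZAP as a passive sensor in CI, pumping its results into SonarQube) and Simon's pointer to the REST API clients fit together in a small glue script. The following is an added example, not code from the ZAP or SonarQube projects or from anyone on this thread. It assumes alerts in the shape ZAP's REST API returns (the `core/view/alerts` view, which the Python client exposes as `zap.core.alerts(baseurl=...)`), and it writes the JSON document that SonarQube ingests through its Generic Issue Import feature (the `sonar.externalIssuesReportPaths` scanner property, which postdates this 2014 thread). The risk-to-severity mapping, the `dast/<route>` file-path convention and the sample alerts are all constructed for the example; the plugin ids and alert texts are sample values, not taken from a real scan.

```python
"""Turn ZAP alerts into a SonarQube Generic Issue Import report and apply a CI gate.

Added example (not ZAP or SonarQube project code). Input: alert dicts in the
shape of ZAP's core/view/alerts API. Output: {"issues": [...]} JSON for the
sonar.externalIssuesReportPaths property, plus a list of build-blocking alerts.
"""
import json
import sys
from urllib.parse import urlparse

# Assumed mapping of ZAP risk levels onto SonarQube severities.
RISK_TO_SEVERITY = {"High": "CRITICAL", "Medium": "MAJOR", "Low": "MINOR", "Informational": "INFO"}
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
# ZAP confidence levels, ordered so a threshold can be applied.
CONFIDENCE_RANK = {"False Positive": 0, "Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

# Constructed sample alerts: plugin ids, texts and URLs are made up for this example.
SAMPLE_ALERTS = [
    {"pluginId": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "confidence": "High", "cweid": "693",
     "url": "http://app.test/login", "solution": "Set a CSP header on every response."},
    {"pluginId": "10010", "alert": "Cookie No HttpOnly Flag",
     "risk": "Low", "confidence": "Medium", "cweid": "1004",
     "url": "http://app.test/login", "solution": "Mark session cookies HttpOnly."},
    # Same finding on the same route with a different query string: a passive
    # sensor sees this for every request, so it must be de-duplicated.
    {"pluginId": "10010", "alert": "Cookie No HttpOnly Flag",
     "risk": "Low", "confidence": "Medium", "cweid": "1004",
     "url": "http://app.test/login?next=%2Fhome", "solution": "Mark session cookies HttpOnly."},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium", "cweid": "79",
     "url": "http://app.test/search?q=x", "solution": "Encode output and validate input."},
    # Low confidence: kept out of the dashboard by the default threshold.
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Low", "cweid": "693",
     "url": "http://app.test/static/app.js", "solution": "Send X-Content-Type-Options: nosniff."},
]


def url_to_file_path(url: str) -> str:
    """Map an alert URL onto a path SonarQube can attach the issue to.

    Assumption: the analysed project carries one placeholder file per route under
    dast/. SonarQube skips issues whose filePath is not among the analysed
    sources, so this convention has to match the real project layout.
    """
    path = urlparse(url).path.strip("/") or "index"
    return f"dast/{path}"


def alert_to_issue(alert: dict, engine_id: str = "zap") -> dict:
    """Convert one ZAP alert into one Generic Issue Import entry."""
    return {
        "engineId": engine_id,
        "ruleId": str(alert["pluginId"]),
        "severity": RISK_TO_SEVERITY.get(alert["risk"], "INFO"),
        "type": "VULNERABILITY",
        "primaryLocation": {
            "message": f'{alert["alert"]} (CWE-{alert["cweid"]}) at {alert["url"]}. {alert["solution"]}',
            "filePath": url_to_file_path(alert["url"]),
        },
    }


def build_report(alerts, min_confidence="Medium"):
    """Filter by confidence, de-duplicate per (rule, route), and build the report."""
    threshold = CONFIDENCE_RANK[min_confidence]
    seen = set()
    issues = []
    for a in alerts:
        if CONFIDENCE_RANK.get(a["confidence"], 0) < threshold:
            continue  # too uncertain for a dashboard developers are expected to act on
        key = (str(a["pluginId"]), url_to_file_path(a["url"]))
        if key in seen:
            continue
        seen.add(key)
        issues.append(alert_to_issue(a))
    return {"issues": issues}


def blocking_alerts(alerts, fail_on="High", min_confidence="Medium"):
    """Alerts that should fail the pipeline: risk >= fail_on and confidence >= min."""
    return [a for a in alerts
            if RISK_RANK.get(a["risk"], 0) >= RISK_RANK[fail_on]
            and CONFIDENCE_RANK.get(a["confidence"], 0) >= CONFIDENCE_RANK[min_confidence]]


if __name__ == "__main__":
    # In a real pipeline SAMPLE_ALERTS would be replaced by zap.core.alerts(baseurl=target).
    with open("zap-sonar-issues.json", "w") as fh:
        json.dump(build_report(SAMPLE_ALERTS), fh, indent=2)
    blockers = blocking_alerts(SAMPLE_ALERTS)
    for a in blockers:
        print(f"BLOCKING: {a['risk']}/{a['confidence']} {a['alert']} at {a['url']}")
    sys.exit(1 if blockers else 0)
```

Run after the ZAP proxy has seen the CI traffic, point `sonar.externalIssuesReportPaths` at the generated `zap-sonar-issues.json`, and the passive findings appear in the SonarQube project alongside the SAST results; the non-zero exit code gives the pipeline a gate without requiring the dashboard to be consulted. The confidence threshold and the de-duplication are what keep a passive sensor from drowning developers in one header finding repeated per request.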