[Owasp-leaders] How to increase ZAP takeup?

psiinon psiinon at gmail.com
Mon Sep 15 16:13:32 UTC 2014

I _really_ like the idea of an OWASP Ecology :)

Right now there isn't really any coherence in the OWASP projects, which isn't
really surprising considering how OWASP projects are developed.

One way to approach this would be to redefine the Flagship status to be
both an indication of quality _and_ an indication that the projects fit in
well to this new 'OWASP Ecology'.
We would need to define exactly what this means, but I think it could be a
really beneficial move for OWASP.

Anyone else like this sort of approach?



On Sat, Sep 13, 2014 at 2:50 AM, Tony UV <tonyuv at owasp.org> wrote:

> To increase adoption and use of ZAP, I wanted to build off of Bill's
> comments by unifying some functional and marketing points.
> IMHO, the way to further proliferate ZAP is to establish a depiction of an
> OWASP ecology of tools and projects.  I think ZAP is in a position to align
> to multiple projects and integrate as part of a security assurance
> framework.
> From a marketing sense, the story line would be to adopt a security
> assurance framework and see how ZAP can help to test the following, which
> would all be some elements of a security assurance framework.
> - implementing pre-emptive controls/ countermeasures that reflect security
> standards that should be put into place as a security governance exercise.
>  Leverage as governance artifacts other OWASP projects like cheat sheets
> and ZAP could test against an app and validate the presence of a suggested
> countermeasure or secure design pattern that is in a cheat sheet.  So far
> linking a multiple of Cheat Sheet projects to ZAP (ecology growing).
> - Active scanner feature in ZAP could emulate OWASP Top 10 and incorporate
> better reporting on that.  To Bill's point, reporting and marketing around
> ZAP's future reporting could really generate some buzz. OWASP Top 10
> integration furthers this ecological depiction.
> - You've already integrated DirBuster and JBroFuzz which is awesome.
>  Leverage some of the deliberately broken web apps that we have as projects
> in both ready state (WebGoat, etc.) to ZAP, could provide both a security
> awareness training (another discipline) and security testing discipline.
>  Problem is that in my experience, you'll need to ensure that such
> deliberately broken web app instances are discoverable by the active
> scanner in ZAP.  Obviously, manually using the proxy's ability to capture
> requests/responses, one can easily depict the flaws manually, but for
> complete noobs, the active scanner would illustrate and achieve the
> awareness component and generate the 'ah-ha' factor that is common with
> those just getting into app testing. From a security testing discipline,
> you can further this ecology idea by using the Application Security
> Verification Standard (Security Testing discipline). You can provide a
> 'mode' or experience where you can ask who the user is (Tester, Trainer,
> Developer) etc.  I think this greatly helps to provide greater ease of use
> b/c there are different people that are picking up ZAP and applying it
> today.
> Having this ecology as a framework for which users can interact with, via
> ZAP, provides a center point, which I think is extremely cool. Obviously,
> we have tons of projects and tools so you could have your own version of an
> OWASP Ecology and even better, allow for a front end RBAC model whose roles
> dictate what integrated projects are integrated into this dynamic ecology
> of projects.  It's also great b/c it really unites tools with reference
> projects and extends beyond the Builders-Breakers, etc. to illustrate how
> Security Assurance (at a very simplistic level) can be emulated from a ZAP
> based OWASP ecology of tools.
> I personally think that speaking of this OWASP ecology can provide for a
> multi-faceted marketing, training, talks where you don't only have one
> project leader but multiple project leaders speak to their respective
> ecology area and how it's illustrated via ZAP testing.
> Separate from all of this, I highly think that a global survey on ZAP
> could be done and one that simply asks, 'Do AppSec? Top 3 reasons you don't
> have ZAP in your arsenal.'
> Best,
> Tony UV
> On Thu, Sep 11, 2014 at 8:33 AM, Bill Sempf <bill.sempf at owasp.org> wrote:
>> I've been doing a lot of work recently as an application vulnerability
>> tester, and there are two kinds of clients out there. There are those that
>> simply expect you to use burp and those who don't care what you use as long
>> as your results are good. So we have two targets.
>> To change clients that expect testers to use Burp:
>>  - Any chance the 'save state' file can be made Burp compatible?
>>  - I agree with whomever said reporting
>>  - Video series of solving tough testing problems with ZAP?
>>  - These are people that WOULD be swayed with conference booths and
>> plushies
>> To convince testers to use ZAP when the client doesn't care
>>  - even more work on the scanner. Burp's scanner is good.
>>  - Wizards to walk noobs through core functionality
>>  - I think the fuzzing tool is too hard to use but that might just be me
>>  - Content discovery. Maybe ZAP already has that and I just didn't know.
>> One perspective from one side of the biz, but there you go.
>> S
>> On Thu, Sep 11, 2014 at 8:22 AM, (P7N) Jason Johnson <
>> jason.johnson at p7n.net> wrote:
>>> What about reporting? Everyone loves a report of some kind. I think it
>>> has a bit of reporting built in. There are lots of reporting engines like
>>> birt and adding a reply maker to it would be sweet. What do you think?
>>> On September 11, 2014 7:16:21 AM CDT, psiinon <psiinon at gmail.com> wrote:
>>>> You're right, it's not viable :)
>>>> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>>>>> Personally the major reason I don’t like these tools is that they are
>>>>> Java based, and Java based apps are ugly and slow on OS X. If I led the
>>>>> project, I’d port to python or something else, but I know that's a very
>>>>> expensive decision and probably not viable.
>>>>> -A
>>>>> On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
>>>>> wrote:
>>>>> A subtle advertising campaign could work
>>>>> <pharoah bender endorses ZAP.jpg>
>>>>> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>> Leaders,
>>>>>> As you hopefully know, ZAP is one of the most successful of all of
>>>>>> the OWASP projects.
>>>>>> However I want to significantly increase its takeup, and for that I'd
>>>>>> like your advice and guidance.
>>>>>> *What do you think are the top 3 (or more) things we could do to
>>>>>> increase ZAP usage?*
>>>>>> I'm not just asking about new features or technical changes (but
>>>>>> please include those if you think they are important), but also
>>>>>> advertizing, online presence, documentation, tutorial videos, conference
>>>>>> talks, fluffy toys etc etc.
>>>>>> Anything that you think will get more developers and security folk
>>>>>> using ZAP.
>>>>>> I was going to start a poll, but I decided I didn't want to restrict
>>>>>> or unduly influence your replies, so please "think out of the box" and
>>>>>> other such cliches ;)
>>>>>> Feel free to reply on this thread or directly to me.
>>>>>> Many thanks,
>>>>>> Simon
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>> _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> --
>>>>> ____________________
>>>>> *Andrew Muller*
>>>>> Canberra OWASP Chapter Leader
>>>>> OWASP Testing Guide Co-Leader
>>> Jason Johnson
>>> cell: 405-875-4413
>>> ProjectSeven Networks™
>>> ___
>>> 💻because data is beautiful...
>>> 🌲please do not print this email.

OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader