[Owasp-leaders] How to increase ZAP takeup?

johanna curiel curiel johanna.curiel at owasp.org
Mon Sep 15 16:40:26 UTC 2014


> Any one else like this sort of approach?

I do. I'm working on a "mapping" of projects' code/tools based on the area
of security they are working on and their level of maturity.

regards

Johanna

On Mon, Sep 15, 2014 at 12:13 PM, psiinon <psiinon at gmail.com> wrote:

> I _really_ like the idea of an OWASP Ecology :)
>
> Right now there isn't really any coherence in the OWASP projects, which
> isn't really surprising considering how OWASP projects are developed.
>
> One way to approach this would be to redefine the Flagship status to be
> both an indication of quality _and_ an indication that the projects fit in
> well to this new 'OWASP Ecology'.
> We would need to define exactly what this means, but I think it could be a
> really beneficial move for OWASP.
>
> Any one else like this sort of approach?
>
> Cheers,
>
> Simon
>
>
> On Sat, Sep 13, 2014 at 2:50 AM, Tony UV <tonyuv at owasp.org> wrote:
>
>> To increase adoption and use of ZAP, I wanted to build off of Bill's
>> comments by unifying some functional and marketing points.
>>
>> IMHO, the way to further proliferate ZAP is to establish a depiction of
>> an OWASP ecology of tools and projects.  I think ZAP is in a position to
>> align to multiple projects and integrate as part of a security assurance
>> framework.
>>
>> From a marketing sense, the story line would be to adopt a security
>> assurance framework and see how ZAP can help to test the following, which
>> would all be some elements of a security assurance framework.
>>
>> - implementing pre-emptive controls/countermeasures that reflect
>> security standards that should be put into place as a security governance
>> exercise.  Leverage as governance artifacts other OWASP projects like cheat
>> sheets; ZAP could test against an app and validate the presence of a
>> suggested countermeasure or secure design pattern that is in a cheat sheet.
>> So far linking multiple Cheat Sheet projects to ZAP (ecology growing).
>> - Active scanner feature in ZAP could emulate OWASP Top 10 and
>> incorporate better reporting on that.  To Bill's point, reporting and
>> marketing around ZAP's future reporting could really generate some buzz.
>> OWASP Top 10 integration furthers this ecological depiction.
>> - You've already integrated DirBuster and JBroFuzz, which is awesome.
>> Leveraging some of the deliberately broken web apps that we have as projects
>> in a ready state (WebGoat, etc.) with ZAP could provide both a security
>> awareness training (another discipline) and security testing discipline.
>>  Problem is that in my experience, you'll need to ensure that such
>> deliberately broken web app instances are discoverable by the active
>> scanner in ZAP.  Obviously, manually using the proxy's ability to capture
>> requests/responses, one can easily depict the flaws manually, but for
>> complete noobs, the active scanner would illustrate and achieve the
>> awareness component and generate the 'ah-ha' factor that is common with
>> those just getting into app testing. From a security testing discipline,
>> you can further this ecology idea by using the Application Security
>> Verification Standard (Security Testing discipline). You can provide a
>> 'mode' or experience where you can ask who the user is (Tester, Trainer,
>> Developer) etc.  I think this greatly helps to provide greater ease of use
>> b/c there are different people that are picking up ZAP and applying it
>> today.
>>
>> Having this ecology as a framework with which users can interact, via
>> ZAP, provides a center point, which I think is extremely cool. Obviously,
>> we have tons of projects and tools so you could have your own version of an
>> OWASP Ecology and even better, allow for a front end RBAC model whose roles
>> dictate which projects are integrated into this dynamic ecology
>> of projects.  It's also great b/c it really unites tools with reference
>> projects and extends beyond the Builders-Breakers, etc. to illustrate how
>> Security Assurance (at a very simplistic level) can be emulated from a ZAP
>> based OWASP ecology of tools.
>>
>> I personally think that speaking of this OWASP ecology can provide for
>> multi-faceted marketing, training, and talks where you don't only have one
>> project leader but multiple project leaders speak to their respective
>> ecology area and how it's illustrated via ZAP testing.
>>
>> Separate from all of this, I highly think that a global survey on ZAP
>> could be done and one that simply asks, 'Do AppSec? Top 3 reasons you don't
>> have ZAP in your arsenal.'
>>
>> Best,
>>
>> Tony UV
>>
>> On Thu, Sep 11, 2014 at 8:33 AM, Bill Sempf <bill.sempf at owasp.org> wrote:
>>
>>> I've been doing a lot of work recently as an application vulnerability
>>> tester, and there are two kinds of clients out there. There are those that
>>> simply expect you to use burp and those who don't care what you use as long
>>> as your results are good. So we have two targets.
>>>
>>> To change clients that expect testers to use Burp:
>>>  - Any chance the 'save state' file can be made Burp compatible?
>>>  - I agree with whomever said reporting
>>>  - Video series of solving tough testing problems with ZAP?
>>>  - These are people that WOULD be swayed with conference booths and
>>> plushies
>>>
>>> To convince testers to use ZAP when the client doesn't care
>>>  - even more work on the scanner. Burp's scanner is good.
>>>  - Wizards to walk noobs through core functionality
>>>  - I think the fuzzing tool is too hard to use but that might just be me
>>>  - Content discovery. Maybe ZAP already has that and I just didn't know.
>>>
>>> One perspective from one side of the biz, but there you go.
>>>
>>> S
>>>
>>> On Thu, Sep 11, 2014 at 8:22 AM, (P7N) Jason Johnson <
>>> jason.johnson at p7n.net> wrote:
>>>
>>>> What about reporting? Everyone loves a report of some kind. I think it
>>>> has a bit of reporting built in. There are lots of reporting engines like
>>>> birt and adding a reply maker to it would be sweet. What do you think?
>>>>
>>>>
>>>> On September 11, 2014 7:16:21 AM CDT, psiinon <psiinon at gmail.com>
>>>> wrote:
>>>>>
>>>>> You're right, it's not viable :)
>>>>>
>>>>> On Thu, Sep 11, 2014 at 1:11 PM, <abbas.naderi at owasp.org> wrote:
>>>>>
>>>>>> Personally the major reason I don’t like these tools is that they are
>>>>>> Java based, and Java based apps are ugly and slow on OS X. If I led the
>>>>>> project, I’d port to python or something else, but I know that's a very
>>>>>> expensive decision and probably not viable.
>>>>>> -A
>>>>>>
>>>>>> On Sep 11, 2014, at 7:50 AM, Andrew Muller <andrew.muller at owasp.org>
>>>>>> wrote:
>>>>>>
>>>>>> A subtle advertising campaign could work
>>>>>>
>>>>>> <pharoah bender endorses ZAP.jpg>
>>>>>>
>>>>>> On Thu, Sep 11, 2014 at 8:59 PM, psiinon <psiinon at gmail.com> wrote:
>>>>>>
>>>>>>> Leaders,
>>>>>>>
>>>>>>> As you hopefully know, ZAP is one of the most successful of all of
>>>>>>> the OWASP projects.
>>>>>>>
>>>>>>> However I want to significantly increase its takeup, and for that
>>>>>>> I'd like your advice and guidance.
>>>>>>>
>>>>>>> *What do you think are the top 3 (or more) things we could do to
>>>>>>> increase ZAP usage?*
>>>>>>>
>>>>>>> I'm not just asking about new features or technical changes (but
>>>>>>> please include those if you think they are important), but also
>>>>>>> advertising, online presence, documentation, tutorial videos, conference
>>>>>>> talks, fluffy toys etc etc.
>>>>>>> Anything that you think will get more developers and security folk
>>>>>>> using ZAP.
>>>>>>>
>>>>>>> I was going to start a poll, but I decided I didn't want to restrict
>>>>>>> or unduly influence your replies, so please "think out of the box" and
>>>>>>> other such clichés ;)
>>>>>>>
>>>>>>> Feel free to reply on this thread or directly to me.
>>>>>>>
>>>>>>> Many thanks,
>>>>>>>
>>>>>>> Simon
>>>>>>>
>>>>>>> --
>>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> ____________________
>>>>>> *Andrew Muller*
>>>>>> Canberra OWASP Chapter Leader
>>>>>> OWASP Testing Guide Co-Leader
>>>>>
>>>>>
>>>> Jason Johnson
>>>> cell: 405-875-4413
>>>> ProjectSeven Networks™
>>>> ___
>>>>
>>>> 💻because data is beautiful...
>>>>
>>>> 🌲please do not print this email.
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
>
>