[Owasp-leaders] ZAP as a Service

jan.kopecky at owasp.org jan.kopecky at owasp.org
Tue Jun 2 20:41:47 UTC 2015


Hello all,


I believe most of you already know this, but just to be sure:


https://code.google.com/p/mustache-security/



Mario is responsible for this one. Very interesting reading when dealing with any JS MVC Framework.


Thank you,


Jan






Sent from Surface Pro





From: Jim Manico
Sent: ‎Saturday‎, ‎May‎ ‎30‎, ‎2015 ‎5‎:‎54‎ ‎AM
To: Matt Tesauro, Eoin Keary
Cc: owasp-leaders at lists.owasp.org




Whoa!

> Assuming you will do a REST API, I'd strongly suggest you shoot for level 2 or ideally level 3 that Fowler writes about at: 
http://martinfowler.com/articles/richardsonMaturityModel.html

What a great REST resource. It's very helpful in terms of education. Thanks for passing this along, Matt.

Looking to seeing ZaaS go live. :)

Aloha,
Jim






On 5/29/15 12:28 PM, Matt Tesauro wrote:



> the backend can be 100% API based 



Which is awesome for those of us who want to automate and completely skip the UI.




Assuming you will do a REST API, I'd strongly suggest you shoot for level 2 or ideally level 3 that Fowler writes about at:

http://martinfowler.com/articles/richardsonMaturityModel.html




It will make your (and your users) interaction with the API much nicer from a programming perspective.




Keep up the stellar ZAP work! 




--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site 
OWASP OpenStack Security Project Lead 
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Fri, May 29, 2015 at 3:28 AM, Eoin Keary <eoin.keary at owasp.org> wrote:



If you use angular the backend can be 100% API based which reduced the work and also open up a rich API for headless mode.

Eoin Keary 
BCC Risk Advisory - edgescan CTO

Gartner "notable vendor" MSSP MQ










On 29 May 2015, at 08:45, The Black Labrador <mike.goodwin at owasp.org> wrote:






Angular 2 is a worry. All the signs are that migration from v1 is not going to be a high priority for them. Mobile first, then larger firm factors then migration...maybe.

Angular is great, but they will lose a lot of trust and users in my opinion.

Mike



From: Dinis Cruz
Sent: ‎28/‎05/‎2015 17:17
To: Jim Manico
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] ZAP as a Service



yeah Angular is great (we're using that too), it's a bit weird what is going on with angular 2.0, which opens up the game to other frameworks like React.js 



And from a security point of view, as Jim mentioned Angular has a really good security story




Dinis



On 28 May 2015 at 16:27, Jim Manico <jim.manico at owasp.org> wrote:


I personally recommend Angular templates. This is quickly becoming the defacto-standard for XSS resistant templating. It's one of the only popular context-aware auto-escaping templates, it has a built-in HTML sanitizer, and it offers an integrated CSP module.

If you have a greenfield project choice - go angular. Just make sure your developers are using the HTML sanitizer anytime they disable escaping for a certain field.

Aloha,
Jim 







On 5/28/15 4:38 PM, Dinis Cruz wrote:



Let me (or Michael Hidalgo from OWASP in Costa Rica) know If you want a NodeJS front-end that runs with Jade Templates (with no or minimal Javascript)  



That is what we spend our days coding in :)




Dinis



On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com> wrote:






We certainly dont want to hand-craft a load of JS and cope with all of the different browser variations ;)

So yes, I expect we'll be using a JS framework.
I've started investigating them, but its early days - this is one we'll definitely be discussing on the ZAP Developer Group.



Cheers,

Simon





On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:


Hi Simon 






You mentioned you will use HTML5 , are you planning to use this in combination with any JavaScript frameworks or the use of JSP could be implemented?




regards




Johanna





On Thu, May 28, 2015 at 7:23 AM, psiinon <psiinon at gmail.com> wrote:








Leaders,



Last week at Amsterdam I announced a new direction for ZAP - ZAP as a Service (ZaaS).

I've just published a blog post which gives a few more details: http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html


I think this is a major development for ZAP, which is why I've posted to this list ;)




Cheers,

Simon





-- 

OWASP ZAP Project leader


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders





-- 

OWASP ZAP Project leader


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders





_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders





_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders





_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20150602/7bce621e/attachment-0001.html>


More information about the OWASP-Leaders mailing list