[Owasp-leaders] ZAP as a Service

Matt Tesauro matt.tesauro at owasp.org
Tue Jun 2 23:50:29 UTC 2015


Jim,

Been using that in my WTE + REST class for a while now - it was the best
resource I found on how to measure the maturity of a REST API.

Enjoy!

--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site
OWASP OpenStack Security Project Lead
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project

On Fri, May 29, 2015 at 10:54 PM, Jim Manico <jim.manico at owasp.org> wrote:

>  Whoa!
>
> > Assuming you will do a REST API, I'd strongly suggest you shoot for
> > level 2 or ideally level 3 that Fowler writes about at:
> > http://martinfowler.com/articles/richardsonMaturityModel.html
>
> What a great REST resource. It's very helpful in terms of education.
> Thanks for passing this along, Matt.
>
> Looking forward to seeing ZaaS go live. :)
>
> Aloha,
> Jim
>
>
>
>
> On 5/29/15 12:28 PM, Matt Tesauro wrote:
>
> > the backend can be 100% API based
>
>  Which is awesome for those of us who want to automate and completely
> skip the UI.
>
>  Assuming you will do a REST API, I'd strongly suggest you shoot for
> level 2 or ideally level 3 that Fowler writes about at:
> http://martinfowler.com/articles/richardsonMaturityModel.html
>
>  It will make your (and your users') interaction with the API much nicer
> from a programming perspective.
>
>  Keep up the stellar ZAP work!
>
>  --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> On Fri, May 29, 2015 at 3:28 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>
>>  If you use Angular the backend can be 100% API based, which reduces the
>> work and also opens up a rich API for headless mode.
>>
>> Eoin Keary
>> BCC Risk Advisory - edgescan CTO
>> Gartner "notable vendor" MSSP MQ
>>
>>
>>
>> On 29 May 2015, at 08:45, The Black Labrador <mike.goodwin at owasp.org>
>> wrote:
>>
>>   Angular 2 is a worry. All the signs are that migration from v1 is not
>> going to be a high priority for them. Mobile first, then larger form
>> factors, then migration...maybe.
>>
>> Angular is great, but they will lose a lot of trust and users in my
>> opinion.
>>
>> Mike
>>  ------------------------------
>> From: Dinis Cruz <dinis.cruz at owasp.org>
>> Sent: 28/05/2015 17:17
>> To: Jim Manico <jim.manico at owasp.org>
>> Cc: owasp-leaders at lists.owasp.org
>> Subject: Re: [Owasp-leaders] ZAP as a Service
>>
>>  yeah Angular is great (we're using that too), it's a bit weird what is
>> going on with angular 2.0, which opens up the game to other frameworks like
>> React.js
>>
>>  And from a security point of view, as Jim mentioned Angular has a
>> really good security story
>>
>>  Dinis
>>
>> On 28 May 2015 at 16:27, Jim Manico <jim.manico at owasp.org> wrote:
>>
>>>  I personally recommend Angular templates. This is quickly becoming the
>>> de facto standard for XSS-resistant templating. It's one of the only popular
>>> context-aware auto-escaping templates, it has a built-in HTML sanitizer,
>>> and it offers an integrated CSP module.
>>>
>>> If you have a greenfield project choice - go Angular. Just make sure
>>> your developers are using the HTML sanitizer anytime they disable escaping
>>> for a certain field.
>>>
>>> Aloha,
>>> Jim
>>>
>>>
>>>
>>>
>>>
>>> On 5/28/15 4:38 PM, Dinis Cruz wrote:
>>>
>>> Let me (or Michael Hidalgo from OWASP in Costa Rica) know if you want a
>>> NodeJS front-end that runs with Jade Templates (with no or minimal
>>> JavaScript)
>>>
>>>  That is what we spend our days coding in :)
>>>
>>>  Dinis
>>>
>>> On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com> wrote:
>>>
>>>>   We certainly don't want to hand-craft a load of JS and cope with all
>>>> of the different browser variations ;)
>>>>  So yes, I expect we'll be using a JS framework.
>>>>  I've started investigating them, but it's early days - this is one
>>>> we'll definitely be discussing on the ZAP Developer Group.
>>>>
>>>>  Cheers,
>>>>
>>>>  Simon
>>>>
>>>> On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel <
>>>> johanna.curiel at owasp.org> wrote:
>>>>
>>>>> Hi Simon
>>>>>
>>>>>
>>>>>  You mentioned you will use HTML5, are you planning to use this in
>>>>> combination with any JavaScript frameworks or the use of JSP could be
>>>>> implemented?
>>>>>
>>>>>  regards
>>>>>
>>>>>  Johanna
>>>>>
>>>>>  On Thu, May 28, 2015 at 7:23 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>
>>>>>>    Leaders,
>>>>>>
>>>>>> Last week at Amsterdam I announced a new direction for ZAP - ZAP as a
>>>>>> Service (ZaaS).
>>>>>>  I've just published a blog post which gives a few more details:
>>>>>> http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>>>>>>
>>>>>>  I think this is a major development for ZAP, which is why I've
>>>>>> posted to this list ;)
>>>>>>
>>>>>>  Cheers,
>>>>>>
>>>>>>  Simon
>>>>>>
>>>>>> --
>>>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>>>
>>>>>>  _______________________________________________
>>>>>> OWASP-Leaders mailing list
>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>>
>>
>>
>
>
>
>
>