[Owasp-leaders] ZAP as a Service

Jim Manico jim.manico at owasp.org
Thu Jun 4 19:42:03 UTC 2015


Jan,

This is largely 2012-2013 era research and many of these vectors have 
been fixed by the various JS framework authors.

Some updated research is needed in this area and be sure to keep your 
frameworks up to date! :)

Aloha,
Jim


On 6/2/15 1:41 PM, jan.kopecky at owasp.org wrote:
> Hello all,
>
> I believe most of you already know this, but just to be sure:
>
> https://code.google.com/p/mustache-security/
>
> Mario is responsible for this one. Very interesting reading when 
> dealing with any JS MVC Framework.
>
> Thank you,
>
> Jan
>
> Sent from Surface Pro
>
> *From:* Jim Manico <mailto:jim.manico at owasp.org>
> *Sent:* Saturday, May 30, 2015 5:54 AM
> *To:* Matt Tesauro <mailto:matt.tesauro at owasp.org>, Eoin Keary 
> <mailto:eoin.keary at owasp.org>
> *Cc:* owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>
>
> Whoa!
>
> > Assuming you will do a REST API, I'd strongly suggest you shoot for 
> level 2 or ideally level 3 that Fowler writes about at:
> http://martinfowler.com/articles/richardsonMaturityModel.html
>
> What a great REST resource. It's very helpful in terms of education. 
> Thanks for passing this along, Matt.
>
> Looking to seeing ZaaS go live. :)
>
> Aloha,
> Jim
>
>
>
>
> On 5/29/15 12:28 PM, Matt Tesauro wrote:
>
>     > the backend can be 100% API based
>
>     Which is awesome for those of us who want to automate and
>     completely skip the UI.
>
>     Assuming you will do a REST API, I'd strongly suggest you shoot
>     for level 2 or ideally level 3 that Fowler writes about at:
>     http://martinfowler.com/articles/richardsonMaturityModel.html
>
>     It will make your (and your users) interaction with the API much
>     nicer from a programming perspective.
>
>     Keep up the stellar ZAP work!
>
>     --
>     -- Matt Tesauro
>     OWASP WTE Project Lead
>     http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>     http://AppSecLive.org - Community and Download site
>     OWASP OpenStack Security Project Lead
>     https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>     On Fri, May 29, 2015 at 3:28 AM, Eoin Keary <eoin.keary at owasp.org
>     <mailto:eoin.keary at owasp.org>> wrote:
>
>         If you use angular the backend can be 100% API based which
>         reduces the work and also opens up a rich API for headless mode.
>
>         Eoin Keary
>         BCC Risk Advisory - edgescan CTO
>         Gartner "notable vendor" MSSP MQ
>
>
>
>         On 29 May 2015, at 08:45, The Black Labrador
>         <mike.goodwin at owasp.org <mailto:mike.goodwin at owasp.org>> wrote:
>
>             Angular 2 is a worry. All the signs are that migration
>             from v1 is not going to be a high priority for them.
>             Mobile first, then larger form factors then migration...maybe.
>
>             Angular is great, but they will lose a lot of trust and
>             users in my opinion.
>
>             Mike
>             ------------------------------------------------------------------------
>             From: Dinis Cruz <mailto:dinis.cruz at owasp.org>
>             Sent: 28/05/2015 17:17
>             To: Jim Manico <mailto:jim.manico at owasp.org>
>             Cc: owasp-leaders at lists.owasp.org
>             <mailto:owasp-leaders at lists.owasp.org>
>             Subject: Re: [Owasp-leaders] ZAP as a Service
>
>             yeah Angular is great (we're using that too), it's a bit
>             weird what is going on with angular 2.0, which opens up
>             the game to other frameworks like React.js
>
>             And from a security point of view, as Jim mentioned
>             Angular has a really good security story
>
>             Dinis
>
>             On 28 May 2015 at 16:27, Jim Manico <jim.manico at owasp.org
>             <mailto:jim.manico at owasp.org>> wrote:
>
>                 I personally recommend Angular templates. This is
>                 quickly becoming the de facto standard for XSS
>                 resistant templating. It's one of the only popular
>                 context-aware auto-escaping templates, it has a
>                 built-in HTML sanitizer, and it offers an integrated
>                 CSP module.
>
>                 If you have a greenfield project choice - go angular.
>                 Just make sure your developers are using the HTML
>                 sanitizer anytime they disable escaping for a certain
>                 field.
>
>                 Aloha,
>                 Jim
>
>
>
>
>
>                 On 5/28/15 4:38 PM, Dinis Cruz wrote:
>
>                     Let me (or Michael Hidalgo from OWASP in Costa
>                     Rica) know if you want a NodeJS front-end that
>                     runs with Jade Templates (with no or minimal
>                     Javascript)
>
>                     That is what we spend our days coding in :)
>
>                     Dinis
>
>                     On 28 May 2015 at 13:40, psiinon
>                     <psiinon at gmail.com <mailto:psiinon at gmail.com>> wrote:
>
>                         We certainly don't want to hand-craft a load of
>                         JS and cope with all of the different browser
>                         variations ;)
>                         So yes, I expect we'll be using a JS framework.
>                         I've started investigating them, but it's early
>                         days - this is one we'll definitely be
>                         discussing on the ZAP Developer Group.
>
>                         Cheers,
>
>                         Simon
>
>                         On Thu, May 28, 2015 at 1:36 PM, johanna
>                         curiel curiel <johanna.curiel at owasp.org
>                         <mailto:johanna.curiel at owasp.org>> wrote:
>
>                             Hi Simon
>
>
>                             You mentioned you will use HTML5, are you
>                             planning to use this in combination with
>                             any JavaScript frameworks or the use of
>                             JSP could be implemented?
>
>                             regards
>
>                             Johanna
>
>                             On Thu, May 28, 2015 at 7:23 AM, psiinon
>                             <psiinon at gmail.com
>                             <mailto:psiinon at gmail.com>> wrote:
>
>                                 Leaders,
>
>                                 Last week at Amsterdam I announced a
>                                 new direction for ZAP - ZAP as a
>                                 Service (ZaaS).
>                                 I've just published a blog post which
>                                 gives a few more details:
>                                 http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>
>                                 I think this is a major development
>                                 for ZAP, which is why I've posted to
>                                 this list ;)
>
>                                 Cheers,
>
>                                 Simon
>
>                                 -- 
>                                 OWASP ZAP
>                                 <https://www.owasp.org/index.php/ZAP>
>                                 Project leader
>
>                                 _______________________________________________
>                                 OWASP-Leaders mailing list
>                                 OWASP-Leaders at lists.owasp.org
>                                 <mailto:OWASP-Leaders at lists.owasp.org>
>                                 https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>
>                         -- 
>                         OWASP ZAP
>                         <https://www.owasp.org/index.php/ZAP> Project
>                         leader
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
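
An added illustration, in plain JavaScript, of the pattern Jim recommends above (escape by default, and route any field that opts out of escaping through an HTML sanitizer). This is constructed for this post; it is not Angular's code, and the template syntax, tag allowlist and model values are assumptions made for the example.

```javascript
// Toy "escape by default" template renderer. {{name}} is always HTML-escaped;
// {{{name}}} is the opt-out, and even that path goes through the sanitizer
// rather than emitting the value verbatim. Not Angular; constructed example.

function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Allowlist sanitizer (assumed toy rules): a few formatting tags are kept only
// when they carry no attributes; every other tag is neutralised by escaping it
// as text, so nothing is silently dropped and nothing executable survives.
const ALLOWED_TAGS = new Set(["b", "i", "em", "strong", "p", "br"]);

function sanitizeHtml(html) {
  // Tokens: a tag (with optional attributes), a run of text, or a stray "<".
  return String(html).replace(
    /<\/?([a-zA-Z][a-zA-Z0-9]*)([^>]*)>|[^<]+|</g,
    (tok, name, attrs) => {
      if (name === undefined) return escapeHtml(tok);          // text or lone "<"
      const ok = ALLOWED_TAGS.has(name.toLowerCase()) && attrs.trim() === "";
      return ok ? tok : escapeHtml(tok);                        // unknown/attributed tag -> text
    });
}

function render(template, model) {
  // Single pass: a substituted value is never re-scanned as template syntax,
  // so user data containing "{{...}}" cannot become a template expression.
  return template.replace(/\{\{\{(\w+)\}\}\}|\{\{(\w+)\}\}/g, (_, raw, esc) =>
    raw !== undefined ? sanitizeHtml(model[raw] ?? "")
                      : escapeHtml(model[esc] ?? ""));
}

// Constructed hostile inputs to show both paths.
function demo() {
  const model = {
    user: "<img src=x onerror=alert(1)>",           // escaped path
    bio: "<b>hi</b> <script>alert(2)</script>",      // sanitized opt-out path
  };
  return {
    escaped: render("<p>{{user}}</p>", model),
    sanitized: render("<div>{{{bio}}}</div>", model),
  };
}
```

The escaped path turns the whole value into text, while the opt-out keeps `<b>` and renders the `<script>` element as harmless text.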
