[Owasp-leaders] ZAP as a Service

Eoin Keary eoin.keary at owasp.org
Thu Jun 4 19:53:57 UTC 2015


+1
Indeed, many of the vectors are old but nevertheless interesting in terms of why they were effective.

Eoin Keary
BCC Risk Advisory - edgescan CTO
Gartner "notable vendor" MSSP MQ



> On 4 Jun 2015, at 20:42, Jim Manico <jim.manico at owasp.org> wrote:
> 
> Jan,
> 
> This is largely 2012-2013 era research and many of these vectors have been fixed by the various JS framework authors.
> 
> Some updated research is needed in this area and be sure to keep your frameworks up to date! :)
> 
> Aloha,
> Jim
> 
> 
>> On 6/2/15 1:41 PM, jan.kopecky at owasp.org wrote:
>> Hello all,
>> 
>> I believe most of you already know this, but just to be sure:
>> 
>> https://code.google.com/p/mustache-security/
>> 
>> Mario is responsible for this one. Very interesting reading when dealing with any JS MVC Framework.
>> 
>> Thank you,
>> 
>> Jan
>> 
>> Sent from Surface Pro
>> 
>> From: Jim Manico
>> Sent: Saturday, May 30, 2015 5:54 AM
>> To: Matt Tesauro, Eoin Keary
>> Cc: owasp-leaders at lists.owasp.org
>> 
>> Whoa!
>> 
>> > Assuming you will do a REST API, I'd strongly suggest you shoot for level 2 or ideally level 3 that Fowler writes about at:
>> http://martinfowler.com/articles/richardsonMaturityModel.html
>> 
>> What a great REST resource. It's very helpful in terms of education. Thanks for passing this along, Matt.
>> 
>> Looking forward to seeing ZaaS go live. :)
>> 
>> Aloha,
>> Jim
>> 
>> 
>> 
>> 
>> On 5/29/15 12:28 PM, Matt Tesauro wrote:
>> > the backend can be 100% API based
>> 
>> Which is awesome for those of us who want to automate and completely skip the UI.
>> 
>> Assuming you will do a REST API, I'd strongly suggest you shoot for level 2 or ideally level 3 that Fowler writes about at:
>> http://martinfowler.com/articles/richardsonMaturityModel.html
>> 
>> It will make your (and your users') interaction with the API much nicer from a programming perspective.
>> 
>> Keep up the stellar ZAP work! 
>> 
>> --
>> -- Matt Tesauro
>> OWASP WTE Project Lead
>> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>> http://AppSecLive.org - Community and Download site
>> OWASP OpenStack Security Project Lead
>> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>> 
>>> On Fri, May 29, 2015 at 3:28 AM, Eoin Keary <eoin.keary at owasp.org> wrote:
>>> If you use Angular the backend can be 100% API based, which reduces the work and also opens up a rich API for headless mode.
>>> 
>>> Eoin Keary
>>> BCC Risk Advisory - edgescan CTO
>>> Gartner "notable vendor" MSSP MQ
>>> 
>>> 
>>> 
>>> On 29 May 2015, at 08:45, The Black Labrador <mike.goodwin at owasp.org> wrote:
>>> 
>>> Angular 2 is a worry. All the signs are that migration from v1 is not going to be a high priority for them. Mobile first, then larger form factors, then migration...maybe.
>>> 
>>> Angular is great, but they will lose a lot of trust and users in my opinion.
>>> 
>>> Mike
>>> From: Dinis Cruz
>>> Sent: ‎28/‎05/‎2015 17:17
>>> To: Jim Manico
>>> Cc: owasp-leaders at lists.owasp.org
>>> Subject: Re: [Owasp-leaders] ZAP as a Service
>>> 
>>> yeah Angular is great (we're using that too), it's a bit weird what is going on with angular 2.0, which opens up the game to other frameworks like React.js
>>> 
>>> And from a security point of view, as Jim mentioned, Angular has a really good security story.
>>> 
>>> Dinis
>>> 
>>>> On 28 May 2015 at 16:27, Jim Manico <jim.manico at owasp.org> wrote:
>>>> I personally recommend Angular templates. This is quickly becoming the de facto standard for XSS-resistant templating. It's one of the only popular context-aware auto-escaping templates, it has a built-in HTML sanitizer, and it offers an integrated CSP module.
>>>> 
>>>> If you have a greenfield project choice - go angular. Just make sure your developers are using the HTML sanitizer anytime they disable escaping for a certain field.
>>>> 
>>>> Aloha,
>>>> Jim
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> On 5/28/15 4:38 PM, Dinis Cruz wrote:
>>>> Let me (or Michael Hidalgo from OWASP in Costa Rica) know if you want a NodeJS front-end that runs with Jade Templates (with no or minimal JavaScript).
>>>> 
>>>> That is what we spend our days coding in :)
>>>> 
>>>> Dinis
>>>> 
>>>>> On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com> wrote:
>>>>> We certainly don't want to hand-craft a load of JS and cope with all of the different browser variations ;)
>>>>> So yes, I expect we'll be using a JS framework.
>>>>> I've started investigating them, but it's early days - this is one we'll definitely be discussing on the ZAP Developer Group.
>>>>> 
>>>>> Cheers,
>>>>> 
>>>>> Simon
>>>>> 
>>>>> On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:
>>>>>> Hi Simon
>>>>>> 
>>>>>> 
>>>>>> You mentioned you will use HTML5; are you planning to use this in combination with any JavaScript frameworks, or could JSP be used?
>>>>>> 
>>>>>> regards
>>>>>> 
>>>>>> Johanna
>>>>>> 
>>>>>> On Thu, May 28, 2015 at 7:23 AM, psiinon <psiinon at gmail.com> wrote:
>>>>>>> Leaders,
>>>>>>> 
>>>>>>> Last week at Amsterdam I announced a new direction for ZAP - ZAP as a Service (ZaaS).
>>>>>>> I've just published a blog post which gives a few more details: http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>>>>>>> 
>>>>>>> I think this is a major development for ZAP, which is why I've posted to this list ;)
>>>>>>> 
>>>>>>> Cheers,
>>>>>>> 
>>>>>>> Simon
>>>>>>> 
>>>>>>> -- 
>>>>>>> OWASP ZAP Project leader
>>>>>>> 
>>>>>>> _______________________________________________
>>>>>>> OWASP-Leaders mailing list
>>>>>>> OWASP-Leaders at lists.owasp.org
>>>>>>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>>> 
>>>>> 
>>>>> 
>>>>> -- 
>>>>> OWASP ZAP Project leader
>>>>> 
>>>> 
>>>> 
>>>> 
>>> 
>> 
>> 
>> 
> 
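Jim's point above about context-aware auto-escaping, and about running a value through the HTML sanitizer whenever escaping is switched off for a field, is easier to see in code. The following is an added example written for this page; it is not code from the thread, from ZAP or from Angular. It is a toy template renderer whose placeholders declare their output context (text, attribute, URL, or raw), so the same attacker payload is treated differently in each. The URL allow-list, the `{{ctx:name}}` placeholder syntax and the sample data are this example's own choices, and a real sanitizer (for example Angular's ngSanitize) is deliberately not reimplemented: the `raw` context shows what is exposed when escaping is disabled without one.

```javascript
// Added example, not code from the thread, ZAP or Angular. A toy templating
// function that escapes each placeholder according to its output context,
// to show why "context-aware auto-escaping" matters for XSS resistance and
// what turning escaping off for a field ({{raw:...}}) gives up.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text and quoted-attribute context: neutralise markup metacharacters.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// URL attribute context (href/src). HTML-escaping alone is not enough here:
// "javascript:alert(1)" contains no markup characters yet executes on click.
// Allow http(s), mailto and relative paths; flag everything else with an
// "unsafe:" prefix so the browser treats it as an unknown scheme. This
// allow-list is the example's own choice (an assumption), not a framework's.
const SAFE_URL = /^(?:(?:https?|mailto):|[^&:/?#]*(?:[/?#]|$))/i;
function escapeUrl(value) {
  const url = String(value).trim();
  return SAFE_URL.test(url) ? escapeHtml(url) : 'unsafe:' + escapeHtml(url);
}

// One escaper per context. "raw" is the equivalent of disabling escaping:
// the value is inserted verbatim, so it must already have been through a
// real HTML sanitizer (deliberately not hand-rolled here).
const ESCAPERS = {
  text: escapeHtml,
  attr: escapeHtml,
  url: escapeUrl,
  raw: (value) => String(value),
};

// Placeholders declare their context: {{text:name}}, {{attr:name}},
// {{url:name}}, {{raw:name}}. Unknown keys render as empty strings.
function render(template, data) {
  return template.replace(/\{\{(text|attr|url|raw):(\w+)\}\}/g, (_match, ctx, key) => {
    const value = Object.prototype.hasOwnProperty.call(data, key) ? data[key] : '';
    return ESCAPERS[ctx](value);
  });
}

// Constructed sample input: attacker-controlled values for a scan listing.
const SAMPLE = {
  link: 'javascript:alert(1)',
  title: '"><script>alert(1)</script>',
};
const TEMPLATE = '<a href="{{url:link}}" title="{{attr:title}}">{{text:title}}</a>';

function demo() {
  return {
    // Every placeholder escaped for its own context: no markup or script URL survives.
    safe: render(TEMPLATE, SAMPLE),
    // Same payload through the raw context: the XSS a sanitizer step exists to prevent.
    unsafe: render('<div>{{raw:title}}</div>', SAMPLE),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The `safe` output neutralises the title in both attribute and text position and turns the `javascript:` link into `unsafe:javascript:alert(1)`, which no browser will execute; the `unsafe` output reproduces the `<script>` tag verbatim. That second case is exactly the situation Jim describes: once a developer marks a field as trusted HTML, the template engine can no longer protect it, and the value has to be sanitised before it gets there.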