[Owasp-leaders] ZAP as a Service

jan.kopecky at owasp.org jan.kopecky at owasp.org
Tue Jun 9 11:28:02 UTC 2015


Hello Jim,


You are right, it is a bit outdated. But the latest info I got from Mario (during AppSecEU) is that project is not dead and he will do his best to update it as time allows.


What I personally found to be most useful is the list with general criteria. When you don't know whether the framework you want to use is “secure enough” you can use the list provided by Mario as a basic checklist. For example the question whether a framework uses CSP is IMHO valid despite year (2014, 2015, …).


So what I'm trying to say is although the project is a bit outdated it still has a value and should be checked when dealing with JS MVC frameworks.


Cheers,


Jan






Sent from Surface Pro





From: Jim Manico
Sent: Thursday, June 4, 2015 9:42 PM
To: jan.kopecky at owasp.org, Matt Tesauro, Eoin Keary
Cc: owasp-leaders at lists.owasp.org




Jan,

This is largely 2012-2013 era research and many of these vectors have been fixed by the various JS framework authors.

Some updated research is needed in this area and be sure to keep your frameworks up to date! :)

Aloha,
Jim



On 6/2/15 1:41 PM, jan.kopecky at owasp.org wrote:



Hello all,




I believe most of you already know this, but just to be sure:




https://code.google.com/p/mustache-security/




Mario is responsible for this one. Very interesting reading when dealing with any JS MVC Framework.




Thank you,




Jan






Sent from Surface Pro





From: Jim Manico
Sent: Saturday, May 30, 2015 5:54 AM
To: Matt Tesauro, Eoin Keary
Cc: owasp-leaders at lists.owasp.org




Whoa!

> Assuming you will do a REST API, I'd strongly suggest you shoot for level 2 or ideally level 3 that Fowler writes about at: 
http://martinfowler.com/articles/richardsonMaturityModel.html

What a great REST resource. It's very helpful in terms of education. Thanks for passing this along, Matt.

Looking to seeing ZaaS go live. :)

Aloha,
Jim






On 5/29/15 12:28 PM, Matt Tesauro wrote:



> the backend can be 100% API based 



Which is awesome for those of us who want to automate and completely skip the UI.




Assuming you will do a REST API, I'd strongly suggest you shoot for level 2 or ideally level 3 that Fowler writes about at:

http://martinfowler.com/articles/richardsonMaturityModel.html




It will make your (and your users) interaction with the API much nicer from a programming perspective.




Keep up the stellar ZAP work! 




--
-- Matt Tesauro
OWASP WTE Project Lead
http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
http://AppSecLive.org - Community and Download site 
OWASP OpenStack Security Project Lead 
https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project


On Fri, May 29, 2015 at 3:28 AM, Eoin Keary <eoin.keary at owasp.org> wrote:



If you use Angular the backend can be 100% API based which reduces the work and also opens up a rich API for headless mode.

Eoin Keary 
BCC Risk Advisory - edgescan CTO

Gartner "notable vendor" MSSP MQ










On 29 May 2015, at 08:45, The Black Labrador <mike.goodwin at owasp.org> wrote:






Angular 2 is a worry. All the signs are that migration from v1 is not going to be a high priority for them. Mobile first, then larger form factors, then migration... maybe.

Angular is great, but they will lose a lot of trust and users in my opinion.

Mike



From: Dinis Cruz
Sent: 28/05/2015 17:17
To: Jim Manico
Cc: owasp-leaders at lists.owasp.org
Subject: Re: [Owasp-leaders] ZAP as a Service



Yeah, Angular is great (we're using that too). It's a bit weird what is going on with Angular 2.0, which opens up the game to other frameworks like React.js.



And from a security point of view, as Jim mentioned, Angular has a really good security story.




Dinis



On 28 May 2015 at 16:27, Jim Manico <jim.manico at owasp.org> wrote:


I personally recommend Angular templates. This is quickly becoming the de facto standard for XSS-resistant templating. It's one of the only popular context-aware auto-escaping templates, it has a built-in HTML sanitizer, and it offers an integrated CSP module.

If you have a greenfield project choice, go Angular. Just make sure your developers are using the HTML sanitizer any time they disable escaping for a certain field.

Aloha,
Jim 
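The two properties Jim names above, escaping every interpolation for its context by default and forcing any "raw HTML" field through a sanitizer, shown as an added illustration in plain JavaScript. This is constructed example code, not Angular's implementation; the template syntax, `trustAsHtml` and the allowlist sanitizer are assumptions for the demonstration.

```javascript
// Added illustration of the principle described in the thread (not Angular's own code):
// every interpolation is escaped for its context by default, and the only way
// to emit raw HTML is a value that has passed through the sanitizer.

// HTML text and quoted-attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// URL attribute context: allow only http(s)/mailto; anything else (javascript:,
// data:, vbscript:) is prefixed so it cannot execute when the link is followed.
function safeUrl(s) {
  const u = String(s).trim();
  return /^(https?:|mailto:)/i.test(u) ? escapeHtml(u) : 'unsafe:' + escapeHtml(u);
}

// Minimal allowlist sanitizer (constructed for this example; a production
// sanitizer should parse with a real DOM, not regexes). Keeps <b>, <i>, <p>
// and <a href="safe url">, drops every other tag and every other attribute.
function sanitizeHtml(html) {
  const allowed = new Set(['b', 'i', 'p', 'a']);
  return String(html).replace(/<\/?([a-z0-9]+)\b([^>]*)>/gi, (whole, tag, attrs) => {
    tag = tag.toLowerCase();
    if (!allowed.has(tag)) return '';
    if (whole.startsWith('</')) return `</${tag}>`;
    if (tag !== 'a') return `<${tag}>`;
    const href = /href\s*=\s*"([^"]*)"/i.exec(attrs);
    return `<a href="${href ? safeUrl(href[1]) : '#'}">`;
  });
}

// Marker type for sanitized HTML; trustAsHtml() is the only path that creates it.
class TrustedHtml { constructor(v) { this.html = v; } }
const trustAsHtml = (html) => new TrustedHtml(sanitizeHtml(html));

// Template: {{name}} -> escaped text, {{url:name}} -> safe URL,
// {{html:name}} -> accepted only if the model value is a TrustedHtml.
function render(template, model) {
  return template.replace(/\{\{(html:|url:)?(\w+)\}\}/g, (m, ctx, name) => {
    const v = model[name];
    if (ctx === 'url:') return safeUrl(v);
    if (ctx === 'html:') {
      if (!(v instanceof TrustedHtml)) throw new Error(`${name}: raw HTML refused; use trustAsHtml()`);
      return v.html;
    }
    return escapeHtml(v);
  });
}
```

The `{{html:name}}` branch is the "disable escaping for a certain field" case: a developer cannot get unescaped markup out without first calling `trustAsHtml`, which is where the sanitizer runs.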







On 5/28/15 4:38 PM, Dinis Cruz wrote:



Let me (or Michael Hidalgo from OWASP in Costa Rica) know if you want a NodeJS front-end that runs with Jade templates (with no or minimal JavaScript).



That is what we spend our days coding in :)




Dinis



On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com> wrote:






We certainly don't want to hand-craft a load of JS and cope with all of the different browser variations ;)

So yes, I expect we'll be using a JS framework.
I've started investigating them, but it's early days - this is one we'll definitely be discussing on the ZAP Developer Group.



Cheers,

Simon





On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel <johanna.curiel at owasp.org> wrote:


Hi Simon 






You mentioned you will use HTML5; are you planning to use this in combination with any JavaScript frameworks, or could the use of JSP be implemented?




regards




Johanna





On Thu, May 28, 2015 at 7:23 AM, psiinon <psiinon at gmail.com> wrote:








Leaders,



Last week at Amsterdam I announced a new direction for ZAP - ZAP as a Service (ZaaS).

I've just published a blog post which gives a few more details: http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html


I think this is a major development for ZAP, which is why I've posted to this list ;)




Cheers,

Simon





-- 

OWASP ZAP Project leader


_______________________________________________
OWASP-Leaders mailing list
OWASP-Leaders at lists.owasp.org
https://lists.owasp.org/mailman/listinfo/owasp-leaders





-- 

OWASP ZAP Project leader


















