[Owasp-leaders] ZAP as a Service

Jim Manico jim.manico at owasp.org
Tue Jun 9 18:52:36 UTC 2015


Jan,

This is very reasonable research, do not get me wrong. But almost all of 
these frameworks have gone through multiple updates and revisions since 
this doc was released, many of them specific to this body of work. Any 
research on fast-moving frameworks like the JS community needs a lot of 
continuity and updating to be relevant. :)

For example you mentioned CSP. I took a look at the first framework on 
the list - VueJS - and it is marked as not having CSP support. However, 
VueJS CSP support existed in Oct 2014. 
https://twitter.com/vuejs/status/517425225710190592

So yeah, take all of this research with a grain of salt unless you verify 
it yourself.

Fair?

With respect,
Jim


On 6/9/15 1:28 AM, jan.kopecky at owasp.org wrote:
> Hello Jim,
>
> You are right, it is a bit outdated. But the latest info I got from 
> Mario (during AppSecEU) is that project is not dead and he will do his 
> best to update it as time allows.
>
> What I personally found to be most useful is the list with general 
> criteria. When you don't know whether the framework you want to use 
> is “secure enough” you can use the list provided by Mario as a basic 
> checklist. For example the question whether a framework uses CSP is 
> IMHO valid despite the year (2014, 2015, …).
>
> So what I'm trying to say is although the project is a bit outdated it 
> still has a value and should be checked when dealing with JS MVC 
> frameworks.
>
> Cheers,
>
> Jan
>
> Sent from Surface Pro
>
> *From:* Jim Manico <mailto:jim.manico at owasp.org>
> *Sent:* Thursday, June 4, 2015 9:42 PM
> *To:* jan.kopecky at owasp.org <mailto:jan.kopecky at owasp.org>, Matt 
> Tesauro <mailto:matt.tesauro at owasp.org>, Eoin Keary 
> <mailto:eoin.keary at owasp.org>
> *Cc:* owasp-leaders at lists.owasp.org <mailto:owasp-leaders at lists.owasp.org>
>
> Jan,
>
> This is largely 2012-2013 era research and many of these vectors have 
> been fixed by the various JS framework authors.
>
> Some updated research is needed in this area and be sure to keep your 
> frameworks up to date! :)
>
> Aloha,
> Jim
>
>
> On 6/2/15 1:41 PM, jan.kopecky at owasp.org wrote:
>
>     Hello all,
>
>     I believe most of you already know this, but just to be sure:
>
>     https://code.google.com/p/mustache-security/
>
>     Mario is responsible for this one. Very interesting reading when
>     dealing with any JS MVC Framework.
>
>     Thank you,
>
>     Jan
>
>     Sent from Surface Pro
>
>     *From:* Jim Manico <mailto:jim.manico at owasp.org>
>     *Sent:* Saturday, May 30, 2015 5:54 AM
>     *To:* Matt Tesauro <mailto:matt.tesauro at owasp.org>, Eoin Keary
>     <mailto:eoin.keary at owasp.org>
>     *Cc:* owasp-leaders at lists.owasp.org
>     <mailto:owasp-leaders at lists.owasp.org>
>
>     Whoa!
>
>     > Assuming you will do a REST API, I'd strongly suggest you shoot
>     for level 2 or ideally level 3 that Fowler writes about at:
>     http://martinfowler.com/articles/richardsonMaturityModel.html
>
>     What a great REST resource. It's very helpful in terms of
>     education. Thanks for passing this along, Matt.
>
>     Looking to seeing ZaaS go live. :)
>
>     Aloha,
>     Jim
>
>
>
>
>     On 5/29/15 12:28 PM, Matt Tesauro wrote:
>
>         > the backend can be 100% API based
>
>         Which is awesome for those of us who want to automate and
>         completely skip the UI.
>
>         Assuming you will do a REST API, I'd strongly suggest you
>         shoot for level 2 or ideally level 3 that Fowler writes about at:
>         http://martinfowler.com/articles/richardsonMaturityModel.html
>
>         It will make your (and your users) interaction with the API
>         much nicer from a programming perspective.
>
>         Keep up the stellar ZAP work!
>
>         --
>         -- Matt Tesauro
>         OWASP WTE Project Lead
>         http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
>         http://AppSecLive.org - Community and Download site
>         OWASP OpenStack Security Project Lead
>         https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
>         On Fri, May 29, 2015 at 3:28 AM, Eoin Keary
>         <eoin.keary at owasp.org <mailto:eoin.keary at owasp.org>> wrote:
>
>             If you use angular the backend can be 100% API based which
>             reduces the work and also opens up a rich API for headless
>             mode.
>
>             Eoin Keary
>             BCC Risk Advisory - edgescan CTO
>             Gartner "notable vendor" MSSP MQ
>
>
>
>             On 29 May 2015, at 08:45, The Black Labrador
>             <mike.goodwin at owasp.org <mailto:mike.goodwin at owasp.org>>
>             wrote:
>
>                 Angular 2 is a worry. All the signs are that migration
>                 from v1 is not going to be a high priority for them.
>                 Mobile first, then larger form factors then
>                 migration...maybe.
>
>                 Angular is great, but they will lose a lot of trust
>                 and users in my opinion.
>
>                 Mike
>                 ------------------------------------------------------------------------
>                 From: Dinis Cruz <mailto:dinis.cruz at owasp.org>
>                 Sent: 28/05/2015 17:17
>                 To: Jim Manico <mailto:jim.manico at owasp.org>
>                 Cc: owasp-leaders at lists.owasp.org
>                 <mailto:owasp-leaders at lists.owasp.org>
>                 Subject: Re: [Owasp-leaders] ZAP as a Service
>
>                 yeah Angular is great (we're using that too), it's a
>                 bit weird what is going on with Angular 2.0, which
>                 opens up the game to other frameworks like React.js
>
>                 And from a security point of view, as Jim mentioned
>                 Angular has a really good security story.
>
>                 Dinis
>
>                 On 28 May 2015 at 16:27, Jim Manico
>                 <jim.manico at owasp.org <mailto:jim.manico at owasp.org>>
>                 wrote:
>
>                     I personally recommend Angular templates. This is
>                     quickly becoming the de facto standard for XSS
>                     resistant templating. It's one of the only popular
>                     context-aware auto-escaping templates, it has a
>                     built-in HTML sanitizer, and it offers an
>                     integrated CSP module.
>
>                     If you have a greenfield project choice - go
>                     angular. Just make sure your developers are using
>                     the HTML sanitizer anytime they disable escaping
>                     for a certain field.
>
>                     Aloha,
>                     Jim
>
>
>
>
>
>                     On 5/28/15 4:38 PM, Dinis Cruz wrote:
>
>                         Let me (or Michael Hidalgo from OWASP in Costa
>                         Rica) know If you want a NodeJS front-end that
>                         runs with Jade Templates (with no or minimal
>                         Javascript)
>
>                         That is what we spend our days coding in :)
>
>                         Dinis
>
>                         On 28 May 2015 at 13:40, psiinon
>                         <psiinon at gmail.com <mailto:psiinon at gmail.com>>
>                         wrote:
>
>                             We certainly don't want to hand-craft a
>                             load of JS and cope with all of the
>                             different browser variations ;)
>                             So yes, I expect we'll be using a JS
>                             framework.
>                             I've started investigating them, but it's
>                             early days - this is one we'll definitely
>                             be discussing on the ZAP Developer Group.
>
>                             Cheers,
>
>                             Simon
>
>                             On Thu, May 28, 2015 at 1:36 PM, johanna
>                             curiel curiel <johanna.curiel at owasp.org
>                             <mailto:johanna.curiel at owasp.org>> wrote:
>
>                                 Hi Simon
>
>
>                                 You mentioned you will use HTML5, are
>                                 you planning to use this in
>                                 combination with any JavaScript
>                                 frameworks or the use of JSP could be
>                                 implemented?
>
>                                 regards
>
>                                 Johanna
>
>                                 On Thu, May 28, 2015 at 7:23 AM,
>                                 psiinon <psiinon at gmail.com
>                                 <mailto:psiinon at gmail.com>> wrote:
>
>                                     Leaders,
>
>                                     Last week at Amsterdam I announced
>                                     a new direction for ZAP - ZAP as a
>                                     Service (ZaaS).
>                                     I've just published a blog post
>                                     which gives a few more details:
>                                     http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>
>                                     I think this is a major
>                                     development for ZAP, which is why
>                                     I've posted to this list ;)
>
>                                     Cheers,
>
>                                     Simon
>
>                                     -- 
>                                     OWASP ZAP
>                                     <https://www.owasp.org/index.php/ZAP>
>                                     Project leader
>
>                                     _______________________________________________
>                                     OWASP-Leaders mailing list
>                                     OWASP-Leaders at lists.owasp.org
>                                     <mailto:OWASP-Leaders at lists.owasp.org>
>                                     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>
>
>
>
>                             -- 
>                             OWASP ZAP
>                             <https://www.owasp.org/index.php/ZAP>
>                             Project leader
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
>
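The templating behaviour Jim describes in the thread (escape every field by default, and route any field where escaping is deliberately switched off through an HTML sanitizer), as an added example that is not part of the thread and not Angular's own code; the `escapeHtml`, `sanitizeHtml`, `trustAsHtml` and `render` helpers and the sample inputs are constructed here for illustration.

```javascript
// Added example, not from the thread and not Angular's own code: the two
// output paths Jim describes. Every interpolated value is escaped for the
// HTML text context by default; only a value explicitly wrapped with
// trustAsHtml() skips escaping, and that path is forced through a
// sanitizer, so no raw string ever reaches the output.

// Default path: escape for HTML text and quoted-attribute context.
function escapeHtml(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Opt-out path: a minimal allow-list sanitizer (constructed here as a
// stand-in for Angular's sanitizer). Everything is escaped first, then
// only bare, attribute-free tags from the allow-list are re-enabled, so
// event-handler attributes and unknown tags stay inert text.
function sanitizeHtml(html) {
  return escapeHtml(html).replace(
    /&lt;(\/?)(b|i|em|strong|p|br)&gt;/gi,
    (_m, slash, name) => `<${slash}${name.toLowerCase()}>`
  );
}

// Marker type: the developer's explicit "this field is HTML" decision.
class TrustedHtml {
  constructor(html) { this.html = html; }
}
function trustAsHtml(html) { return new TrustedHtml(html); }

// Renderer for {{name}} placeholders: escape by default, sanitize on opt-out.
function render(template, values) {
  return template.replace(/\{\{\s*(\w+)\s*\}\}/g, (_m, key) => {
    const v = values[key];
    if (v instanceof TrustedHtml) return sanitizeHtml(v.html);
    return escapeHtml(v === undefined || v === null ? "" : v);
  });
}

// Constructed sample inputs: a plain field and a rich-text field.
const untrustedName = "<script>alert(1)</script>";
const richBio = "<b>Hi</b><script>x()</script>";
console.log(render("<p>{{name}}</p>", { name: untrustedName }));
console.log(render("<div>{{bio}}</div>", { bio: trustAsHtml(richBio) }));
```

The second call shows the point of the advice: the opt-out keeps the allowed `<b>` markup but still neutralises the script tag, whereas inserting the raw string would not.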
