[Owasp-leaders] ZAP as a Service

Jim Manico jim.manico at owasp.org
Sat May 30 03:54:30 UTC 2015


Whoa!

> Assuming you will do a REST API, I'd strongly suggest you shoot for
> level 2 or ideally level 3 that Fowler writes about at:
> http://martinfowler.com/articles/richardsonMaturityModel.html

What a great REST resource. It's very helpful in terms of education. 
Thanks for passing this along, Matt.

Looking forward to seeing ZaaS go live. :)

Aloha,
Jim




On 5/29/15 12:28 PM, Matt Tesauro wrote:
> > the backend can be 100% API based
>
> Which is awesome for those of us who want to automate and completely 
> skip the UI.
>
> Assuming you will do a REST API, I'd strongly suggest you shoot for 
> level 2 or ideally level 3 that Fowler writes about at:
> http://martinfowler.com/articles/richardsonMaturityModel.html
>
> It will make your (and your users') interaction with the API much nicer 
> from a programming perspective.
>
> Keep up the stellar ZAP work!
>
> --
> -- Matt Tesauro
> OWASP WTE Project Lead
> http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project
> http://AppSecLive.org - Community and Download site
> OWASP OpenStack Security Project Lead
> https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project
>
> On Fri, May 29, 2015 at 3:28 AM, Eoin Keary <eoin.keary at owasp.org 
> <mailto:eoin.keary at owasp.org>> wrote:
>
>     If you use Angular the backend can be 100% API based which reduces
>     the work and also opens up a rich API for headless mode.
>
>     Eoin Keary
>     BCC Risk Advisory - edgescan CTO
>     Gartner "notable vendor" MSSP MQ
>
>
>
>     On 29 May 2015, at 08:45, The Black Labrador
>     <mike.goodwin at owasp.org <mailto:mike.goodwin at owasp.org>> wrote:
>
>>     Angular 2 is a worry. All the signs are that migration from v1 is
>>     not going to be a high priority for them. Mobile first, then
>>     larger form factors then migration...maybe.
>>
>>     Angular is great, but they will lose a lot of trust and users in
>>     my opinion.
>>
>>     Mike
>>     ------------------------------------------------------------------------
>>     From: Dinis Cruz <mailto:dinis.cruz at owasp.org>
>>     Sent: 28/05/2015 17:17
>>     To: Jim Manico <mailto:jim.manico at owasp.org>
>>     Cc: owasp-leaders at lists.owasp.org
>>     <mailto:owasp-leaders at lists.owasp.org>
>>     Subject: Re: [Owasp-leaders] ZAP as a Service
>>
>>     yeah Angular is great (we're using that too), it's a bit weird
>>     what is going on with angular 2.0, which opens up the game to
>>     other frameworks like React.js
>>
>>     And from a security point of view, as Jim mentioned Angular has a
>>     really good security story
>>
>>     Dinis
>>
>>     On 28 May 2015 at 16:27, Jim Manico <jim.manico at owasp.org
>>     <mailto:jim.manico at owasp.org>> wrote:
>>
>>         I personally recommend Angular templates. This is quickly
>>         becoming the de facto standard for XSS resistant templating.
>>         It's one of the only popular context-aware auto-escaping
>>         templates, it has a built-in HTML sanitizer, and it offers an
>>         integrated CSP module.
>>
>>         If you have a greenfield project choice - go angular. Just
>>         make sure your developers are using the HTML sanitizer
>>         anytime they disable escaping for a certain field.
>>
>>         Aloha,
>>         Jim
>>
>>
>>
>>
>>
>>         On 5/28/15 4:38 PM, Dinis Cruz wrote:
>>>         Let me (or Michael Hidalgo from OWASP in Costa Rica) know if
>>>         you want a NodeJS front-end that runs with Jade Templates
>>>         (with no or minimal JavaScript)
>>>
>>>         That is what we spend our days coding in :)
>>>
>>>         Dinis
>>>
>>>         On 28 May 2015 at 13:40, psiinon <psiinon at gmail.com
>>>         <mailto:psiinon at gmail.com>> wrote:
>>>
>>>             We certainly don't want to hand-craft a load of JS and
>>>             cope with all of the different browser variations ;)
>>>             So yes, I expect we'll be using a JS framework.
>>>             I've started investigating them, but it's early days -
>>>             this is one we'll definitely be discussing on the ZAP
>>>             Developer Group.
>>>
>>>             Cheers,
>>>
>>>             Simon
>>>
>>>             On Thu, May 28, 2015 at 1:36 PM, johanna curiel curiel
>>>             <johanna.curiel at owasp.org
>>>             <mailto:johanna.curiel at owasp.org>> wrote:
>>>
>>>                 Hi Simon
>>>
>>>
>>>                 You mentioned you will use HTML5, are you planning
>>>                 to use this in combination with any JavaScript
>>>                 frameworks, or could the use of JSP be implemented?
>>>
>>>                 regards
>>>
>>>                 Johanna
>>>
>>>                 On Thu, May 28, 2015 at 7:23 AM, psiinon
>>>                 <psiinon at gmail.com <mailto:psiinon at gmail.com>> wrote:
>>>
>>>                     Leaders,
>>>
>>>                     Last week at Amsterdam I announced a new
>>>                     direction for ZAP - ZAP as a Service (ZaaS).
>>>                     I've just published a blog post which gives a
>>>                     few more details:
>>>                     http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html
>>>
>>>                     I think this is a major development for ZAP,
>>>                     which is why I've posted to this list ;)
>>>
>>>                     Cheers,
>>>
>>>                     Simon
>>>
>>>                     -- 
>>>                     OWASP ZAP <https://www.owasp.org/index.php/ZAP>
>>>                     Project leader
>>>
>>>                     _______________________________________________
>>>                     OWASP-Leaders mailing list
>>>                     OWASP-Leaders at lists.owasp.org
>>>                     <mailto:OWASP-Leaders at lists.owasp.org>
>>>                     https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>>
>>>
>>>
>>>
>>>
>>>             -- 
>>>             OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project
>>>             leader
>>>
>>>
>>>
>>>
>>>
