<div dir="ltr">OK, so this raises some wider issues, and some important questions for all of us:<br><br>1. Are there mature and well supported OWASP projects that you could use but don't?<br><br>2. Have you told the relevant project leader why you don't use their project and what they could do that would mean you could use it?<br><br>At BlackHat USA this year I was told that the majority of people who came to the OWASP stand said that they had heard about OWASP through ZAP.<br>For many people ZAP will be their first experience of OWASP. If it's not a good experience then that impacts OWASP as a whole.<br>How can we make ZAP better for both new users and experienced security professionals?<br>All projects need feedback in order to grow and improve, and ZAP is no exception.<br><br>Simon<br><br><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 11, 2014 at 7:53 PM, Josh Sokol <span dir="ltr"><<a href="mailto:josh.sokol@owasp.org" target="_blank">josh.sokol@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Did you just call Simon's baby ugly?  I think you did.  That said, I have to agree with Jim.  In my training classes I use WebScarab as well for the same reasons.  The UI is just easier for a noob to get into, get data, and get out.  There are companies that specialize in UI enhancement suggestions.  
Maybe it would be worth spending some of ZAP's project funds on something like that?<span class="HOEnZb"><font color="#888888"><br><br></font></span></div><span class="HOEnZb"><font color="#888888">~josh<br></font></span></div><div class="HOEnZb"><div class="h5"><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 11, 2014 at 1:29 PM, Jim Manico <span dir="ltr"><<a href="mailto:jim.manico@owasp.org" target="_blank">jim.manico@owasp.org</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="auto"><div>Personally I still use WebScarab during training because it's much easier for new folk. </div><div><br></div><div>While ZAP has an abundance of features that are awesome, the interception UI and edit screen seem a lot more user friendly in WebScarab, and when training, the only feature I use is interception. </div><div><br></div><div>So based on these experiences, I would surmise that new user adoption would pick up if the UI was a bit easier and more clear to use.</div><div><br></div><div>Aloha, <br><div>--</div><div>Jim Manico</div><div>@Manicode</div><div><a href="tel:%28808%29%20652-3805" value="+18086523805" target="_blank">(808) 652-3805</a></div></div><span><div><br>On Sep 11, 2014, at 1:20 PM, Mario Robles <<a href="mailto:mario.robles@owasp.org" target="_blank">mario.robles@owasp.org</a>> wrote:<br><br></div></span><blockquote type="cite"><div><span>
  
    
  
  
    <div>Thank you Simon, it's amazing the good
      work the ZAP team is doing<br>
      <br>
      Tony, I agree with you on this. I provide some pentesting courses
      and I have to be honest, I use Burp as part of the testing
      framework during the courses. This is just my opinion, but things
      like my previous question (other tools integration) are something
      that can make people move from other tools. If ZAP targets
      trainers and convinces them like Simon just did with me, then
      trainers will start using it as part of their courses.<br>
      <br>
      A very valid point for ZAP compared to Burp is that Burp Free
      doesn't allow the user to save the state to be analyzed later,
      and ZAP does that for free. Merchandising the advantages, features
      (like the ones I wasn't aware of) and coming improvements seems to
      be key.<br>
      <br>
      Side note: I must say, if ZAP were able to import the findings
      from other tools like Burp, AppScan, WebInspect, FoD, Manual, etc.
      with a possibility to edit findings, details, severities, etc. and
      make a nice report, that's the tool I've been dreaming of for a
      long time. Someone can say that ZAP is not a repo like other
      tools out there for combining findings, and I think that's exactly
      the reason why it should be included in a testing tool. Having all
      findings from a Wpentest in one single tool where you can
      validate, build a PoC, grab a screenshot or remove false positives
      would be a dream come true.<br>
      <br>
      Mario<br>
      On 11/09/2014 11:17 a.m., Tony Turner wrote:<br>
    </div>
    </span><div><div><blockquote type="cite">
      <div dir="ltr">Getting ZAP included in popular pentest and
        security testing courses such as what SANS delivers would be
        very beneficial. People take these classes using Burp Free, and
        then go back to work and buy Pro and keep using it. Why would
        they switch to ZAP when they are already getting what they need
        from Burp? We need to either get ZAP in front of people just
        learning the tools or provide sufficient justification for
        people to switch from what they are already doing.
        <div><br>
        </div>
        <div><br>
        </div>
      </div>
      <div class="gmail_extra"><br>
        <div class="gmail_quote">On Thu, Sep 11, 2014 at 1:06 PM,
          psiinon <span dir="ltr"><<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>></span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
            <div dir="ltr">
              <div>We have a REST API and clients written in Java,
                Python, Node.js, PHP and Ruby: <a href="https://code.google.com/p/zaproxy/wiki/ApiDetails" target="_blank">https://code.google.com/p/zaproxy/wiki/ApiDetails</a>
                :)<br>
                <br>
              </div>
              <div>We also support all JSR 223 languages (including
                Jython) via the ZAP <a href="https://code.google.com/p/zaproxy/wiki/HelpAddonsScriptsScripts" target="_blank">Script Console</a>.<br>
              </div>
              <div><br>
              </div>
              <div>Any questions about using them then let me know or
                ask on the <a href="http://groups.google.com/group/zaproxy-develop" target="_blank">ZAP Developer group</a>.<br>
              </div>
              <div><br>
              </div>
              <div>Cheers,<br>
                <br>
              </div>
              Simon<br>
            </div>
            <div>
              <div>
                <div class="gmail_extra"><br>
                  <div class="gmail_quote">On Thu, Sep 11, 2014 at 5:42
                    PM, Mario Robles <span dir="ltr"><<a href="mailto:mario.robles@owasp.org" target="_blank">mario.robles@owasp.org</a>></span>
                    wrote:<br>
                    <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                      <div text="#000000" bgcolor="#FFFFFF">
                        <div>I would be very excited about having the
                          possibility of writing Python tools that can
                          work with ZAP using some kind of integration
                          API (sorry if this already exists, and if so
                          I'd like to know more about it)<br>
                          <br>
                          I'm a WPT tools writer and I like to work with
                          Python (I'm sure many here do the same), so I
                          think this is a good opportunity for ZAP<br>
                          <br>
                          Back to the main question, here's my answer:
                          if ZAP becomes friendly with the frameworks
                          most pentesters use then ZAP will be loved
                          by many of them<span><font color="#888888"><br>
                              <br>
                              Mario</font></span>
                          <div>
                            <div><br>
                              On 11/09/2014 06:33 a.m., psiinon wrote:<br>
                            </div>
                          </div>
                        </div>
                        <div>
                          <div>
                            <blockquote type="cite">
                              <div dir="ltr">
                                <div>I'd also like to point out that I
                                  specifically asked what people thought
                                  would be the best way to increase ZAP
                                  usage NOT what would cause _you_ to
                                  use ZAP :)<br>
                                </div>
                                Do you really think that dropping Java
                                and porting to Python would increase ZAP
                                takeup? ;)<br>
                              </div>
                              <div class="gmail_extra"><br>
                                <div class="gmail_quote">On Thu, Sep 11,
                                  2014 at 1:16 PM, psiinon <span dir="ltr"><<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>></span>
                                  wrote:<br>
                                  <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                    <div dir="ltr">You're right, it's not
                                      viable :)<br>
                                    </div>
                                    <div>
                                      <div>
                                        <div class="gmail_extra"><br>
                                          <div class="gmail_quote">On
                                            Thu, Sep 11, 2014 at 1:11
                                            PM, <span dir="ltr"><<a href="mailto:abbas.naderi@owasp.org" target="_blank">abbas.naderi@owasp.org</a>></span>
                                            wrote:<br>
                                            <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                              <div style="word-wrap:break-word">Personally
                                                the major reason I don’t
                                                like these tools is that
                                                they are Java based, and
                                                Java based apps are ugly
                                                and slow on OS X. If I
                                                led the project, I’d
                                                port to python or
                                                something else, but I
                                                know that's a very
                                                expensive decision and
                                                probably not viable.
                                                <div>-A</div>
                                                <div><br>
                                                  <div>
                                                    <blockquote type="cite"><span>
                                                        <div>On Sep 11,
                                                          2014, at 7:50
                                                          AM, Andrew
                                                          Muller <<a href="mailto:andrew.muller@owasp.org" target="_blank">andrew.muller@owasp.org</a>>

                                                          wrote:</div>
                                                        <br>
                                                      </span>
                                                      <div>
                                                        <div dir="ltr"><span>A
                                                          subtle
                                                          advertising
                                                          campaign could
                                                          work<br>
                                                          </span>
                                                          <div><br>
                                                          <span><pharoah
                                                          bender
                                                          endorses
                                                          ZAP.jpg></span><br>
                                                          <br>
                                                          ​<br>
                                                          </div>
                                                        </div>
                                                        <div>
                                                          <div>
                                                          <div class="gmail_extra"><br>
                                                          <div class="gmail_quote">On
                                                          Thu, Sep 11,
                                                          2014 at 8:59
                                                          PM, psiinon <span dir="ltr"><<a href="mailto:psiinon@gmail.com" target="_blank">psiinon@gmail.com</a>></span>
                                                          wrote:<br>
                                                          <blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>Leaders,<br>
                                                          <br>
                                                          </div>
                                                          As you
                                                          hopefully
                                                          know, ZAP is
                                                          one of the
                                                          most
                                                          successful of
                                                          all of the
                                                          OWASP
                                                          projects.<br>
                                                          <br>
                                                          </div>
                                                          However I want
                                                          to
                                                          significantly
                                                          increase its
                                                          takeup, and
                                                          for that I'd
                                                          like your
                                                          advice and
                                                          guidance.<br>
                                                          <br>
                                                          </div>
                                                          <b>What do you
                                                          think are the
                                                          top 3 (or
                                                          more) things
                                                          we could do to
                                                          increase ZAP
                                                          usage?</b><br>
                                                          <br>
                                                          </div>
                                                          I'm not just
                                                          asking about
                                                          new features
                                                          or technical
                                                          changes (but
                                                          please include
                                                          those if you
                                                          think they are
                                                          important),
                                                          but also
                                                          advertising,
                                                          online
                                                          presence,
                                                          documentation,
                                                          tutorial
                                                          videos,
                                                          conference
                                                          talks, fluffy
                                                          toys etc etc.
                                                          <br>
                                                          Anything that
                                                          you think will
                                                          get more
                                                          developers and
                                                          security folk
                                                          using ZAP.<br>
                                                          <br>
                                                          </div>
                                                          <div>I was
                                                          going to start
                                                          a poll, but I
                                                          decided I
                                                          didn't want to
                                                          restrict or
                                                          unduly
                                                          influence your
                                                          replies, so
                                                          please "think
                                                          out of the
                                                          box" and other
                                                          such cliches
                                                          ;)<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          Feel free to
                                                          reply on this
                                                          thread or
                                                          directly to
                                                          me.<br>
                                                          <br>
                                                          </div>
                                                          Many thanks,<br>
                                                          <br>
                                                          </div>
                                                          Simon<span><font color="#888888"><br clear="all">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          -- <br>
                                                          <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </font></span></div>
                                                          <br>
_______________________________________________<br>
                                                          OWASP-Leaders
                                                          mailing list<br>
                                                          <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_blank">OWASP-Leaders@lists.owasp.org</a><br>
                                                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_blank">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                                          <br>
                                                          </blockquote>
                                                          </div>
                                                          <br>
                                                          <br clear="all">
                                                          <br>
                                                          -- <br>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>____________________<br>
                                                          </div>
                                                          <b>Andrew
                                                          Muller</b><br>
                                                          </div>
                                                          Canberra OWASP
                                                          Chapter Leader<br>
                                                          </div>
                                                          OWASP Testing
                                                          Guide
                                                          Co-Leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                        </div>
                                                      </div>
                                                    </blockquote>
                                                  </div>
                                                  <br>
                                                </div>
                                              </div>
                                            </blockquote>
                                          </div>
                                          <br>
                                          <br clear="all">
                                          <br>
                                          -- <br>
                                          <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a>
                                          Project leader<br>
                                        </div>
                                      </div>
                                    </div>
                                  </blockquote>
                                </div>
                                <br>
                                <br clear="all">
                                <br>
                                -- <br>
                                <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a> Project
                                leader<br>
                              </div>
                              <br>
                            </blockquote>
                            <br>
                          </div>
                        </div>
                      </div>
                    </blockquote>
                  </div>
                  <br>
                  <br clear="all">
                  <br>
                  -- <br>
                  <a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a> Project leader<br>
                </div>
              </div>
            </div>
            <br>
            <br>
          </blockquote>
        </div>
        <br>
        <br clear="all">
        <div><br>
        </div>
        -- <br>
        <font color="#888888">Tony Turner<br>
          OWASP Orlando Chapter Founder/Co-Leader<br>
          <a href="mailto:tony.turner@owasp.org" target="_blank">tony.turner@owasp.org</a></font>
        <div><a href="https://www.owasp.org/index.php/Orlando" target="_blank">https://www.owasp.org/index.php/Orlando</a>
        </div>
        <div><br>
        </div>
      </div>
    </blockquote>
    <br>
  

</div></div></div></blockquote></div>
<br></blockquote></div><br></div>
</div></div><br>
<br></blockquote></div><br><br clear="all"><br>-- <br><a href="https://www.owasp.org/index.php/ZAP" target="_blank">OWASP ZAP</a> Project leader<br>
</div>