<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body dir="auto"><div></div><div>Hi Jan,</div><div><br></div><div>Thank you for sending out this link - definitely a great resource. </div><div><br></div><div>Jerry</div><div><br><div>--<div>Jerry Hoff</div><div><a href="mailto:jerry@owasp.com">jerry@owasp.com</a></div><div>@jerryhoff</div></div>On Jun 2, 2015, at 16:58, "<a href="mailto:jan.kopecky@owasp.org">jan.kopecky@owasp.org</a>" &lt;<a href="mailto:jan.kopecky@owasp.org">jan.kopecky@owasp.org</a>&gt; wrote:<br><br></div><blockquote type="cite"><div>

<div data-externalstyle="false" dir="ltr" style="font-family: 'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'sans-serif';font-size:12pt;"><div>Hello all,</div><div><br></div><div>I believe most of you already know this, but just to be sure:</div><div><br></div><div><a href="https://code.google.com/p/mustache-security/" target="_parent">https://code.google.com/p/mustache-security/</a></div><div><br></div><div>Mario is responsible for this one. Very interesting reading when dealing with any JS MVC Framework.</div><div><br></div><div>Thank you,</div><div><br></div><div>Jan<br></div><div data-signatureblock="true"><div><br></div><div>Sent from Surface Pro</div><div><br></div></div><div style="padding-top: 5px; border-top-color: rgb(229, 229, 229); border-top-width: 1px; border-top-style: solid;"><div><font face="'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'sans-serif'" style="line-height: 15pt; letter-spacing: 0.02em; font-family: 'Calibri', 'Segoe UI', 'Meiryo', 'Microsoft YaHei UI', 'Microsoft JhengHei UI', 'Malgun Gothic', 'sans-serif'; font-size: 12pt;"><b>From:</b> <a href="mailto:jim.manico@owasp.org" target="_parent">Jim Manico</a><br><b>Sent:</b> Saturday, May 30, 2015 5:54 AM<br><b>To:</b> <a href="mailto:matt.tesauro@owasp.org" target="_parent">Matt Tesauro</a>, <a href="mailto:eoin.keary@owasp.org" target="_parent">Eoin Keary</a><br><b>Cc:</b> <a href="mailto:owasp-leaders@lists.owasp.org" target="_parent">owasp-leaders@lists.owasp.org</a></font></div></div><div><br></div><div dir="">
    Whoa!<br>
    <br>
    > <span style="font-size: 12.8px;">Assuming you will
      do a REST API, I'd strongly suggest you shoot for level 2 or
      ideally level 3 that Fowler writes about at:</span>
    <div><span style="font-size: 12.8px;"><a href="http://martinfowler.com/articles/richardsonMaturityModel.html" target="_parent">http://martinfowler.com/articles/richardsonMaturityModel.html</a><br>
        <br>
        What a great REST resource. It's very helpful in terms of
        education. Thanks for passing this along, Matt.<br>
        <br>
        Looking forward to seeing ZaaS go live. :)<br>
        <br>
        Aloha,<br>
        Jim<br>
        <br>
        <br>
        <br>
      </span></div>
    <br>
    <div class="moz-cite-prefix">On 5/29/15 12:28 PM, Matt Tesauro
      wrote:<br>
    </div>
    <blockquote style="margin-top: 0px; margin-bottom: 0px;" cite="mid:CALKUk+NiQU_T9JLB4n9-X7fotRQuYbqkHYg2eHuZRav+u0tO6Q@mail.gmail.com">
      <div dir="ltr">> <span style="font-size: 12.8px;">the
          backend can be 100% API based</span>
        <div><span style="font-size: 12.8px;"><br>
          </span></div>
        <div><span style="font-size: 12.8px;">Which is awesome
            for those of us who want to automate and completely skip the
            UI.</span></div>
        <div><span style="font-size: 12.8px;"><br>
          </span></div>
        <div><span style="font-size: 12.8px;">Assuming you
            will do a REST API, I'd strongly suggest you shoot for level
            2 or ideally level 3 that Fowler writes about at:</span></div>
        <div><span style="font-size: 12.8px;"><a href="http://martinfowler.com/articles/richardsonMaturityModel.html" target="_parent">http://martinfowler.com/articles/richardsonMaturityModel.html</a></span></div>
        <div><span style="font-size: 12.8px;"><br>
          </span></div>
        <div><span style="font-size: 12.8px;">It will make
            your (and your users') interaction with the API much nicer
            from a programming perspective.</span></div>
        <div><span style="font-size: 12.8px;"><br>
          </span></div>
        <div><span style="font-size: 12.8px;">Keep up the
            stellar ZAP work! </span></div>
      </div>
      <div class="gmail_extra"><br clear="all">
        <div>
          <div class="gmail_signature">--<br>
            -- Matt Tesauro<br>
            OWASP WTE Project Lead<br>
            <a href="http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project" target="_parent">http://www.owasp.org/index.php/Category:OWASP_Live_CD_Project</a><br>
            <a href="http://AppSecLive.org" target="_parent">http://AppSecLive.org</a> - Community and
            Download site
            <div>OWASP OpenStack Security Project Lead
              <div><a href="https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project" target="_parent">https://www.owasp.org/index.php/OWASP_OpenStack_Security_Project</a></div>
            </div>
          </div>
        </div>
        <br>
        <div class="gmail_quote">On Fri, May 29, 2015 at 3:28 AM, Eoin
          Keary <span dir="ltr">&lt;<a href="mailto:eoin.keary@owasp.org" target="_parent">eoin.keary@owasp.org</a>&gt;</span>
          wrote:<br>
          <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
            <div dir="auto">
              <div>If you use Angular, the backend can be 100% API based,
                which reduces the work and also opens up a rich API for
                headless mode.<span class="HOEnZb"><font color="#888888"><br>
                    <br>
                    Eoin Keary
                    <div>BCC Risk Advisory - <span style="font-size: 13pt;">edgescan </span><span style="font-size: 13pt;">CTO</span></div>
                    <div><span style="font-size: 13pt;">Gartner "notable
                        vendor" MSSP MQ</span></div>
                    <div><span style="font-size: 13pt;"><br>
                      </span></div>
                    <div><br>
                    </div>
                  </font></span></div>
              <div>
                <div class="h5">
                  <div><br>
                    On 29 May 2015, at 08:45, The Black Labrador &lt;<a href="mailto:mike.goodwin@owasp.org" target="_parent">mike.goodwin@owasp.org</a>&gt;
                    wrote:<br>
                    <br>
                  </div>
                  <blockquote style="margin-top: 0px; margin-bottom: 0px;">
                    <div>
                      <div>
                        <div style="font-family: Calibri,sans-serif; font-size: 11pt;">Angular
                          2 is a worry. All the signs are that migration
                          from v1 is not going to be a high priority for
                          them. Mobile first, then larger form factors,
                          then migration...maybe.<br>
                          <br>
                          Angular is great, but they will lose a lot of
                          trust and users in my opinion.<br>
                          <br>
                          Mike</div>
                      </div>
                      <div dir="ltr">
                        <hr><span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">From:
                        </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;"><a href="mailto:dinis.cruz@owasp.org" target="_parent">Dinis Cruz</a></span><br>
                        <span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">Sent:
                        </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;">28/05/2015
                          17:17</span><br>
                        <span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">To:
                        </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;"><a href="mailto:jim.manico@owasp.org" target="_parent">Jim Manico</a></span><br>
                        <span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">Cc:
                        </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;"><a href="mailto:owasp-leaders@lists.owasp.org" target="_parent">owasp-leaders@lists.owasp.org</a></span><br>
                        <span style="font-family: Calibri,sans-serif; font-size: 11pt; font-weight: bold;">Subject:
                        </span><span style="font-family: Calibri,sans-serif; font-size: 11pt;">Re:
                          [Owasp-leaders] ZAP as a Service</span><br>
                        <br>
                      </div>
                      <div dir="ltr">yeah Angular is great (we're using
                        that too), it's a bit weird what is going on
                        with angular 2.0, which opens up the game to
                        other frameworks like React.js
                        <div><br>
                        </div>
                        <div>And from a security point of view, as Jim
                          mentioned, Angular has a really good security
                          story.</div>
                        <div><br>
                        </div>
                        <div>Dinis</div>
                      </div>
                      <div class="gmail_extra"><br>
                        <div class="gmail_quote">On 28 May 2015 at
                          16:27, Jim Manico <span dir="ltr">&lt;<a href="mailto:jim.manico@owasp.org" target="_parent">jim.manico@owasp.org</a>&gt;</span>
                          wrote:<br>
                          <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
                            <div> I
                              personally recommend Angular templates.
                              This is quickly becoming the
                              de facto standard for XSS-resistant
                              templating. It's one of the only popular
                              context-aware auto-escaping templates, it
                              has a built-in HTML sanitizer, and it
                              offers an integrated CSP module.<br>
                              <br>
                              If you have a greenfield project choice -
                              go angular. Just make sure your developers
                              are using the HTML sanitizer anytime they
                              disable escaping for a certain field.<br>
                              <br>
                              Aloha,<br>
                              Jim
                              <div>
                                <div><br>
                                  <br>
                                  <br>
                                  <br>
                                  <br>
                                  <div>On 5/28/15 4:38 PM, Dinis Cruz
                                    wrote:<br>
                                  </div>
                                  <blockquote style="margin-top: 0px; margin-bottom: 0px;">
                                    <div dir="ltr">Let me (or Michael
                                      Hidalgo from OWASP in Costa Rica)
                                      know if you want a NodeJS
                                      front-end that runs with Jade
                                      Templates (with no or minimal
                                      JavaScript).
                                      <div><br>
                                      </div>
                                      <div>That is what we spend our
                                        days coding in :)</div>
                                      <div><br>
                                      </div>
                                      <div>Dinis</div>
                                    </div>
                                    <div class="gmail_extra"><br>
                                      <div class="gmail_quote">On 28 May
                                        2015 at 13:40, psiinon <span dir="ltr">&lt;<a href="mailto:psiinon@gmail.com" target="_parent">psiinon@gmail.com</a>&gt;</span>
                                        wrote:<br>
                                        <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
                                          <div dir="ltr">
                                            <div>
                                              <div>
                                                <div>
                                                  <div>We certainly don't
                                                    want to hand-craft a
                                                    load of JS and cope
                                                    with all of the
                                                    different browser
                                                    variations ;)<br>
                                                  </div>
                                                  So yes, I expect we'll
                                                  be using a JS
                                                  framework.<br>
                                                </div>
                                                I've started
                                                investigating them, but
                                                it's early days - this is
                                                one we'll definitely be
                                                discussing on the ZAP
                                                Developer Group.<br>
                                              </div>
                                              <div><br>
                                              </div>
                                              Cheers,<br>
                                              <br>
                                            </div>
                                            Simon<br>
                                          </div>
                                          <div>
                                            <div>
                                              <div class="gmail_extra"><br>
                                                <div class="gmail_quote">On
                                                  Thu, May 28, 2015 at
                                                  1:36 PM, johanna
                                                  curiel curiel <span dir="ltr">&lt;<a href="mailto:johanna.curiel@owasp.org" target="_parent">johanna.curiel@owasp.org</a>&gt;</span>
                                                  wrote:<br>
                                                  <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
                                                    <div dir="ltr">Hi
                                                      Simon
                                                      <div><br>
                                                      </div>
                                                      <div><br>
                                                      </div>
                                                      <div>You mentioned
                                                        you will use
                                                        HTML5. Are you
                                                        planning to use
                                                        this in
                                                        combination with
                                                        any JavaScript
                                                        frameworks, or
                                                        could the use of
                                                        JSP be
                                                        implemented?</div>
                                                      <div><br>
                                                      </div>
                                                      <div>regards</div>
                                                      <span><font color="#888888">
                                                          <div><br>
                                                          </div>
                                                          <div>Johanna</div>
                                                        </font></span></div>
                                                    <div class="gmail_extra"><br>
                                                      <div class="gmail_quote">
                                                        <div>
                                                          <div>On Thu,
                                                          May 28, 2015
                                                          at 7:23 AM,
                                                          psiinon <span dir="ltr">&lt;<a href="mailto:psiinon@gmail.com" target="_parent">psiinon@gmail.com</a>&gt;</span>
                                                          wrote:<br>
                                                          </div>
                                                        </div>
                                                        <blockquote class="gmail_quote" style="margin: 0px 0px 0px 0.8ex; padding-left: 1ex; border-left-color: rgb(204, 204, 204); border-left-width: 1px; border-left-style: solid;">
                                                          <div>
                                                          <div>
                                                          <div dir="ltr">
                                                          <div>
                                                          <div>
                                                          <div>Leaders,<br>
                                                          </div>
                                                          <div><br>
                                                          Last week at
                                                          Amsterdam I
                                                          announced a
                                                          new direction
                                                          for ZAP - ZAP
                                                          as a Service
                                                          (ZaaS).<br>
                                                          </div>
                                                          I've just
                                                          published a
                                                          blog post
                                                          which gives a
                                                          few more
                                                          details: <a href="http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html" target="_parent">http://zaproxy.blogspot.no/2015/05/zap-as-service-zaas.html</a><br>
                                                          <br>
                                                          </div>
                                                          <div>I think
                                                          this is a
                                                          major
                                                          development
                                                          for ZAP, which
                                                          is why I've
                                                          posted to this
                                                          list ;)<br>
                                                          </div>
                                                          <div><br>
                                                          </div>
                                                          Cheers,<br>
                                                          <br>
                                                          </div>
                                                          Simon<span><font color="#888888"><br clear="all">
                                                          <div>
                                                          <div>
                                                          <div>
                                                          <div><br>
                                                          -- <br>
                                                          <div><a href="https://www.owasp.org/index.php/ZAP" target="_parent">OWASP ZAP</a>
                                                          Project leader<br>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </div>
                                                          </font></span></div>
                                                          <br>
                                                          </div>
                                                          </div>
                                                          <span>_______________________________________________<br>
                                                          OWASP-Leaders
                                                          mailing list<br>
                                                          <a href="mailto:OWASP-Leaders@lists.owasp.org" target="_parent">OWASP-Leaders@lists.owasp.org</a><br>
                                                          <a href="https://lists.owasp.org/mailman/listinfo/owasp-leaders" target="_parent">https://lists.owasp.org/mailman/listinfo/owasp-leaders</a><br>
                                                          <br>
                                                          </span></blockquote>
                                                      </div>
                                                      <br>
                                                    </div>
                                                  </blockquote>
                                                </div>
                                                <br>
                                                <br clear="all">
                                                <br>
                                                -- <br>
                                                <div><a href="https://www.owasp.org/index.php/ZAP" target="_parent">OWASP ZAP</a>
                                                  Project leader<br>
                                                </div>
                                              </div>
                                            </div>
                                          </div>
                                          <br>
                                        </blockquote>
                                      </div>
                                      <br>
                                    </div>
                                    <br>
                                  </blockquote>
                                  <br>
                                </div>
                              </div>
                            </div>
                          </blockquote>
                        </div>
                        <br>
                      </div>
                    </div>
                  </blockquote>
                </div>
              </div>
            </div>
            <br>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
    <br>
  

</div></div>


</div></blockquote></body></html>