If you can't read please download the document

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond

Embed Size (px)

Citation preview

1. The OWASP Foundation http://www.owasp.org Copyright The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. ZAP 2.4.0 and beyond... Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team [email protected] OWASP AppSec EU Amsterdam 2015 2. 2 What is ZAP? An easy to use webapp pentest tool Completely free and open source OWASP Flagship project Ideal for beginners But also used by professionals Ideal for devs, esp. for automated security tests Included in all major security distributions ToolsWatch.org Top Security Tools of 2013/2014 On the ThoughtWorks Tech Radar (as of May) Not a silver bullet! 3. 3 ZAP Principles Free, Open source Involvement actively encouraged Cross platform Easy to use Easy to install Internationalized Fully documented Work well with other tools Reuse well regarded components 4. 4 Statistics Released September 2010, fork of Paros V 2.4.0 released in April 2015 V 2.4.0 downloaded > 32K times Translated into 30 languages Over 130 translators Mostly used by Professional Pentesters? Paros code: ~20% ZAP Code: ~80% 5. 5 Open HUB Statistics Very High Activity The most active OWASP Project 60 contributors, 31 active 347 years of effort Source: https://www.openhub.net/p/zaproxy 6. Some ZAP use cases Point and shoot the Quick Start tab Proxying via ZAP, and then scanning Manual pentesting Automated security regression tests Debugging Part of a larger security program e.g. ThreadFix, Minion 6 7. 7 Version 2.4.0 UI Changes Scan Dialogs Scan Policies Attack Mode Advanced Fuzzer API Changes Lots of minor enhancements and bug fixes! 2.4.0 8. 8 And some more new stuff Alpha add-ons: Access Control Testing Sequence scanning New scan rules Community Scripts https://github.com/zaproxy/community-scripts 9. So whats next? 9 10. More of the same.. 2.4.0.1 Bugfix release coming soon New/improved active + passive scan rules New/improved add-ons Migration to GitHub Adoption of Maven/Gradle/?? ... 10 11. ZaaS ZAP as a Service 12 12. ZAP (desktop) properties 13 Database Data Structures Processes Deployment Users Roles Access Application Lifetime Licence Local HSQLDB Db and in memory One Single machine One One Swing UI / API Hours Apache V2 13. ZaaS properties 15 Database Data Structures Processes Deployment Users Roles Access Application Lifetime Licence Enterprise (eg MySQL) Db Multiple Distributed Multiple Multiple Web UI / API Five nines capability Apache V2 14. ZaaS todo list Introduce db independence layer Support MySQL Low memory option Multi-process option Support multiple users and roles Add scheduler Develop web UI Full security review 16 15. Questions? http://www.owasp.org/index.php/ZAP


OWASP AppSec EU2016-Security Automation Using ZAP v1€¦ · Example&3:&Passive&scanning zap.pscan.disable_all_scanners(apikey =API_Key) zap.pscan.enable_scanners(ids=&10040,& apikey

OWASP AppSec EU2016-Security Automation Using ZAP v1€¦ · Example&3:&Passive&scanning zap.pscan.disable_all_scanners(apikey =API_Key) zap.pscan.enable_scanners(ids=&10040,& apikey

Documents
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts

AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts

Technology
AppSec Consulting Inc

AppSec Consulting Inc

Documents
Operation emmental appsec

Operation emmental appsec

Technology
5 5 APPSEC T AREN’T TRUE ODE GBOOK 2 3...But AppSec falls to software vendors. One single technology can secure all applications. 3 APPSEC FACTS THAT AREN’T TRUE 5 APPSEC FACTS

5 5 APPSEC T AREN’T TRUE ODE GBOOK 2 3...But AppSec falls to software vendors. One single technology can secure all applications. 3 APPSEC FACTS THAT AREN’T TRUE 5 APPSEC FACTS

Documents
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond

Internet
Agile Appsec

Agile Appsec

Documents
Building AppSec Automation with python - DEF CON CON 25/DEF CON 25... · Building AppSec Automation with python ... Con!guring ZAP to run with Python ... DEF CON, DEFCON, Speeches,

Building AppSec Automation with python - DEF CON CON 25/DEF CON 25... · Building AppSec Automation with python ... Con!guring ZAP to run with Python ... DEF CON, DEFCON, Speeches,

Documents
Internet Of Things (IOT) InSecurity - OWASP...Internet Of Things (IOT) InSecurity Erez Metula Chairman & Founder, AppSec Labs ErezMetula@AppSec-Labs.com Israel Chorzevski CTO, AppSec

Internet Of Things (IOT) InSecurity - OWASP...Internet Of Things (IOT) InSecurity Erez Metula Chairman & Founder, AppSec Labs [email protected] Israel Chorzevski CTO, AppSec

Documents
AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

AppSec Survey 2.0 Fine-Tuning an AppSec Training Program Based on Data

Technology
ZAP 2.4.0 and beyond2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-bennetts.pdf · • OWASP Flagship project • Ideal for beginners • But also used by professionals

ZAP 2.4.0 and beyond2015.appsec.eu/wp-content/uploads/2015/09/owasp-appseceu2015-bennetts.pdf · • OWASP Flagship project • Ideal for beginners • But also used by professionals

Documents
OWASP ZAP Turbo Talk - Black Hat · OWASP ZAP Turbo Talk Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team

OWASP ZAP Turbo Talk - Black Hat · OWASP ZAP Turbo Talk Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team

Documents
karaf manual-2.4.0

karaf manual-2.4.0

Documents
ZAP 2.4.0 and beyond - 2015.appsec.eu · Amsterdam 2015. 2 What is ZAP? ... • Manual pentesting

ZAP 2.4.0 and beyond - 2015.appsec.eu · Amsterdam 2015. 2 What is ZAP? ... • Manual pentesting

Documents
InternetBridge-NT 2.4.0 Global Guide.pdf

InternetBridge-NT 2.4.0 Global Guide.pdf

Documents
Zap Travel

Zap Travel

Travel
“Zip Zap”

“Zip Zap”

Documents
Zap! and Zap! Extra Brochure 2014

Zap! and Zap! Extra Brochure 2014

Documents
OWASP 2012 AppSec Dublin ZAP Intro

OWASP 2012 AppSec Dublin ZAP Intro

Technology
Innovation hall ZAP Spaces ZAP Project space ZAP Licences …

Innovation hall ZAP Spaces ZAP Project space ZAP Licences …

Documents
ZAP @FOSSASIA2015

ZAP @FOSSASIA2015

Presentations & Public Speaking
Appsec usa roberthansen

Appsec usa roberthansen

Technology
fileGo Reporting Chart Therapy and Individual The on then 3 min zap — -Zap button. that to 3 C on and an side ot Th. Zap nd on zap uto Zap top (12 zap top (5 Auto Zap tap Warms (5

fileGo Reporting Chart Therapy and Individual The on then 3 min zap — -Zap button. that to 3 C on and an side ot Th. Zap nd on zap uto Zap top (12 zap top (5 Auto Zap tap Warms (5

Documents
Zap! Electricity

Zap! Electricity

Documents
OWASP 2014 AppSec EU ZAP Advanced Features

OWASP 2014 AppSec EU ZAP Advanced Features

Technology
Dsp0004 2.4.0

Dsp0004 2.4.0

Economy & Finance
Zap Fatigue

Zap Fatigue

Documents
Taking AppSec to 11 - Meetupfiles.meetup.com/18411966/Taking AppSec to 11... · Taking AppSec to 11: AppSec Pipelines, DevOps, and Making Things Better OWASP San Antonio, April 2016

Taking AppSec to 11 - Meetupfiles.meetup.com/18411966/Taking AppSec to 11... · Taking AppSec to 11: AppSec Pipelines, DevOps, and Making Things Better OWASP San Antonio, April 2016

Documents
OWASP 2013 AppSec EU Hamburg - ZAP Innovations

OWASP 2013 AppSec EU Hamburg - ZAP Innovations

Technology
AppSec And Microservices

AppSec And Microservices

Technology