OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
•Download as ODP, PDF•
11 likes•4,816 views
Slides from my OWASP AppSec EU talk on May 21st 2015 on ZAP 2.4.0 and beyond..
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Viewers also liked
Viewers also liked (20)
Similar to OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Similar to OWASP 2015 AppSec EU ZAP 2.4.0 and beyond.. (20)
More from Simon Bennetts
More from Simon Bennetts (9)
Recently uploaded
Recently uploaded (20)
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
- 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. ZAP 2.4.0 and beyond... Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com OWASP AppSec EU Amsterdam 2015
- 2. 2 What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • OWASP Flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Included in all major security distributions • ToolsWatch.org Top Security Tools of 2013/2014 • On the ThoughtWorks Tech Radar (as of May) • Not a silver bullet!
- 3. 3 ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components
- 4. 4 Statistics • Released September 2010, fork of Paros • V 2.4.0 released in April 2015 • V 2.4.0 downloaded > 32K times • Translated into 30 languages • Over 130 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80%
- 5. 5 Open HUB Statistics • Very High Activity • The most active OWASP Project • 60 contributors, 31 active • 347 years of effort Source: https://www.openhub.net/p/zaproxy
- 6. Some ZAP use cases • Point and shoot – the Quick Start tab • Proxying via ZAP, and then scanning • Manual pentesting • Automated security regression tests • Debugging • Part of a larger security program e.g. ThreadFix, Minion 6
- 7. 7 Version 2.4.0 • UI Changes • Scan Dialogs • Scan Policies • Attack Mode • Advanced Fuzzer • API Changes • Lots of minor enhancements and bug fixes! 2.4.0
- 8. 8 And some more new stuff • Alpha add-ons: • Access Control Testing • Sequence scanning • New scan rules • Community Scripts https://github.com/zaproxy/community-scripts
- 10. More of the same.. • 2.4.0.1 Bugfix release “coming soon” • New/improved active + passive scan rules • New/improved add-ons • Migration to GitHub • Adoption of Maven/Gradle/?? • ... 10
- 11. ZaaS ZAP as a Service 12
- 12. ZAP (desktop) properties 13 Database Data Structures Processes Deployment Users Roles Access Application Lifetime Licence Local HSQLDB Db and in memory One Single machine One One Swing UI / API Hours Apache V2
- 13. ZaaS properties 15 Database Data Structures Processes Deployment Users Roles Access Application Lifetime Licence Enterprise (eg MySQL) Db Multiple Distributed Multiple Multiple Web UI / API Five nines capability Apache V2
- 14. ZaaS todo list • Introduce db independence layer • Support MySQL • Low memory option • Multi-process option • Support multiple users and roles • Add scheduler • Develop web UI • Full security review 16