Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..

3,760 views

Published on

Slides from my OWASP AppSec EU talk on May 21st 2015 on ZAP 2.4.0 and beyond..

Published in: Internet
  • Hey guys! Who wants to chat with me? More photos with me here 👉 http://www.bit.ly/katekoxx
       Reply 
    Are you sure you want to  Yes  No
    Your message goes here

OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..

  1. 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. ZAP 2.4.0 and beyond... Simon Bennetts OWASP ZAP Project Lead Mozilla Security Team psiinon@gmail.com OWASP AppSec EU Amsterdam 2015
  2. 2. 2 What is ZAP? • An easy to use webapp pentest tool • Completely free and open source • OWASP Flagship project • Ideal for beginners • But also used by professionals • Ideal for devs, esp. for automated security tests • Included in all major security distributions • ToolsWatch.org Top Security Tools of 2013/2014 • On the ThoughtWorks Tech Radar (as of May) • Not a silver bullet!
  3. 3. 3 ZAP Principles • Free, Open source • Involvement actively encouraged • Cross platform • Easy to use • Easy to install • Internationalized • Fully documented • Work well with other tools • Reuse well regarded components
  4. 4. 4 Statistics • Released September 2010, fork of Paros • V 2.4.0 released in April 2015 • V 2.4.0 downloaded > 32K times • Translated into 30 languages • Over 130 translators • Mostly used by Professional Pentesters? • Paros code: ~20% ZAP Code: ~80%
  5. 5. 5 Open HUB Statistics • Very High Activity • The most active OWASP Project • 60 contributors, 31 active • 347 years of effort Source: https://www.openhub.net/p/zaproxy
  6. 6. Some ZAP use cases • Point and shoot – the Quick Start tab • Proxying via ZAP, and then scanning • Manual pentesting • Automated security regression tests • Debugging • Part of a larger security program e.g. ThreadFix, Minion 6
  7. 7. 7 Version 2.4.0 • UI Changes • Scan Dialogs • Scan Policies • Attack Mode • Advanced Fuzzer • API Changes • Lots of minor enhancements and bug fixes! 2.4.0
  8. 8. 8 And some more new stuff • Alpha add-ons: • Access Control Testing • Sequence scanning • New scan rules • Community Scripts https://github.com/zaproxy/community-scripts
  9. 9. So whats next? 9
  10. 10. More of the same.. • 2.4.0.1 Bugfix release “coming soon” • New/improved active + passive scan rules • New/improved add-ons • Migration to GitHub • Adoption of Maven/Gradle/?? • ... 10
  11. 11. ZaaS ZAP as a Service 12
  12. 12. ZAP (desktop) properties 13 Database Data Structures Processes Deployment Users Roles Access Application Lifetime Licence Local HSQLDB Db and in memory One Single machine One One Swing UI / API Hours Apache V2
  13. 13. ZaaS properties 15 Database Data Structures Processes Deployment Users Roles Access Application Lifetime Licence Enterprise (eg MySQL) Db Multiple Distributed Multiple Multiple Web UI / API Five nines capability Apache V2
  14. 14. ZaaS todo list • Introduce db independence layer • Support MySQL • Low memory option • Multi-process option • Support multiple users and roles • Add scheduler • Develop web UI • Full security review 16
  15. 15. Questions? http://www.owasp.org/index.php/ZAP

×