OWASP AppSec EU Amsterdam 2015

The OWASP Foundation http://www.owasp.org

ZAP 2.4.0 and beyond... Simon Bennetts, OWASP ZAP Project Lead, Mozilla Security Team, [email protected]

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

What is ZAP?

• An easy to use webapp pentest tool
• Completely free and open source
• OWASP Flagship project
• Ideal for beginners
• But also used by professionals
• Ideal for devs, esp. for automated security tests
• Included in all major security distributions
• ToolsWatch.org Top Security Tools of 2013/2014
• On the ThoughtWorks Tech Radar (as of May)
• Not a silver bullet!

ZAP Principles

• Free, Open source
• Involvement actively encouraged
• Cross platform
• Easy to use
• Easy to install
• Internationalized
• Fully documented
• Work well with other tools
• Reuse well regarded components

Statistics

• Released September 2010, fork of Paros
• V 2.4.0 released in April 2015
• V 2.4.0 downloaded > 32K times
• Translated into 30 languages
• Over 130 translators
• Mostly used by Professional Pentesters?
• Paros code: ~20%, ZAP code: ~80%

Open HUB Statistics

• Very High Activity
• The most active OWASP Project
• 60 contributors, 31 active
• 347 years of effort

Source: https://www.openhub.net/p/zaproxy

Some ZAP use cases

• Point and shoot – the Quick Start tab
• Proxying via ZAP, and then scanning
• Manual pentesting
• Automated security regression tests
• Debugging
• Part of a larger security program e.g. ThreadFix, Minion

Version 2.4.0

• UI Changes
• Scan Dialogs
• Scan Policies
• Attack Mode
• Advanced Fuzzer
• API Changes
• Lots of minor enhancements and bug fixes!
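The "Automated security regression tests" use case and the 2.4.0 API, put together as an added example (not code from the slides or from the ZAP project): a CI job drives a running ZAP instance through its JSON API, waits for the spider and active scan to finish, and fails the build if any alert reaches a chosen risk level. The endpoint paths are ZAP's own JSON API layout (/JSON/<component>/<action|view>/<name>/); the host, port, API key, the fail_at threshold, and the canned DEMO_RESPONSES that stand in for a live ZAP are assumptions made for this script.

```python
"""Gate a CI build on ZAP scan results via the ZAP JSON API.

Added example, not ZAP project code. Base URL, API key, threshold and the
DEMO_RESPONSES below are assumptions; the endpoint paths follow ZAP's
/JSON/<component>/<action|view>/<name>/ API layout.
"""
import json
import time
import urllib.parse
import urllib.request

# ZAP alert risk levels, in ascending severity.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def api_url(base, component, kind, name, apikey=None, **params):
    """Build a ZAP JSON API URL, e.g. <base>/JSON/spider/action/scan/?url=...&apikey=..."""
    query = dict(params)
    if apikey:
        query["apikey"] = apikey
    return "%s/JSON/%s/%s/%s/?%s" % (
        base.rstrip("/"), component, kind, name, urllib.parse.urlencode(query))


def http_get_json(url):
    """Default fetcher: plain GET against a live ZAP, JSON-decoded."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def wait_for_scan(fetch, status_url, poll_seconds=2):
    """Poll a spider/ascan status view (percentage as a string) until it reports 100."""
    while int(fetch(status_url)["status"]) < 100:
        time.sleep(poll_seconds)


def summarise_alerts(alerts):
    """Collapse alerts to one per (rule, url, param) and return (unique, worst risk).
    Recursive scans report the same finding repeatedly; de-duplicating first keeps
    the gate from being driven by repeat count instead of severity."""
    unique = {}
    for alert in alerts:
        key = (alert.get("pluginId") or alert.get("alert"),
               alert.get("url"), alert.get("param", ""))
        unique.setdefault(key, alert)
    worst = max((RISK_ORDER.get(a.get("risk"), 0) for a in unique.values()), default=0)
    return list(unique.values()), worst


def scan_and_gate(target, base="http://127.0.0.1:8080", apikey="changeme",
                  fail_at="High", fetch=http_get_json, poll_seconds=2):
    """Spider, then actively scan, target through ZAP. Returns (unique_alerts, passed)."""
    spider = fetch(api_url(base, "spider", "action", "scan", apikey, url=target))
    wait_for_scan(fetch, api_url(base, "spider", "view", "status", apikey,
                                 scanId=spider["scan"]), poll_seconds)
    ascan = fetch(api_url(base, "ascan", "action", "scan", apikey,
                          url=target, recurse="true"))
    wait_for_scan(fetch, api_url(base, "ascan", "view", "status", apikey,
                                 scanId=ascan["scan"]), poll_seconds)
    alerts = fetch(api_url(base, "core", "view", "alerts", apikey,
                           baseurl=target))["alerts"]
    unique, worst = summarise_alerts(alerts)
    return unique, worst < RISK_ORDER[fail_at]


# Constructed sample responses standing in for a live ZAP, keyed by API path
# (these are made-up findings against a made-up host, not real scan output).
DEMO_RESPONSES = {
    "/JSON/spider/action/scan/": {"scan": "0"},
    "/JSON/spider/view/status/": {"status": "100"},
    "/JSON/ascan/action/scan/": {"scan": "1"},
    "/JSON/ascan/view/status/": {"status": "100"},
    "/JSON/core/view/alerts/": {"alerts": [
        {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
         "url": "http://example.test/login", "param": "user"},
        {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
         "url": "http://example.test/login", "param": "user"},  # duplicate instance
        {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
         "risk": "Low", "url": "http://example.test/", "param": ""},
    ]},
}


def demo_fetch(url):
    """Offline fetcher: answer from DEMO_RESPONSES by API path."""
    return DEMO_RESPONSES[urllib.parse.urlparse(url).path]


def demo():
    """Run the gate against the canned responses; returns (unique_alerts, passed)."""
    return scan_and_gate("http://example.test", fetch=demo_fetch, poll_seconds=0)


if __name__ == "__main__":
    found, passed = demo()
    for a in found:
        print("%-6s %-40s %s" % (a["risk"], a["alert"], a["url"]))
    print("build", "PASSED" if passed else "FAILED")
```

Against a real instance, leave fetch at its default and point base at the ZAP daemon (started with -daemon and the API key it was configured with); demo() exercises the same code path offline. The alerts view returns one entry per finding instance, so the same rule, URL and parameter can appear many times after a recursive scan; summarise_alerts collapses those before the threshold comparison, and lowering fail_at to "Medium" makes the gate stricter without touching the scan itself.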

And some more new stuff

• Alpha add-ons:
  • Access Control Testing
  • Sequence scanning
  • New scan rules
• Community Scripts: https://github.com/zaproxy/community-scripts

So what's next?

More of the same...

• 2.4.0.1 Bugfix release “coming soon”
• New/improved active + passive scan rules
• New/improved add-ons
• Migration to GitHub
• Adoption of Maven/Gradle/??
• ...

ZAP properties

Database            Local HSQLDB
Data Structures     Db and in process
Processes           One
Deployment          Single machine
Users               One
Roles               One
Process Lifetime    Hours
Access              Swing UI / API
Licence             Apache V2

ZaaS: ZAP as a Service

ZAP (desktop) vs ZaaS properties

Property               ZAP (desktop)        ZaaS
Database               Local HSQLDB         Enterprise (eg MySQL)
Data Structures        Db and in memory     Db
Processes              One                  Multiple
Deployment             Single machine       Distributed
Users                  One                  Multiple
Roles                  One                  Multiple
Access                 Swing UI / API       Web UI / API
Application Lifetime   Hours                Five nines capability
Licence                Apache V2            Apache V2

ZaaS todo list

• Introduce db independence layer
• Support MySQL
• Low memory option
• Multi-process option
• Support multiple users and roles
• Add scheduler
• Develop web UI
• Full security review

Questions? http://www.owasp.org/index.php/ZAP

Simon Bennetts - OWASP AppSec Research (AppSecEU) 2015
