Projects/OWASP Zed Attack Proxy Project/Pages/Talks
2013 November 6: OWASP Baltimore Chapter Hands-on introduction to OWASP BWA and ZAP
This interactive session will provide an introduction to two OWASP Projects:
- Broken Web Application (BWA) project, which releases a free virtual machine running web applications with known security vulnerabilities.
- Zed Attack Proxy (ZAP) project, which produces a free tool for testing web applications.
The goal of the session is to get attendees started working with these projects and comfortable to continue using them for self-study if desired. The OWASP BWA VM includes a variety of training applications that are well suited for people at a variety of skill levels.
2013 November 7: OWASP Los Angeles Chapter Ben Walther: Whiz, Bang, ZAP! An introduction to OWASP's Zed Attack Proxy.
The OWASP Zed Attack Proxy (ZAP) is "an easy to use integrated penetration testing tool for finding vulnerabilities in web applications."
The technology is comparable to IBM AppScan and HP WebInspect - but free, open source and maintained by OWASP volunteers.
The project has seen a tremendous amount of development lately. Learn about the tool, what it can do for you, and optionally bring your laptop to follow along as we use it to test some (purposefully insecure) web applications.
2013 November 14: DEVOXX Antwerp David Tillemans: Security test automation in software development using open source tools
Writing secure software is better than plugging holes. A high level of automation is essential for building security into your software development lifecycle.
David Tillemans, application security expert at Smals (www.smals.be), will talk about some standard security checks and demonstrate the essential testing tools.
Findbugs and PMD are well know open source tools offering great security oriented features.
ZAProxy, a web application security scanner developed by OWASP (Open Web Application Security Project), is great for testing the security issues of the web frontend. It can be integrated in your test driven development lifecycle. The session will demonstrate the integration of ZAproxy into Maven using a plugin and how to perform automatic web security scans based on your Selenium tests.
2013 November 20: AppSec USA New York Simon Bennetts: ZAP Innovations
The Zed Attack Proxy (ZAP) is now one of the most popular OWASP projects.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.
This talk will focus on the latest changes to ZAP and the plans for it’s future.
Due to the growing number of people working on ZAP, and the fact that there are 5 ZAP related Google Summer of Code 2013 projects, the content of the talk will be announced closer to the conference date.
2013 November 21: AppSec USA New York Simon Bennetts: ZAP Hackathon
This session is a chance for people to learn how to work on ZAP from the ZAP Project Leader. ZAP is a community project, and as such participation is actively encouraged.
Simon will explain the numerous ways in which individuals and companies can contribute to ZAP. He will also explain how the code is structured and explain how any part of the project can be changed. Working on ZAP is a great way to learn more about web application security.
Being able to change the code means that you can add and change any features you want, either just for you own benefit or to contribute back to the community. There will be time set aside for hacking ZAP, with Simon on hand to answer any questions and give any guidance required.
This is a great opportunity to be part of the fastest growing and most active OWASP project.
During this session, Simon will:
- Explain how people can contribute to ZAP.
- Demonstrate how to set up a ZAP development environment.
- Explain ZAP code structure.
- Show people how to code scripts, active/passive scan rules, add-ons, core changes and improve the docs and localization.
- Let people hack the ZAP code and docs with full support and guidance.