SlideShare a Scribd company logo

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up

Download as ODP, PDF
G
gmaran23

The document introduces OWASP ZAP, an open-source web application security testing tool designed for developers, emphasizing its ease of use and the importance of integrating security throughout the development lifecycle. It discusses the common security challenges faced by developers and highlights the benefits of using ZAP for proactive security testing and vulnerability management. The conclusion encourages developers to incorporate security tools, such as ZAP, into their workflows for better application security.

Software
Related topics:
Security Testing
1 of 22
Downloaded 35 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Dot Net Bangalore Bangalore 21 Feb 2015 Security Testing for Developers using OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor gmaran23@gmail.com Watch the screen recording of this presentation at https://vimeo.com/120481276
2 Overview • Why you should use ZAP • Introduction • Demo – Quick Scan • ZAP Use cases • ZAP API – Demo • ZAP Script – Demo • ZAP Automation - Demo
3 The problems • Most developers know very little about security • Most companies have very few application security folks • External consultants cost $$$$$ • Security testing is done late in the application development lifecycle (it at all is done)
4 Part of the Solution • Use a security tool like ZAP in development  • In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews, professional pentesting…
5 What is ZAP? •An easy to use webapp pentest tool •Completely free and open source •Ideal for beginners •But also used by professionals •Ideal for devs, esp. for automated security tests •Becoming a framework for advanced testing •Included in all major security distributions •ToolsWatch.org Top Security Tool of 2013 / 2014 •Not a silver bullet!
6 ZAP Principles •Free, Open source (always) •Involvement actively encouraged •Cross platform (write once, run anywhere) •Easy to use (point and shoot) •Easy to install (unzip & run) •Internationalized (speaks 20+ languages) •Fully documented (publish a book) •Work well with other tools •Reuse well regarded components (JBroFuzz, fuzzdb, DirBuster, CrawlJax, SQLMap?)
7 Ohloh Statistics •Very High Activity •The most active OWASP Project •29 active contributors •278 years of effort • • • • •Source: http://www.ohloh.net/p/zaproxy
8 Why use ZAP? •Any application exposed to the internet will be attacked •Who will find the vulnerabilities? •You? •A security researcher •The bad guys •Finding and fixing bugs early is the key •Attacking apps makes you a better developer •
9 Point and Click Scan - Demo
10 Face/off with John Travolta and Nicolas Cage
11 Security Regression Testing Well, let me watch you here!
12 Security Regression Testing Well, let me watch you here!
13 ZAP API demo Headless attack!
14 ZAP Scripting
15 The Main Features All the essentials for web application testing •Intercepting Proxy •Active and Passive Scanners •Traditional and Ajax Spiders •WebSockets support •Forced Browsing (using OWASP DirBuster code) •Fuzzing (using fuzzdb & OWASP JBroFuzz) •Online Add-ons Marketplace
16 The Additional Features • Auto tagging • Port scanner • Session comparison • Invoke external apps • API + Headless mode • Dynamic SSL Certificates • Anti CSRF token handling •
17 The Developer Features • Quick start • Intercepting proxy • Web client monitoring • WebSockets support • Standard/Protected/Safe • API + Headless mode • Java, Python… API clients • Anti CSRF token handling •
ZAP 2.4.0 Splash Screen Unused tabs hidden Scan dialogs with advanced options Attack modes Advanced fuzzing Sequence scanning Access control testing
ZAP - Get Involved Use the tool Recommend Write Add-ons Write Scanners / Scripts Report bugs
ZAP – Get Involved https://code.google.com/p/zaproxy/wiki/GetInvolve
Conclusion • Consider security at all stages of development cycle • OWASP ZAP is ideal for automating security tests • It is also a great way to learn about security “Man is a tool-using animal. Without tools he is nothing, with “right set of” tools he is all”
Any Questions? http://www.owasp.org/index.php/ZAP

More Related Content

ODP
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
ODP
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
PDF
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
PDF
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
ODP
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
ODP
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
ODP
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
ODP
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 
Automating Web Application Security Testing With OWASP ZAP DOT NET API - Tech...
gmaran23
 
OWASP Zed Attack Proxy Demonstration - OWASP Bangalore Nov 22 2014
gmaran23
 
N Different Strategies to Automate OWASP ZAP - Cybersecurity WithTheBest - Oc...
gmaran23
 
N Different Strategies to Automate OWASP ZAP - OWASP APPSec BUCHAREST - Oct 1...
gmaran23
 
OWASP 2013 EU Tour Amsterdam ZAP Intro
Simon Bennetts
 
Automating OWASP ZAP - DevCSecCon talk
Simon Bennetts
 
OWASP 2012 AppSec Dublin ZAP Intro
Simon Bennetts
 
OWASP 2013 Limerick - ZAP: Whats even newer
Simon Bennetts
 

What's hot (20)

PDF
Owasp zap
ColdFusionConference
 
ODP
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
PPTX
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
ODP
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
ODP
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
ODP
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
ODP
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
ODP
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
ODP
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
ODP
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
PDF
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
PDF
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert
 
ODP
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
PPTX
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
PPTX
Security Testing - Zap It
Manjyot Singh
 
ODP
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
PPTX
ZAP @FOSSASIA2015
Sumanth Damarla
 
ODP
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
PPTX
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
PPTX
Zap vs burp
Tomasz Fajks
 
Owasp zap
ColdFusionConference
 
2014 ZAP Workshop 1: Getting Started
Simon Bennetts
 
Devouring Security Insufficient data validation risks Cross Site Scripting
gmaran23
 
JoinSEC 2013 London - ZAP Intro
Simon Bennetts
 
BlackHat 2014 OWASP ZAP Turbo Talk
Simon Bennetts
 
BSides Manchester 2014 ZAP Advanced Features
Simon Bennetts
 
OWASP 2014 AppSec EU ZAP Advanced Features
Simon Bennetts
 
JavaOne 2014 Security Testing for Developers using OWASP ZAP
Simon Bennetts
 
OWASP 2013 APPSEC USA Talk - OWASP ZAP
Simon Bennetts
 
2014 ZAP Workshop 2: Contexts and Fuzzing
Simon Bennetts
 
Zed Attack Proxy (ZAP)
JAINAM KAPADIYA
 
Using the Zed Attack Proxy as a Web App testing tool
David Sweigert
 
OWASP 2015 AppSec EU ZAP 2.4.0 and beyond..
Simon Bennetts
 
Learn to pen-test with OWASP ZAP
Paul Ionescu
 
Security Testing - Zap It
Manjyot Singh
 
AllDayDevOps ZAP automation in CI
Simon Bennetts
 
ZAP @FOSSASIA2015
Sumanth Damarla
 
OWASP 2013 APPSEC USA ZAP Hackathon
Simon Bennetts
 
OWASP Zed Attack Proxy
Fadi Abdulwahab
 
Zap vs burp
Tomasz Fajks
 
Ad

Similar to Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up (20)

PPT
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
PPTX
Security testing using zap
Confiz Limited
 
PPTX
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
PPT
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
PDF
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
ODP
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Tabăra de Testare
 
PDF
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
PPTX
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
PDF
Automating OWASP Tests in your CI/CD
rkadayam
 
PPTX
The OWASP Zed Attack Proxy
Aditya Gupta
 
PPTX
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
PPTX
AppSec DC 2019 ASVS 4.0 Final.pptx
Josh Grossman
 
ODP
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
ODP
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
PPTX
An Introduction to ZAP by Checkmarx - Official Version
Simon Bennetts
 
PPT
App Assessments Reloaded
Ernest Mueller
 
PDF
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
ODP
Simon Bennetts - Automating ZAP
DevSecCon
 
PDF
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
PPTX
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
AppSec EU 2011 - An Introduction to ZAP by Simon Bennetts
Magno Logan
 
Security testing using zap
Confiz Limited
 
10 Useful Testing Tools for Open Source Projects @ TuxCon 2015
Peter Sabev
 
Automating security test using Selenium and OWASP ZAP - Practical DevSecOps
Mohammed A. Imran
 
DAST in CI/CD pipelines using Selenium & OWASP ZAP
srini0x00
 
Zed Attack Proxy (ZAP) Quick Intro - TdT@Cluj #20
Tabăra de Testare
 
we45 DEFCON Workshop - Building AppSec Automation with Python
Abhay Bhargav
 
[Wroclaw #5] OWASP Projects: beyond Top 10
OWASP
 
Automating OWASP Tests in your CI/CD
rkadayam
 
The OWASP Zed Attack Proxy
Aditya Gupta
 
AppSec DC 2019 ASVS 4.0 Final.pptx
TuynNguyn819213
 
AppSec DC 2019 ASVS 4.0 Final.pptx
Josh Grossman
 
OWASP 2013 AppSec EU Hamburg - ZAP Innovations
Simon Bennetts
 
2017 Codemotion OWASP ZAP in CI/CD
Simon Bennetts
 
An Introduction to ZAP by Checkmarx - Official Version
Simon Bennetts
 
App Assessments Reloaded
Ernest Mueller
 
Silent web app testing by example - BerlinSides 2011
Abraham Aranguren
 
Simon Bennetts - Automating ZAP
DevSecCon
 
AppSec & OWASP Top 10 Primer
ThreatReel Podcast
 
Zed attack proxy [ What is ZAP(Zed Attack Proxy)? ]
raj upadhyay
 
Ad

More from gmaran23 (12)

PDF
First Software Security Netherlands Meet Up - Delft - 18 May 2017
gmaran23
 
PPTX
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
gmaran23
 
PDF
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
gmaran23
 
PDF
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
gmaran23
 
PDF
Performance Appraisals in Agile Environment Nagesh Sharma
gmaran23
 
PPTX
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
gmaran23
 
PPTX
What Can I Learn From You?
gmaran23
 
PPTX
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
PPTX
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
PPTX
Six steps for securing offshore development
gmaran23
 
PPTX
Devouring Security XML Attack surface and Defences
gmaran23
 
PPT
Devouring Security Sqli Exploitation and Prevention
gmaran23
 
First Software Security Netherlands Meet Up - Delft - 18 May 2017
gmaran23
 
What is new in OWASP Top 10 2017 (RC) - Prowareness Tech Talk Tuesdays - 20 J...
gmaran23
 
The Impact of Culture on Distributed Agile - DiscussAgile - May 07 2016
gmaran23
 
Prioritizing Portfolio Backlog to Maximize Value Steve Mayner Agile Asia 2016
gmaran23
 
Performance Appraisals in Agile Environment Nagesh Sharma
gmaran23
 
How to Kick Start a New Scrum Team - Agility and HR at Delft Netherlands 21 J...
gmaran23
 
What Can I Learn From You?
gmaran23
 
Beefing Up Security In ASP.NET Part 2 Dot Net Bangalore 4th meet up on August...
gmaran23
 
Beefing Up Security In ASP.NET Dot Net Bangalore 3rd meet up on May 16 2015
gmaran23
 
Six steps for securing offshore development
gmaran23
 
Devouring Security XML Attack surface and Defences
gmaran23
 
Devouring Security Sqli Exploitation and Prevention
gmaran23
 

Recently uploaded (20)

PPTX
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
PPTX
Materi_Pemrograman_Komputer-Looping.pptx
RanuFajar1
 
PDF
Understanding NFT Marketplace Development_ Trends and Innovations.pdf
oliverethanrobin
 
PPTX
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
PDF
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
PPTX
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
PDF
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
PPTX
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
PDF
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
PPTX
Mini project ppt template for panimalar Engineering college
ashrafarif507
 
PDF
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
PPT
Introduction Database Management System for Course Database
ReinertYosua
 
PDF
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
PPTX
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
PPTX
CRUISE TICKETING SYSTEM | CRUISE RESERVATION SOFTWARE
philipnathen82
 
PPTX
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
PDF
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
PDF
5 Lead Qualification Frameworks Every Sales Team Should Use
CRMLeaf
 
PDF
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
PPTX
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 
ManageIQ - Sprint 268 Review - Slide Deck
ManageIQ
 
Materi_Pemrograman_Komputer-Looping.pptx
RanuFajar1
 
Understanding NFT Marketplace Development_ Trends and Innovations.pdf
oliverethanrobin
 
Essential Infomation Tech presentation.pptx
pradeepjava2016
 
Flood Susceptibility Mapping Using Image-Based 2D-CNN Deep Learnin. Overview ...
lawrenceomai2
 
Lecture 3: Operating Systems Introduction to Computer Hardware Systems
hci7se
 
SAP S4 Hana Brochure 3 (PTS SYSTEMS AND SOLUTIONS)
pts464036
 
Oracle E-Business Suite: A Comprehensive Guide for Modern Enterprises
Conacent Consulting
 
Understanding Forklifts - TECH EHS Solution
TECH EHS Solution
 
Mini project ppt template for panimalar Engineering college
ashrafarif507
 
T3DD25 TYPO3 Content Blocks - Deep Dive by André Kraus
Andre Kraus
 
Introduction Database Management System for Course Database
ReinertYosua
 
Raksha Bandhan Grocery Pricing Trends in India 2025.pdf
Actowiz Solustions
 
CHAPTER 12 - CYBER SECURITY AND FUTURE SKILLS (1) (1).pptx
AnujKumar530915
 
CRUISE TICKETING SYSTEM | CRUISE RESERVATION SOFTWARE
philipnathen82
 
Agentic AI : A Practical Guide. Undersating, Implementing and Scaling Autono...
IT IDOL Technologies
 
Claude Code: Everyone is a 10x Developer - A Comprehensive AI-Powered CLI Tool
William Chong
 
5 Lead Qualification Frameworks Every Sales Team Should Use
CRMLeaf
 
Why TechBuilder is the Future of Pickup and Delivery App Development (1).pdf
TechBuilder
 
VVF-Customer-Presentation2025-Ver1.9.pptx
blackmambaettijean
 

Practical Security Testing for Developers using OWASP ZAP at Dot Net Bangalore 2nd meet up

  • 1. The OWASP Foundation http://www.owasp.org Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. Dot Net Bangalore Bangalore 21 Feb 2015 Security Testing for Developers using OWASP ZAP The OWASP Zed Attack Proxy Marudhamaran Gunasekaran Zap Contributor [email protected] Watch the screen recording of this presentation at https://vimeo.com/120481276
  • 2. 2 Overview • Why you should use ZAP • Introduction • Demo – Quick Scan • ZAP Use cases • ZAP API – Demo • ZAP Script – Demo • ZAP Automation - Demo
  • 3. 3 The problems • Most developers know very little about security • Most companies have very few application security folks • External consultants cost $$$$$ • Security testing is done late in the application development lifecycle (it at all is done)
  • 4. 4 Part of the Solution • Use a security tool like ZAP in development  • In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews, professional pentesting…
  • 5. 5 What is ZAP? •An easy to use webapp pentest tool •Completely free and open source •Ideal for beginners •But also used by professionals •Ideal for devs, esp. for automated security tests •Becoming a framework for advanced testing •Included in all major security distributions •ToolsWatch.org Top Security Tool of 2013 / 2014 •Not a silver bullet!
  • 6. 6 ZAP Principles •Free, Open source (always) •Involvement actively encouraged •Cross platform (write once, run anywhere) •Easy to use (point and shoot) •Easy to install (unzip & run) •Internationalized (speaks 20+ languages) •Fully documented (publish a book) •Work well with other tools •Reuse well regarded components (JBroFuzz, fuzzdb, DirBuster, CrawlJax, SQLMap?)
  • 7. 7 Ohloh Statistics •Very High Activity •The most active OWASP Project •29 active contributors •278 years of effort • • • • •Source: http://www.ohloh.net/p/zaproxy
  • 8. 8 Why use ZAP? •Any application exposed to the internet will be attacked •Who will find the vulnerabilities? •You? •A security researcher •The bad guys •Finding and fixing bugs early is the key •Attacking apps makes you a better developer •
  • 9. 9 Point and Click Scan - Demo
  • 10. 10 Face/off with John Travolta and Nicolas Cage
  • 15. 15 The Main Features All the essentials for web application testing •Intercepting Proxy •Active and Passive Scanners •Traditional and Ajax Spiders •WebSockets support •Forced Browsing (using OWASP DirBuster code) •Fuzzing (using fuzzdb & OWASP JBroFuzz) •Online Add-ons Marketplace
  • 16. 16 The Additional Features • Auto tagging • Port scanner • Session comparison • Invoke external apps • API + Headless mode • Dynamic SSL Certificates • Anti CSRF token handling •
  • 17. 17 The Developer Features • Quick start • Intercepting proxy • Web client monitoring • WebSockets support • Standard/Protected/Safe • API + Headless mode • Java, Python… API clients • Anti CSRF token handling •
  • 18. ZAP 2.4.0 Splash Screen Unused tabs hidden Scan dialogs with advanced options Attack modes Advanced fuzzing Sequence scanning Access control testing
  • 19. ZAP - Get Involved Use the tool Recommend Write Add-ons Write Scanners / Scripts Report bugs
  • 20. ZAP – Get Involved https://code.google.com/p/zaproxy/wiki/GetInvolve
  • 21. Conclusion • Consider security at all stages of development cycle • OWASP ZAP is ideal for automating security tests • It is also a great way to learn about security “Man is a tool-using animal. Without tools he is nothing, with “right set of” tools he is all”