Thursday, 13 September 2012

OWASP ZAP – the Firefox of web security tools

The OWASP Zed Attack Proxy (otherwise known as ZAP) is a free security tool which you can use to find security vulnerabilities in web applications.
My name is Simon Bennetts, and I am the ZAP Project Leader; there is also an international group of volunteers who develop and support it. Future posts on this blog will describe the features that ZAP provides and how you can use them, but this post will concentrate on the philosophy behind ZAP.
Some of the ideals that have driven ZAP are listed below and will be expanded upon in the rest of this post:
  • help users develop and apply application security skills
  • build a competitive, open source, and community oriented platform
  • provide an extensible platform for testing
  • designed to be easy to use
  • raise the bar for other security tools

Helping users learn about Application Security

Unlike many security tools ZAP is designed to be used by people new to application security as well as security professionals.
My background is in development, and I started playing around with the Paros Proxy (from which I forked ZAP) as a way to learn about security tools. Helping people to learn about application security has been, and will remain, an essential goal for ZAP.
The open nature of ZAP is key here – users can delve into the code to see how it works. Anyone who thinks they can make an improvement has the opportunity to implement those changes, feed them back and be credited for them. Developers can work on ZAP to help them learn about security, and security people can work on ZAP to help them learn about coding.

An Open Source, Community based project

Like all OWASP projects, ZAP is open source and completely free to use. This means that there is no ‘pro’ version, so there is no incentive for us to hold back features for the ‘paid-for’ version. ZAP is also a community based project, which is an important distinction when compared with some other tools.
There are many security tools that are open source but are still tightly controlled by one individual or company. While a user can see how these products work it is often difficult to change them or influence their direction.
Anyone can get involved with the ZAP development – once someone has shown that they can produce good quality code and conform to ZAP guidelines then they can get commit access!
There are plenty of opportunities for non coders to get involved too – testing, documentation, training videos, translating – all contributions are welcomed and credited.

An Extensible platform for testing web applications

In addition to improving the core feature set for ZAP, we are working to ensure that as much of ZAP functionality is implemented as extensions or addons, which can easily be added to existing ZAP releases. This means that new features can be added dynamically without having to wait for full ZAP releases, and also means that we can accommodate features that will only appeal to a small subset of our users.
The ZAP community is very supportive of people who want to learn about coding or security, and we have just benefited from 3 students producing excellent enhancements to ZAP as part of the Google Summer of Code.

Ease of use as a design goal

We realize that developers and functional testers will probably spend a relatively small amount of time using security tools, so we want ZAP to be as intuitive as possible.
But we try to maintain a balance between making things as simple as possible while at the same time not over simplifying them.
While there is no ‘big red button’ in ZAP which will solve all of your security problems,
ZAP provides a set of automated tools which will help individuals assess the security of applications.
ZAP also provides a set of manual tools which can be used by people with more knowledge, which is one of the reasons it has been so enthusiastically adopted by professional pentesters. Inexperienced users can start off using the automated tools and gradually use more and more of the manual features as they improve their knowledge of application security.

Raising the bar for security tools

Another way ZAP can help application security in general is by raising the bar for other security tools, commercial or otherwise. Other products are free to reuse our source code (with acknowledgement;) and also free to copy or be ‘inspired’ by features that are implemented in ZAP.
In fact we welcome such reuse as it will provide the following benefits:
  • improving other tools, which increases user choice
  • broadens the availability of effective security tools
  • allows feature parity across tools which will drive innovation and competition

Conclusion

In conclusion, ZAP is a free, open-source community developed tool aimed at making the online world more secure. Anyone can get involved developing the core engine, or by creating addons which have full access to the core functionality. And that will probably sound vaguely familiar as its very close to the philosophy behind Mozilla Firefox.
Its why I’m working for Mozilla as a security automation engineer, and the justification for this blog’s title:)
If you have any interest in application security then you should download ZAP and try it out. And if you would like to learn more, or help to make ZAP better then please get in touch with me.

Simon Bennetts
OWASP ZAP Project Lead
Mozilla Security Automation Engineer

2 comments:

  1. First of all, thanks a lot for this great tool. I installed this a couple of days ago and the first thing that I noticed that it has a great user interface !!

    I am a beginner in Security Testing and I have used a couple of tools like BurpSuite (free version) and Paros Proxy. Burp has a 'pro' version and Paros Proxy has not been updated for a long time now.

    I have to admit ZAP is far much better than these two in terms of UI and the different working tabs that have been provided. Would be too early to comment on the scanning functionality since I've just started using it.

    Having said that, I did run into a problem with the HTML report that was generated after scanning a vulnerable application. The report had redundant vulnerabilities. Not sure why. Also, it was missing some general information like the website host and headers.

    Also,I am not sure whom I should contact if I want to contribute as a tester for ZAP. Kindly let me know.

    Thanks,
    Anuj Sharma

    ReplyDelete
  2. Hi Anuj,

    Glad you like it :)
    You can either raise issues and/or enhancement requests via the issues page: http://code.google.com/p/zaproxy/issues/list or you can post about them on the dev group: http://groups.google.com/group/zaproxy-develop or just email me directly (psiinon(at)gmail.com)

    All help is appreciated!

    Many thanks,

    Simon

    ReplyDelete