Writing secure software is better than plugging holes. A high level of automation is essential for building security into your software development lifecycle.
David Tillemans, application security expert at Smals (www.smals.be), will talk about some standard security checks and demonstrate the essential testing tools.
Findbugs and PMD are well-known open source tools offering great security-oriented features.
ZAProxy, a web application security scanner developed by OWASP (Open Web Application Security Project), is great for testing the security issues of the web frontend. It can be integrated into your test-driven development lifecycle. The session will demonstrate the integration of ZAProxy into Maven using a plugin and how to perform automatic web security scans based on your Selenium tests.
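One way to turn the ZAP-plus-Selenium flow described above into a build gate, as an added example that is not part of the talk or of the Maven plugin it demonstrates: ZAP is started in daemon mode as the proxy the Selenium tests run through, and afterwards the JSON API is queried for alerts, de-duplicated and checked against a risk threshold. The alerts endpoint, the alert field names and the sample JSON below are assumptions, so check them against the ZAP version you run.

```python
import json
import urllib.request
from collections import Counter
from urllib.parse import quote

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample of the JSON alerts view; field names are assumed, not
# taken from the page. The first two alerts are deliberate duplicates.
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:9000/app/search", "param": "q"},
    {"alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "url": "http://localhost:9000/app/search", "param": "q"},
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium",
     "url": "http://localhost:9000/app/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low",
     "url": "http://localhost:9000/app/login", "param": "JSESSIONID"},
]})

def fetch_alerts(zap="http://localhost:8080", target="http://localhost:9000/app"):
    """Pull alerts for one site from a ZAP started with -daemon (assumed API path)."""
    url = f"{zap}/JSON/core/view/alerts/?baseurl={quote(target, safe='')}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return resp.read().decode()

def parse_alerts(raw_json):
    """De-duplicate on (name, risk, url, param): passive rules fire once per matching request."""
    seen, unique = set(), []
    for a in json.loads(raw_json).get("alerts", []):
        key = (a.get("alert"), a.get("risk"), a.get("url"), a.get("param", ""))
        if key not in seen:
            seen.add(key)
            unique.append(key)
    return unique

def scan_gate(raw_json, fail_at="Medium"):
    """Return pass/fail plus a per-risk count; the build fails at or above fail_at."""
    alerts = parse_alerts(raw_json)
    threshold = RISK_ORDER[fail_at]
    passed = all(RISK_ORDER.get(r, 0) < threshold for _, r, _, _ in alerts)
    counts = dict(Counter(r for _, r, _, _ in alerts))
    return {"passed": passed, "counts": counts, "alerts": alerts}

if __name__ == "__main__":
    result = scan_gate(SAMPLE_ALERTS_JSON)  # in CI, feed fetch_alerts() instead
    for name, risk, url, param in result["alerts"]:
        print(f"[{risk}] {name} at {url} (param: {param or '-'})")
    print("counts:", result["counts"], "passed:", result["passed"])
    raise SystemExit(0 if result["passed"] else 1)
```

The exit status is what the Maven or CI step should key on; the Selenium tests themselves only need their HTTP proxy pointed at the ZAP daemon.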
The Zed Attack Proxy (ZAP) is now one of the most popular OWASP projects.
It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing as well as being a useful addition to an experienced pen tester's toolbox.
Since its release in 2010 ZAP has gone from strength to strength and is now a flagship OWASP project, with new features being introduced that are currently unavailable in commercial products.
After introducing ZAP to those who have not used it before, Simon will focus on the latest changes to ZAP, including those made during the Google Summer of Code 2013 and innovative initiatives like Plug-n-Hack and the Zest scripting language.
Simon will also demonstrate soon-to-be-released features that have not been seen before and are believed to be not currently possible using equivalent tools.
This session is a chance for people to learn how to work on ZAP from the ZAP Project Leader.
ZAP is a community project, and as such participation is actively encouraged.
Simon will explain the numerous ways in which individuals and companies can contribute to ZAP.
He will also explain how the code is structured and how any part of the project can be changed.
Working on ZAP is a great way to learn more about web application security.
Being able to change the code means that you can add and change any features you want, either just for your own benefit or to contribute back to the community. There will be time set aside for hacking ZAP, with Simon on hand to answer any questions and give any guidance required.
This is a great opportunity to be part of the fastest growing and most active OWASP project.
During this session, Simon will:
Explain how people can contribute to ZAP.
Demonstrate how to set up a ZAP development environment.
Explain ZAP code structure.
Show people how to code scripts, active/passive scan rules, add-ons, core changes and improve the docs and localization.
Let people hack the ZAP code and docs with full support and guidance.
Release description: This release includes the following significant changes:
Fuzzing: Strings in a response can now be fuzzed to try to find vulnerabilities. Anti-CSRF tokens can be detected and automatically regenerated when fuzzing. This functionality is based on code from the OWASP JBroFuzz project.
Dynamic SSL certificates: The support for SSL connections was improved and simplified. Users can now create their own root certificate and distribute it to their HTTP clients.
Daemon mode: Starting ZAP with the "-daemon" command line option will cause it to run in the background in 'headless' mode, meaning that no UI is displayed.
API: An initial API has been implemented in XML, JSON and HTML.
Beanshell integration: The BeanShell is an interactive Java shell that can be used to execute BeanShell scripts. BeanShell integration in OWASP ZAP enables you to write scripts using the ZAP functions and data set.
Full internationalisation: All displayed strings are now fully internationalised.
Localisation: Out of the box support for the following languages: English, Brazilian Portuguese, Chinese, French, German, Greek, Indonesian, Japanese, Polish, Spanish.