Wednesday, January 30, 2013

OWASP Zed Attack Proxy v 2.0.0

There is a new version of the OWASP Zed Attack Proxy (ZAP) available right now, and there are so many changes in it that we’ve decided to call it version 2.0.0.

If you just want to get stuck in and download it then head over to : it's available for Windows, Linux and Mac OS. 

(Note that the Mac OS specific release is coming soon, but the Linux release is actually cross platform and will work fine on Macs)

And if you want to learn a bit more about the changes then read on...

We can only cover the new features at a high level in one blog post, but the plan is to host a Google hangout demonstrating many of these features at 17:00 UTC on Friday 8th Feb. Details to be announced via

Simon will also be presenting a talk at FOSDEM on Feb 2nd: Practical Security for developers, using OWASP ZAP

New features

An integrated add-ons marketplace
ZAP can be extended by add-ons that have full access to all of the ZAP internals. Anyone can write add-ons and upload them to the ZAP Add-on Marketplace (OK, so its a Google code project called zap-extensions, but you get the idea).
More importantly you can now browse, download and install those add-ons from within ZAP. Most add-ons can be dynamically installed (and uninstalled) so you wont even need a restart.
You can choose to be notified of updates, and even be automatically updated. And as the scan rules are now implemented as add-ons you can get the latest rules as soon as they are published.

A replacement for the 'standard' Spider
The ‘old’ Spider was showing its age, so its been completely rewritten, and is much faster and more comprehensive than the old one. This is still a 'traditional' spider that analyses the HTML code for any links it can find.

A new 'Ajax' spider
In addition to the 'traditional' spider we've added an Ajax spider which is more effective with applications that make heavy use of JavaScript. This uses the Crawljax project which drives a browser (using Selenium) and so can discover any links an application generates, even ones generated client side.

Web Socket support
ZAP now supports WebSockets, so ZAP can now see all WebSocket messages sent to and from your browser. As with HTTP based messages, ZAP can also intercept WebSocket messages and allows you to change them on the fly.
You can also fuzz WebSockets messages as well using all of the fuzzing payloads included in ZAP from projects like JBroFuzz and fuzzdb. And of course you can easily add your own fuzzing files.

Quick Start tab
The first main tab you will now see is a ‘Quick Start’ tab which allows you to just type in a URL and scan it with one click.
This is an ideal starting point for people new to application security, but experts can easily remove it if they find it distracting.

Session awareness
ZAP is now session aware, so it can recognise and keep track of multiple sessions. It allows you to create new sessions, switch between them, and applies to all of the other components, like the Spider and Active Scanner.

User defined Contexts
You can now define any number of ‘contexts’ - related sets of URLs which make up an application. You can then target all URLs in a context, for example using the Spider or Active Scanner. You can also add the contexts to the scope, and associate other information, such as authentication details.

Session scope
The session scope allows you to specify which contexts you are interested at any one time. You can restrict what you see in various tabs to just the URLs in scope, and prevent accidentally attacking URLs not in scope by using the Protected mode.

Different modes
ZAP now supports 3 modes:
    • Safe, in which no potentially dangerous operations permitted
    • Protected, in which you can perform any actions on URLs in scope
    • Standard, in which you can do anything to any URLs

A scripting console
This allows you to access any internal ZAP data structures dynamically using any scripting language that supports JSR 223,

Authentication handling
You can now associate authentication details with any context, which allows ZAP to do things like detect if and when you are logged out and automatically log you back in again. This is especially useful when used via the API in security regression tests.

More API support
The REST API has been significantly extended, giving you much more access to the functionality ZAP provides.

Fine grained scanning controls
The active scan rules can now be tuned to adjust their strength (the number of attacks they perform) and the threshold at which they report potential issues.

New and improved active and passive scanning rules
We have uploaded the results from running ZAP 2.0.0 against wavsep (the most comprehensive open source evaluation project we are aware of) to the ZAP wiki:

Many stability and usability fixes

Many thanks to everyone who has contributed code, language files, enhancement requests, bug reports and general feedback.
And a special mention to the 3 Google Summer of Code students who implemented key features in this release:
  • Cosmin Stefan : Spider and Session awareness
  • Guifre Ruiz : Ajax Spider
  • Robert Koch : WebSockets

If you have any questions about this release then you can add a comment here or post them to the ZAP users group.

Friday, January 25, 2013

OWASP AppSecEU Research 2013: CfPs released

Hi folks,

After having some luck and with a little bit of work in order to constitute two splendid program committees we're just released the "Call for Ps". One for the research track, one regular industry tracks:

If you think you can contribute with your presentation or paper something to the topics listed in the CfPs, you're
cordially invited to submit a proposal.

We look forward to a great http://AppSec.EU/ conference this August in Hamburg.

Feel free to spread the word.


Dirk Wetter

Tuesday, January 22, 2013

Premier Software Security Conference Boots Up in NYC, November 18-21

Premier Software Security Conference Boots Up in NYC, November 18-21

Software powers the world, but inadequately secured software threatens safety, trust and economic growth; AppSec USA 2013 calls all Builders, Breakers and Defenders

NEW YORK, NY January 22, 2013— AppSec USA 2013 (, the premier software security conference for Builders, Breakers and Defenders, will be held November 18-21 at the Marriott Marquis, in Times Square, New York City. Now in its ninth year, AppSec USA brings together leading global experts in software security for four days of discussion, training, exhibition and competition.

"OWASP is consistently the best security conference I attend every year," said Stephan Debelle, Security Analyst, Unilever. "As an East Coast conference, it is a must-attend event for all executives and technologists involved in business application software. I have met senior security officers from Goldman Sachs, UBS, Morgan Stanley and other leading firms, along with representatives of the Federal Government. AppSec USA is a great investment, whether you are a vendor or a security professional who wants to keep abreast of how and where the next wave of cyber-attacks will come from."

"Sony, Global Payments, Yahoo, Wyndham, eHarmony, Zappos, Wells Fargo and countless other organizations have experienced data breaches in the past year," said Tom Brennan, International Board of Directors, OWASP. "At AppSec USA 2013, we will hold spotlights on the adversaries’ latest techniques and share first-hand experience and advanced research that attendees need to develop a risk-based strategy."

Established in 2004, AppSec USA is the marquee North American conference from the OWASP Foundation Inc., a global, free and open non-profit community focused on improving the security of application software. As in previous years, AppSec USA 2013 will include a hands-on hacking capture-the-flag competition, along with extensive hands-on training and an exhibition hall featuring the most exciting companies in the software security industry.

"OWASP is an organization that professionals in the software security field should consider joining," said Joe Bernik, Head of Global Technology Risk Management, The Bank of New York Mellon. "In addition to providing the latest news and updates on the industry, they give great guidance on the latest tools as they become available and also have some of the brightest individuals in our field to judge your code. Additionally it's a great organization for networking."

Five Reasons to Attend AppSec USA 2013:
1. Insightful keynote addresses delivered by leading industry visionaries from thought leaders of critical infrastructure.
2. Over 50 sessions across 4 tracks (Builder/Breaker/Defender) with world-renowned subject matter experts
3. Over 2,000 attendees exclusively focused on Software Security
4. 30-minute, 60-minute and 90-minute sessions are offered so you can acquire more knowledge and maximize your Conference learning experience
5. Convenience of Midtown Manhattan

Past attendees of AppSec USA have included representatives from Adobe, Akamai, Amazon, Bank of New York Mellon, Cisco, Cox Communications, Electronic Arts, Exxon Mobile, Facebook, Goldman Sachs, JP Morgan, Square, Twitter, Morgan Stanley, Lockheed Martin, Oracle, UBS, Unilever, Visa, Medco, Pfizer, Roche, Cushman & Wakefield, Wells Fargo. For more information, including sponsorship and early-bird discounts, visit:

Monday, January 7, 2013

Registration now open for AppSec APAC 2013!

We are pleased to announce that registration is now open for AppSec APAC 2013. Please visit the website for more information on how to register for the event.

The OWASP South Korea chapter will host the OWASP AppSec APAC 2013 conference in Jeju, South Korea at the Hyatt Regency Jeju. The event will be composed of 2 days of training (February 19-20), followed by 2 days of conference talks (February 21-22). 

Chapter Leader Workshop

Sign up for the chapter leader workshop taking place on Wednesday evening, February 20th from 6:30 to 9:30 pm. The Chapter Leader Workshop will continue to follow the Q & A format used during AppSec USA and AppSec LATAM. Questions and discussion will focus on sections of the Chapter Leader Handbook, OWASP Global Chapter resources, and local chapter challenges. Dinner will be provided for workshop participants.

To confirm your participation in the event, register for the conference and be sure to select "Chapter Leader Workshop" as an optional registration item. Please make sure you register before January 8th 2013 to ensure you are allocated a spot at the workshop.


Training Classes have now been posted to the website. See below for a sneak peek at some of our class offerings. Please visit the Appsec APAC 2013 website for the complete list. 

Two Day Training Courses

• Advanced Android and iOS Hands-on Exploitation Course: This fast-paced workshop will get you familiar with the various Android as well as iOS exploitation techniques, and bypassing most of the existing security models in both of the platforms. We will also discuss about a framework, which we have made for Android Exploitation, named as the Android Framework for Exploitation, which will help security researchers to perform automated and in-depth analysis of bug hunting and security assessment of Android Application and platforms.

• HACKED - The OWASP Top 10 - Incident Response: After completing this course, you will possess the skills to successfully conduct a basic network intrusion investigation that adheres to a formal methodology to ensure the admissibility of evidence in a court of law and ultimately increases the chances of apprehending the intruder. You will engage in hands-­‐on labs and instructor demos of network intrusion concepts in a “real-­‐world” environment. The real-­‐world environment is made possible through the use of Virtual Machines (VMs). Each VM is pre-­‐configured to mimic the different Operating Systems(OSs), network environments and intrusion issues that you may encounter.

One Day Training Courses

• CISO training: Managing Web & Application Security for Senior Managers: Setting up, managing and improving your global information security organisation using mature OWASP projects and tools. Achieving cost-effective application security and bringing it all together on the management level. How to use and leverage OWASP and other common best practices to improve your security programs and organization. The workshop will also discuss a number of quick wins and how to effectively manage global security initiatives and use OWASP tools inside your organisation. The author has extensive experience of managing his own secure development organization as well as advising to improve a number of global secure development organisations and processes.

• Approaching Secure Code – Where do I start?: Regardless of your chosen/mandated framework for building web applications: Spring, Struts, Rails, PHP, Python, etc., you want to make your life easier, and potentially less embarrassing. Don’t be the one who left the door open for hackers. Learn handy tips from one of the world’s leading AppSec experts.


Keynote speakers and presentations have now been selected and posted. Please visit the Appsec APAC 2013 website for more information, and for the complete list of speakers.  


Speakers for the conference have now been selected and posted. Please visit the Appsec APAC 2013 website for a complete list of speaker bios and talk descriptions. 

If you have any questions, please email the conference committee:

Friday, January 4, 2013

Welcome 2013 - This is YOUR Year!

Happy New Year!

2012 is now part of our past experience and many of us are looking for opportunities to challenge ourselves in the coming year.  If you have resolved to expand your professional network, increase your industry knowledge and skills, or to make a difference in the security and safety of our expanding cyber world, please step forward and GET INVOLVED!
The Open Web Application Security Project (OWASP) is a 501(c)(3) worldwide not-for-profit charitable organization focused on improving the security of software. Our mission is to make software security visible, so that individuals and organizations worldwide can make informed decisions about true software security risks.
OWASP is a Platform organization.  This means that our community drives our direction.  You are invited to participate in the first series of Global Meetings to help set that direction and to find opportunities to help drive our mission.

First Meetings will be held January 10th 2013 at 9am and again at 9pm EST

To register for the 9am meeting, reserve your webinar seat now at: 
To register for the 9pm meeting, reserve your webinar seat now at: 

This year is going to be spectacular!  Please don't miss out on the opportunity to make a difference in your profession!