Podcasts about owasp zed attack proxy project

  • 9 podcasts
  • 9 episodes
  • 34m average duration
  • Infrequent episodes
  • Latest episode: Apr 13, 2019


Latest podcast episodes about owasp zed attack proxy project

Application Security PodCast
Simon Bennetts — OWASP ZAP: past, present, and future

Apr 13, 2019 · 25:27


Simon Bennetts is the project leader for OWASP ZAP. Simon joined Robert at CodeMash to talk about the origin of ZAP, the new Heads Up Display, and the ZAP API. ZAP is an OWASP Flagship Project and is available here: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project The post Simon Bennetts — OWASP ZAP: past, present, and future appeared first on Security Journey Podcasts.

systemand.online
#87 YES or ...

Nov 9, 2018


Feedback for the show: on Twitter, use #systemand! We'd also be glad if you left an iTunes review! This week's topics: OWASP Zed Attack Proxy Project; ひらくPCバッグnano (Hiraku PC Bag nano); the official site of the TV anime "JoJo's Bizarre Adventure: Golden Wind"; GRIDMAN; TWICE "YES or YES" M/V; MOMOLAND "BAAM -Japanese ver." Note: statements made by the hosts on the show are their personal opinions and are in no way related to the organizations they belong to.

Localhost Podcast
014 - OWASP Top 10

May 4, 2018 · 61:11


Hello from the Internet. In this episode we count down the OWASP Top 10 and explore the implications of each of the issues we should be looking at in securing our applications. Enjoy the show!

## Show Notes

- [OWASP](https://www.owasp.org/index.php/Main_Page)
- [OWASP TOP 10 for 2017](https://www.owasp.org/images/7/72/OWASP_Top_10-2017_%28en%29.pdf.pdf)

### 10. Logs
- Insufficient Logging and Monitoring - https://www.owasp.org/index.php/Top_10-2017_A10-Insufficient_Logging%26Monitoring
- Graylog - https://www.graylog.org/
- Logstash (ELK) - https://www.elastic.co/elk-stack

### 09. Components
- https://www.owasp.org/index.php/Top_10-2017_A9-Using_Components_with_Known_Vulnerabilities
- Safety - Python - https://pyup.io/safety/
- Ruby - http://guides.rubygems.org/security/
- Node - Node Security - https://github.com/nodesecurity/nsp

### 08. Deserialization
- https://www.owasp.org/index.php/Top_10-2017_A8-Insecure_Deserialization

### 07. XSS
- https://www.owasp.org/index.php/Top_10-2017_A7-Cross-Site_Scripting_(XSS)

### 06. Security Misconfiguration
- https://www.owasp.org/index.php/Top_10-2017_A6-Security_Misconfiguration
- How to harden a Linux server:
  - https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-123.pdf
  - https://medium.com/viithiisys/10-steps-to-secure-linux-server-for-production-environment-a135109a57c5
  - https://www.cyberciti.biz/tips/linux-security.html

### 05. Broken Access Control
- https://www.owasp.org/index.php/Top_10-2017_A5-Broken_Access_Control
- Firesheep - https://codebutler.com/projects/firesheep/

### 04. XML External Entities
- https://www.owasp.org/index.php/Top_10-2017_A4-XML_External_Entities_(XXE)
- Billion Laughs Attack - https://en.wikipedia.org/wiki/Billion_laughs_attack

### 03. Sensitive Data Exposure
- https://www.owasp.org/index.php/Top_10-2017_A3-Sensitive_Data_Exposure
- PCI DSS - https://www.pcisecuritystandards.org/pci_security/
- GDPR - https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/
- Password Hashing - https://crackstation.net/hashing-security.htm
- Best practice for SSL + TLS:
  - https://www.ssllabs.com/ssltest/
  - https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
- Let's Encrypt - https://letsencrypt.org/
- CipherList - Strong config for Apache / Nginx - https://cipherli.st/

### 02. Broken Authentication
- https://www.owasp.org/index.php/Top_10-2017_A2-Broken_Authentication
- Horse staple - https://xkcd.com/936/
- NIST - https://www.passwordping.com/surprising-new-password-guidelines-nist/
- Rainbow tables - http://project-rainbowcrack.com/table.htm
- Google 2FA
- Authy - https://authy.com/
- Duo - https://duo.com/

### 01. Injection
- https://www.owasp.org/index.php/Top_10-2017_A1-Injection
- Bobby Tables - https://xkcd.com/327/

### Misc
- Nessus - https://www.tenable.com/products/nessus/nessus-professional
- OpenVAS - http://www.openvas.org/
- ZED Attack Proxy - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
- zxcvbn: realistic password strength estimation - https://blogs.dropbox.com/tech/2012/04/zxcvbn-realistic-password-strength-estimation/
- Be afraid, be very afraid - https://attack.mitre.org/wiki/Main_Page

Security In Five Podcast
Episode 196 - Tools, Tips and Tricks - OWASP Zap

Mar 16, 2018 · 4:06


This week's tools, tips and tricks segment talks about OWASP ZAP, the security testing proxy for your web application testing needs. Whether you are a developer or host an application, you have a use for OWASP ZAP.

OWASP ZAP - https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

Be aware, be safe.

------------------------------------
Website - https://www.binaryblogger.com
Podcast Page - http://securityinfive.libsyn.com
Podcast RSS - http://securityinfive.libsyn.com/rss
Twitter @binaryblogger - https://www.twitter.com/binaryblogger
iTunes - https://itunes.apple.com/us/podcast/security-in-five-podcast/id1247135894?mt=2
YouTube - https://www.youtube.com/binaryblogger
TuneIn Radio - Security In Five Channel
Spotify - Security In Five Podcast Page
Email - contactme@binaryblogger.com

Devchat.tv Master Feed
RR 328: Rails Security Beyond the Defaults with Matias Korhonen

Sep 19, 2017 · 53:12


Matias Korhonen has been writing Rails apps professionally at Kisko Labs, a Rails-focused software consultancy in Finland, for almost a decade. In his spare time he works on too many side projects, including Piranhas.co, a book price comparison site, and TLS.care, an SSL certificate monitoring service. He also somehow manages to find time to homebrew beer.

The Rogues talk to Matias about securing your Rails applications. Rails comes with a lot of security features built in, but you can still leave yourself open to exploitation if you're not careful. Most of these problems occur in the portion of the app you write, as opposed to the parts of the app that Rails handles for you. We go over several tools and techniques for making sure your application, access, and data are all secure. In particular, we dive pretty deep on:

- Tools that you can use to scan for vulnerabilities or add more security checks to your applications
- Authentication and authorization mistakes
- Securely managing data
- and much, much more...

Links:
- secureheaders
- brakeman
- Code Climate
- CloudFlare
- zxcvbn
- Troy Hunt article on pwned passwords
- Devise Security Extension
- pundit
- Drifting Ruby episode on Complex Strong Parameters
- gemnasium
- bundler-audit
- OWASP Zed Attack Proxy Project
- rack-attack

Picks:
- Brian: Regex 101; Give and Take by Adam Grant
- Eric: Indie Hackers
- Dave: Sumo Logic
- Chuck: Ready Player One Comic-Con trailer breakdown; Mattermost; Ruby Rogues Parley; Ruby Dev Summit (FREE)
- Matias: Webpacker 3.0; ActiveStorage; Heroku

Cross Cutting Concerns Podcast
Podcast 049 - Brett Whittington on Secure Data in Motion

Jul 9, 2017 · 12:03


Brett Whittington is concerned about security on data in motion.

Note: I said "SSH" at one point, I meant SSL; Brett was too polite to point it out. I also made a mustard pun. Please send your hate tweets to @spetryjohnson.

Show Notes:
- SSL Labs - SSL Server Test
- ZAP from OWASP
- Jim Manico ("AppSec Enthusiast") on Twitter
- The DROWN attack
- Heartbleed
- Google's collision attack on two different documents
- 0 Day Exploit exposed by Wikileaks
- Innovative Codes explaining how HTTPS works
- J Wolfgang Goerlich ("hacker strategist") on Twitter
- Brett Whittington is on Twitter

Want to be on the next episode? You can! All you need is the willingness to talk about something technical.

Theme music is "Crosscutting Concerns" by The Dirty Truckers, check out their music on Amazon or iTunes.

DevSecOps Podcast Series
AppSec USA 2013: Zed Attack Proxy Project with Simon Bennetts

Dec 13, 2013 · 10:48


"You can't automate all tests. There are a lot of things you can't find automatically. You have to have somebody who knows what they are looking for." -- Simon Bennetts

In today's segment, I talk with Simon Bennetts, project lead for the OWASP Zed Attack Proxy Project, or "ZAP" for short. Simon is working on a user-friendly tool for integrated penetration testing of web applications. Our discussion took place at AppSec USA 2013. We begin with an overview of the ZAP project and talk about how it came about.

About Simon Bennetts

Simon Bennetts (a.k.a. Psiinon) has been developing web applications since 1997, and strongly believes that you cannot build secure web applications without knowing how to attack them. He works for Mozilla as part of their Security Team. Some of the projects Simon works on:
- OWASP Zed Attack Proxy project lead
- OWASP Vulnerable Web Applications Directory Project joint project lead
- Mozilla Zest project lead
- Mozilla Plug-n-Hack joint project lead
- Bodge It Store project lead
- OWASP Web Application Security Testing Cheat Sheet joint author
- OWASP AppSensor contributor
- wavsep contributor
- OWASP Data Exchange Format project lead (currently inactive)