Call for assistance - ZAP automation


psiinon

Nov 14, 2018, 6:15:40 AM
to OWASP ZAP Developer Group
Hi folks,

We already have some ZAP automation tasks (managed by ZAPbot: http://zapbot.github.io/zap-mgmt-scripts/index.html), doing things like:
  • Submitting PRs from Crowdin
  • Gathering stats
  • Running ZAP against wavsep and wivet
However they are running on VMs that only I can access, and as a result they are very hard for the ZAP team as a whole to manage.

I think it would be better if they were migrated to something like Google Cloud Kubernetes Engine - that should be pretty cheap and in any case we have money in the budget to pay for things like that.
I'd also like to expand the automation to test ZAP against even more vulnerable web apps, such as the OWASP Benchmark.

Unfortunately the ZAP core team are all _really_ busy trying to get 2.8.0 released :/

So .. does anyone here fancy giving us a hand?

You don't need to know Java, although some limited Python experience would help.
You also don't have to be a ZAP expert user either, we can definitely advise with that side.
It would be a good opportunity to play around with some relatively new tech, learn more about ZAP automation and of course to help us out :)

Many thanks,

Simon

Aidan Feldman

Dec 30, 2018, 2:00:52 PM
to OWASP ZAP Developer Group
I'm interested! Is there a good small sub-project to start with?

jraw...@gmail.com

Dec 30, 2018, 2:36:01 PM
to zaproxy...@googlegroups.com
I see a major opportunity people are missing with the migration to "cloud platforms" as far as vulnerable web apps that is a never-ending job because they are all going to be. But the experts migrating to cloud are going to be in for a huge surprise when they lose control of everyone's data. Lots of pen testing challenges and fun.

hauschu...@gmail.com

Jan 2, 2019, 2:34:26 AM
to OWASP ZAP Developer Group
I have an interest as well!

jraw...@gmail.com

Jan 5, 2019, 1:27:05 PM
to zaproxy...@googlegroups.com, Aidan Feldman
Google cloud is a joke


kingthorin+owaspzap

Jan 5, 2019, 4:24:22 PM
to OWASP ZAP Developer Group
If you could be more specific that might actually help the conversation and give the opinion some weight.

psiinon

Jan 7, 2019, 6:44:25 AM
to OWASP ZAP Developer Group
Aidan, hauschulzpeter,

Thanks for offering to help out :)
I've included you on a related email thread.

Cheers,

Simon

Ben Beale

Jan 9, 2019, 6:59:51 AM
to OWASP ZAP Developer Group
I am also interested!


Lohitha Perera

Jan 10, 2019, 1:12:10 AM
to OWASP ZAP Developer Group
I'm interested in this and willing to help. Since we use ZAP heavily in our testing, I want to contribute.

Anabel Mediavilla Garay

Jan 10, 2019, 3:36:13 AM
to zaproxy...@googlegroups.com
We don't need help. We have solved everything

Thanks
Anabel

psiinon

Feb 20, 2019, 6:10:39 AM
to OWASP ZAP Developer Group
Thank you to everyone who's been in touch about this.
The various email threads that started as a result have been getting too hard to manage, so I've started a Google Group: https://groups.google.com/forum/#!forum/zaproxy-ops

If you are still interested in helping out with ZAP automation then please join this group, say what you are interested in and let everyone know if you've looked into anything.

Many thanks,

Simon