ZAP Summit at AppSec EU


psiinon

Jan 16, 2015, 5:15:01 AM
to zaproxy...@googlegroups.com
We are going to have the very first official ZAP Summit at AppSec EU in Amsterdam on Wednesday 20th May.

This is an opportunity to discuss all aspects of ZAP development and future developments. It is not planned to include any training on how to use ZAP.

If you'd like to attend please register via https://www.eventbrite.co.uk/e/owasp-zap-summit-tickets-15355748457

Admission is free - you do not have to attend any of the other AppSec EU events.

What will we actually discuss?
That's up to you - please post suggestions here!

Hope to see as many of you as possible there :)

Cheers,

Simon



Colm O'Flaherty

Jan 16, 2015, 3:50:23 PM
to zaproxy...@googlegroups.com

Count me in. The registration page isn't working for me though.


psiinon

Jan 17, 2015, 6:35:48 AM
to zaproxy...@googlegroups.com, colm.p.o...@gmail.com
Have you got your notification email now?
I got a copy of it :)

kingthorin+owaspzap

Jan 26, 2015, 4:39:51 PM
to zaproxy...@googlegroups.com
Awwww man I wish I could but the airfare is like $1200+ CAD and the conference is ~$800 CAD. Sadly I have trouble getting work to cover even local conferences let alone something in Europe or the US.


psiinon

Jan 27, 2015, 5:17:42 AM
to zaproxy...@googlegroups.com
That's a shame :(

kingthorin+owaspzap

Jan 27, 2015, 9:10:06 AM
to zaproxy...@googlegroups.com
No worries. One of these days I'll manage to swing something in the US or convince you guys to visit Canada for something I'll be attending :)

Albert Tresens

Feb 19, 2015, 4:54:33 AM
to zaproxy...@googlegroups.com
Hi Simon,

Count on me, ZAP coming to my city. Just printed my ticket. 

psiinon

Feb 23, 2015, 11:30:56 AM
to zaproxy...@googlegroups.com
I've been asked to provide an agenda for the summit, so here's my first attempt:

The ZAP summit is aimed at existing and prospective ZAP developers and is an opportunity to discuss all aspects of ZAP development and future direction.
It is not planned to include any training on how to use ZAP.

The exact topics discussed will be agreed between the attendees at the start of the day, but are expected to cover things like:
  • An introduction to ZAP and the attendees
  • A review of ZAP's perceived strengths and weaknesses
  • Discussions around the future direction of ZAP
  • Areas of ZAP that people find difficult to contribute to
  • Components of ZAP that attendees think need significant reworking
  • How to encourage more participation
  • Interworking with 3rd party tools
  • The opportunity to focus on specific areas of interest to the attendees

Does that sound ok?

I want the day to be flexible so that we can tailor it to match the interests and expectations of the people who attend, but I also understand that an agenda helps focus minds :)

Cheers,

Simon

psiinon

May 13, 2015, 5:04:50 AM
to zaproxy...@googlegroups.com, psi...@gmail.com
So the very first ZAP Summit is a week away!

Any thoughts on the topics I suggested below?

Not surprisingly we will be focusing on the topics the attendees want to discuss, but suggestions from people who can't make it are also very much appreciated!

Cheers,

Simon

Dmitry Savintsev

May 17, 2015, 4:37:17 PM
to zaproxy...@googlegroups.com
I would suggest considering the following topics:

- CD/CI (Continuous Development / Continuous Integration) of ZAP and extensions (how it would be done after the move to GitHub - through Travis? Any pieces that are missing and need to be added? What are the priorities, sub-projects, and who will be working on them?)

- Contributions and Code Review process and guidelines after the move to GitHub. It would be great to have a CONTRIBUTING.md file in the root directory (as described in https://github.com/blog/1184-contributing-guidelines) with the main information for active and prospective contributors (how to submit a contribution, any style guidelines (even if just "follow the style of the surrounding code"), how to verify that you didn't break the build, requirements for the commit messages and the history style (like "rebase away the non-significant commits like 'ouch... yet another typo fixed'"), etc.).

- Code Reviews - should GitHub Pull Requests be used after the move, or would it be possible / desirable to configure and use a different system such as Gerrit (which is used for example by Android: https://source.android.com/source/life-of-a-patch.html)?  If so, GerritHub could be an option - see http://gerrithub.io/, https://review.gerrithub.io/Documentation/index.html  and https://review.gerrithub.io/Documentation/intro-quick.html

- Commits and ownership - I see that there are currently 49 committers for the project. Will all those 49 people get commit rights for the zaproxy GitHub repository? Or should there be a different system where a few project members would be designated as owners and committers (possibly for specific areas of code and project), and the rest of the contributors would submit their change requests in some form (like Pull Requests) which after review and approval would be merged in by the owners? This could help the designated owners to maintain and promote consistent quality standards (overall project direction, system architecture, coding style, testability and test coverage, etc.)

- Copyright clarification and guidelines. I'm new to the project and could miss project rules and conventions - but looking for example at https://code.google.com/p/zaproxy/source/browse/trunk/src/org/zaproxy/zap/httputils/HtmlContext.java I see no Copyright header which begs a question "Who owns this code?"... Should there be a copyright header in source code files? I know that there is a Copyright statement on the start-up banner: "Copyright (C) 2010-2015 OWASP ZAP Project" - but should it be also in the code in every file? (I'm a developer and not a lawyer but I would think that having such would help to avoid potential complications for example in case someone copies a file into a different project and claims the copyright, etc.) Is there (or should there be) a description of who the copyright holder is? Should the list of ZAP contributors be maintained in the source control (as is done, for example, in https://github.com/golang/go/blob/master/AUTHORS and https://github.com/golang/go/blob/master/CONTRIBUTORS)? Is there need or plans for a CLA process? If so, GitHub has a CLAbot that could be useful: http://clabot.github.io/ https://github.com/clabot/clabot

I'll be able to attend only a later portion of the summit as I arrive in Amsterdam midday but I'm looking forward to meeting you guys and learning more about the zaproxy project and development! I will also present a talk about security scanning on Friday http://sched.co/375P ("Finding Bad Needles on a Worldwide Scale") and hope to see many of you there! My modest contributions to the ZAP project so far consist of recently opening a few issues with "XSS" in the subject found in the course of doing research for that talk.

Cheers,

Dmitry 
@dimisec