Argument against installing ZAP


John B

Nov 25, 2020, 11:45:59 AM
to OWASP ZAP User Group
I have had a discussion with my company's security team who say us developers can't install ZAP on our laptops.

ZAP is a tool made for developers, so does anyone know of a justification as to why it shouldn't be installed? My understanding is that if my laptop was compromised, and an attacker accessed ZAP, they could use it to compromise some applications, but if they already had access to my laptop, why would an attacker need to do that? I feel they're being overcautious but not sure how to reply.

Thanks all.

Simon Bennetts

Nov 26, 2020, 5:08:14 AM
to OWASP ZAP User Group
This is tricky as different companies have a different approach to risk.
Are you actually prevented from installing SW on your machine, eg via permissions?
If not then you are absolutely right - if an attacker compromised your laptop then they could install ZAP, or more likely something much more malicious.

I'm used to working in companies which trust their developers and have allowed me to install any tools I think I need.
This seems to me to be a very healthy attitude - if you don't trust your devs then you have serious problems ;)
However I do know that some companies have policies that mean all software installed must be approved.

It's definitely worth talking to your security team and trying to understand what their concerns are. And trying to convince them that this policy might not actually be doing any good ;)
If they can't be convinced of that then you could ask them if they would be happy to run ZAP against your apps, eg in a staging environment?

Thoughts from anyone else?

Cheers,

Simon

Simon Bennetts

Nov 26, 2020, 5:11:31 AM
to OWASP ZAP User Group
As a follow-up, I think the key point is that you should stress that using security tools like ZAP will mean that you will be able to find and fix security issues much earlier in the dev lifecycle.
This should make your organisation more secure rather than less!

Simon Bennetts

Nov 27, 2020, 4:36:36 AM
to OWASP ZAP User Group
I've also asked this on Twitter - see the replies https://twitter.com/psiinon/status/1331903450825822214

John - happy to talk to one of your company's security team if they're ok with that :)

Cheers,

Simon

John B

Nov 27, 2020, 5:05:53 AM
to OWASP ZAP User Group
Thanks, Simon, really appreciate your help. The argument (as far as I know) is that the company has a whitelist of allowed tools, and ZAP isn't one of them. I think it's just the security team saying no by default. I was trying to make the argument that there was no security risk to installing ZAP, as in order to be useful to an attacker they would have had to already have full access to my laptop, by which point they probably don't really need to start pen testing applications for further access, i.e. ZAP doesn't give any real benefit to an attacker with local access already. I shall forward on that Twitter thread and this thread. Thank you, Simon.

Matt Seil

Nov 27, 2020, 12:33:26 PM
to zaprox...@googlegroups.com, John B

I've worked in airgapped compliance-driven environments before. Normally--and this is just being bluntly honest--the 'security' folks you're dealing with understand compliance and come from a mindset of 'well of course everybody follows the rules' when attackers quite simply never do and never will; you can't fight bad guys if you hamstring your defenders by disallowing them from utilizing the same tools and techniques that the bad guys will. And NO hacks I'm aware of centered on executing ZAP. Generally speaking, when an organization gets hit, they get hit by phishing, and if they can drive-by-download random people in your company, the last thing they're going to care about is "Hey, this machine's running ZAP! I bet we can use that!" The amount of damage they can do is far more severe than this.

I'll even offer myself up for a conversation here. I'm the project co-lead on OWASP's ESAPI-Java-Legacy and have been bringing tools like ZAP to developers for well over 11 years now, including DoD customers. As a matter of fact, when I was still "just a developer" you'd never find me without a web proxy tool in my toolchain because it radically speeds up your ability to troubleshoot various problems.


Simon Bennetts

Nov 27, 2020, 12:54:11 PM
to OWASP ZAP User Group
Thanks Matt - great input.