The OWASP Foundation
http://www.owasp.org
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.
Dot Net Bangalore
Bangalore
28 Nov 2015
Automating Web Application Security Testing with OWASP ZAP DOT NET API
The OWASP Zed Attack Proxy
https://vimeo.com/gmaran23/AutomatingWebApplicationSecurityWithOWASPZAPDOTNETAPI2
Marudhamaran Gunasekaran
Zap Contributor
@gmaran23
Prelude
• This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs)
• Practical Security Testing For Developers Using OWASP ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration - http://wp.me/p323iP-fV
• Dot Net Web Application Security - http://wp.me/p323iP-fS http://wp.me/p323iP-ib
Agenda
• Application Security Program Challenges
• Why OWASP ZAP?
• Earlier episodes on Dot Net Security and OWASP ZAP
• ZAP – Operating Modes
The problems
• Most developers know very little about security
• Most companies have very few application security folks
• External consultants cost $$$$$
• Security testing is done late in the application development lifecycle (if it is done at all)
Part of the Solution
• Use a security tool like ZAP in development
• In addition to security training, secure development lifecycle, threat modelling, static source code analysis, secure code reviews, professional pentesting…
Why ZAP?
• An easy-to-use webapp pentest tool
• Completely free and open source
• Source code updated almost every day
• One of the OWASP Flagship projects
• Ideal for beginners, but also used by professionals
• Powerful API - for automated security tests
The app sec foundations
• Vulnerability Analysis
– Look for weak spots
• Penetration Testing
– Exploit the weaknesses
• Security Testing
– May involve both or just VA
The app sec tool foundations
• Spider or Crawler
– Gather information about what to attack
• Passive Scan
– Static analysis on the gathered information (HTTP requests and responses)
• Active Scan
– Send attack (potentially harmful) payloads to exploit / confirm weakness
The app sec tool foundations
• Download OWASP ZAP
https://www.owasp.org/index.php/OWASP_Zed_Attack_Prox
ZAP API demo
Headless attack!
Introducing the OWASP ZAP DOT NET API
https://www.nuget.org/packages/OWASPZAPDotNetAPI/
OWASP ZAP DOT NET API
Source Code and Samples: https://github.com/zaproxy/zap-api-dotnet
Automating authenticated scans
1. Create a context in the name of the application
2. Choose the mode of authentication (for instance Forms Authentication)
3. Provide Authentication information
4. Spider
5. Scan
6. Verify
7. Fix
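
Steps 1 to 6 above as an added example, not code from the talk or from the zap-api-dotnet project: it calls ZAP's HTTP JSON API directly with HttpClient rather than through the OWASPZAPDotNetAPI wrapper. The ZAP address, API key, target URL, login path, form field names, logged-in indicator and environment variable names are assumptions; without `--live` it only prints the requests and reads a constructed canned response.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net.Http;
using System.Text.Json;
using System.Threading;

static class AuthenticatedScan
{
    // Assumed values, not from the talk: point these at your own ZAP daemon and test application.
    const string Zap = "http://127.0.0.1:8080";
    const string ApiKey = "REPLACE-WITH-ZAP-API-KEY";   // placeholder
    const string Target = "http://localhost:5000";      // application under test
    const string App = "MyWebApp";                      // context name (step 1)

    // Constructed response for the dry run; it holds every key the flow below reads.
    const string Canned = "{\"contextId\":\"1\",\"userId\":\"0\",\"scanAsUser\":\"0\",\"status\":\"100\"," +
        "\"alerts\":[{\"alert\":\"Sample finding\",\"risk\":\"High\",\"url\":\"http://localhost:5000/Search\"}]}";

    static Func<string, string> send;   // real HTTP with --live, otherwise the dry run

    // One ZAP API request: /JSON/<component>/<view|action>/<name>/?param=value&...
    static JsonElement Call(string component, string type, string name, params (string k, string v)[] args)
    {
        var pairs = new List<(string k, string v)>(args) { ("apikey", ApiKey) };
        string query = string.Join("&", pairs.Select(p => p.k + "=" + Uri.EscapeDataString(p.v)));
        string url = Zap + "/JSON/" + component + "/" + type + "/" + name + "/?" + query;
        return JsonDocument.Parse(send(url)).RootElement;
    }

    static string Str(JsonElement e, string key) => e.GetProperty(key).GetString();

    // Poll a spider or active scan until ZAP reports 100 percent.
    static void WaitFor(string component, string scanId)
    {
        while (Str(Call(component, "view", "status", ("scanId", scanId)), "status") != "100")
            Thread.Sleep(2000);
    }

    static int Run()
    {
        // 1. Context named after the application, scoped to the target only.
        string ctx = Str(Call("context", "action", "newContext", ("contextName", App)), "contextId");
        Call("context", "action", "includeInContext", ("contextName", App), ("regex", Target + ".*"));

        // 2. Forms authentication. Each value inside authMethodConfigParams is URL-encoded
        //    here, and Call() encodes the whole string once more as a query parameter.
        string loginData = "UserName={%username%}&Password={%password%}";   // assumed field names
        string cfg = "loginUrl=" + Uri.EscapeDataString(Target + "/Account/Login") +
                     "&loginRequestData=" + Uri.EscapeDataString(loginData);
        Call("authentication", "action", "setAuthenticationMethod", ("contextId", ctx),
             ("authMethodName", "formBasedAuthentication"), ("authMethodConfigParams", cfg));
        Call("authentication", "action", "setLoggedInIndicator", ("contextId", ctx),
             ("loggedInIndicatorRegex", "Log ?off"));                       // assumed page text

        // 3. Authentication information: a dedicated test account, read from the environment.
        string user = Environment.GetEnvironmentVariable("SCAN_USER") ?? "scan-user";
        string pass = Environment.GetEnvironmentVariable("SCAN_PASS") ?? "not-a-real-password";
        string uid = Str(Call("users", "action", "newUser", ("contextId", ctx), ("name", user)), "userId");
        Call("users", "action", "setAuthenticationCredentials", ("contextId", ctx), ("userId", uid),
             ("authCredentialsConfigParams",
              "username=" + Uri.EscapeDataString(user) + "&password=" + Uri.EscapeDataString(pass)));
        Call("users", "action", "setUserEnabled", ("contextId", ctx), ("userId", uid), ("enabled", "true"));

        // 4. Spider as that user, so pages behind the login are discovered.
        WaitFor("spider", Str(Call("spider", "action", "scanAsUser",
            ("contextId", ctx), ("userId", uid), ("url", Target)), "scanAsUser"));

        // 5. Active scan as the same user.
        WaitFor("ascan", Str(Call("ascan", "action", "scanAsUser",
            ("url", Target), ("contextId", ctx), ("userId", uid), ("recurse", "true")), "scanAsUser"));

        // 6. Verify: list the alerts and count the High-risk ones.
        int high = 0;
        foreach (JsonElement a in Call("core", "view", "alerts", ("baseurl", Target)).GetProperty("alerts").EnumerateArray())
        {
            if (Str(a, "risk") != "High") continue;
            high++;
            Console.WriteLine("HIGH  " + Str(a, "alert") + "  " + Str(a, "url"));
        }
        return high;
    }

    static int Main(string[] argv)
    {
        if (argv.Contains("--live"))
        {
            var http = new HttpClient();
            send = url => http.GetStringAsync(url).Result;
        }
        else
        {
            // Dry run: show each request with the API key masked and answer with the canned JSON.
            send = url => { Console.WriteLine(url.Replace(ApiKey, "***")); return Canned; };
        }
        return Run() == 0 ? 0 : 1;   // non-zero exit code fails the build
    }
}
```

The non-zero exit code on High-risk alerts is what lets a build server fail the job, which covers step 6; step 7 stays with the developers.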
Security Regression Testing
Well, let me watch you here!
ZAP – Need Help?
ZAP user group -
https://groups.google.com/forum/#!forum/zaproxy-users
ZAP Evangelists -
https://github.com/zaproxy/zaproxy/wiki/ZapEvangelists
ZAP Developers group -
https://groups.google.com/forum/#!forum/zaproxy-develo
ZAP - Get Involved
Use the tool
Recommend
Write Add-ons
Write Scanners / Scripts
Report bugs
Conclusion
• Consider security at all stages of the development cycle
• OWASP ZAP is ideal for automating security tests
• It is also a great way to learn about security
“Man is a tool-using animal. Without tools he is nothing,
with “right set of” tools he is all”
Any Questions?
http://www.owasp.org/index.php/ZAP
Postlude
• This talk builds on the previous talks at Dot Net Bangalore. If you are new to OWASP ZAP, watch these first (scan the QR codes for the URLs)
• Practical Security Testing For Developers Using OWASP ZAP - http://wp.me/p323iP-fO
• OWASP ZAP Demonstration - http://wp.me/p323iP-fV
• Dot Net Web Application Security - http://wp.me/p323iP-fS http://wp.me/p323iP-ib
Postlude - Extended
• OWASP App sec tutorial series - https://www.youtube.com/user/AppsecTutorialSeries
• OWASP ZAP – Ajax Spidering with Authentication - http://wp.me/p323iP-en
• Cross Site Scripting [XSS] - http://wp.me/p323iP-es
• XML – Attack surface and Defenses - http://wp.me/p323iP-cU
• SQL injection exploitation and prevention part 1 - http://wp.me/p323iP-bi
• SQL injection exploitation and prevention part 2 - http://wp.me/p323iP-by
