I was really lucky recently to get some training with Bill Matthews to get me started in security testing. Before the training we wanted to get to grips with ZAP a bit more. We started with a series on YouTube by Simon Bennetts.
Being honest, we struggled a bit to set it up following the tutorials. Perhaps this was due to our setup at work. We split up the problems and spent a lot of time on Google (and swearing) trying to figure them out.
One thing we noticed when we searched was a lack of video tutorials for ZAP. Were we looking in the wrong places? How did you get started with ZAP?
Been starting to use ZAP myself for my role here. Have also found it difficult to get good material for it. The video by Simon was the best I found also.
Luckily enough though, I managed to get it working fairly well here; setup was grand, as we don’t have too many restrictions in terms of network setup. Still haven’t really explored all the functionality in the tool, again because of the lack of decent material out there. If you do need some help @heather_reid let us know and I can try to help.
Have also been trying to get it to run with Selenium, which is possible, but again, the lack of tutorials available online has made this very hard.
Thank you. I’m really lucky that the training with Bill came with post support, which is cool.
I’m managing reasonably OK (I think) with it so far, but I know there’s so much more that can be done with it. Didn’t know about the Selenium running though. What would you be looking to achieve with that?
No bother, could probably use some of that training myself to be honest!
Yeah, it’s a nice tool, so much in there. From my understanding, you can launch the attacks or the spiders etc. from Selenium to run on a target webpage, record and present the results back via an HTML report. What I’m hoping to use that for is to have some security checks built into our regression checks, to give a little more peace of mind. And also build them into any smoke tests to get early sight of any potential security issues.
And possibly in the future have it set up to run in a CI-style environment. I know there is a Jenkins plug-in, but want to see if we can get it set up without that dependency.
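The flow described in the post above (Selenium traffic proxied through ZAP, then spider, active scan, HTML report, and a pass/fail gate for CI without the Jenkins plug-in), as an added example that is not from the thread, from the ZAP project, or from any poster. It assumes ZAP is running as a daemon on 127.0.0.1:8080 with an API key in the `ZAP_API_KEY` environment variable, that Chrome and chromedriver are installed, and that the target is a site you are permitted to test. The ZAP REST paths (`/JSON/spider/action/scan/`, `/JSON/ascan/view/status/`, `/JSON/core/view/alerts/`, `/OTHER/core/other/htmlreport/`) are the documented API; the function names, the `fail_at` threshold and the `SAMPLE_ALERTS` list are constructed for illustration and do not come from the page.

```python
"""Drive a ZAP scan around a Selenium run and gate a CI job on the alerts.

Added example (not from the thread or the ZAP project). Assumptions: ZAP daemon
on 127.0.0.1:8080 with an API key in ZAP_API_KEY, Chrome + chromedriver present,
target site authorised for testing. SAMPLE_ALERTS below is constructed data.
"""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP = "http://127.0.0.1:8080"
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample in the shape ZAP's core/view/alerts returns (trimmed fields).
SAMPLE_ALERTS = [
    {"risk": "High", "name": "SQL Injection", "url": "http://example.test/login"},
    {"risk": "Medium", "name": "X-Frame-Options Header Not Set", "url": "http://example.test/"},
    {"risk": "Low", "name": "Cookie Without Secure Flag", "url": "http://example.test/"},
    {"risk": "Informational", "name": "Information Disclosure - Suspicious Comments",
     "url": "http://example.test/"},
]


def zap_url(component, ctype, name, params=None, apikey="", base=ZAP, fmt="JSON"):
    """Build a ZAP REST URL: <base>/<fmt>/<component>/<ctype>/<name>/?k=v&apikey=..."""
    query = dict(params or {})
    if apikey:
        query["apikey"] = apikey
    return f"{base}/{fmt}/{component}/{ctype}/{name}/?" + urllib.parse.urlencode(query)


def zap_call(component, ctype, name, params=None, apikey="", base=ZAP):
    """Call a JSON API endpoint and decode the response."""
    with urllib.request.urlopen(zap_url(component, ctype, name, params, apikey, base)) as r:
        return json.load(r)


def wait_for(component, scan_id, apikey, base=ZAP, poll=2):
    """Spider and ascan both expose view/status returning {"status": "0".."100"}."""
    while int(zap_call(component, "view", "status", {"scanId": scan_id}, apikey, base)["status"]) < 100:
        time.sleep(poll)


def browse_through_zap(target, proxy=ZAP):
    """Run the browser steps through ZAP so ZAP's site tree is populated before scanning."""
    from selenium import webdriver  # imported lazily: not needed for the offline gate check
    opts = webdriver.ChromeOptions()
    opts.add_argument("--proxy-server=" + proxy.replace("http://", ""))
    opts.add_argument("--ignore-certificate-errors")  # ZAP's intercepting CA is not trusted by Chrome
    opts.add_argument("--headless=new")
    driver = webdriver.Chrome(options=opts)
    try:
        driver.get(target)  # replace with the real regression/smoke steps
    finally:
        driver.quit()


def summarise(alerts, fail_at="High"):
    """Count alerts per risk level; fail if any alert is at or above fail_at.

    Returns (counts, failing, ok) where failing is a list of (name, url).
    """
    threshold = RISK_ORDER[fail_at]
    counts = {k: 0 for k in RISK_ORDER}
    failing = []
    for a in alerts:
        risk = a.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if RISK_ORDER.get(risk, 0) >= threshold:
            failing.append((a.get("name"), a.get("url")))
    return counts, failing, not failing


def scan_and_gate(target, apikey, report_path="zap-report.html", fail_at="High", base=ZAP):
    """Full live flow: browse, spider, active scan, save HTML report, return the gate result."""
    browse_through_zap(target, base)
    sid = zap_call("spider", "action", "scan", {"url": target}, apikey, base)["scan"]
    wait_for("spider", sid, apikey, base)
    sid = zap_call("ascan", "action", "scan", {"url": target}, apikey, base)["scan"]
    wait_for("ascan", sid, apikey, base)
    alerts = zap_call("core", "view", "alerts", {"baseurl": target}, apikey, base)["alerts"]
    with urllib.request.urlopen(zap_url("core", "other", "htmlreport", {}, apikey, base, fmt="OTHER")) as r:
        with open(report_path, "wb") as f:
            f.write(r.read())
    return summarise(alerts, fail_at)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live run: python zap_gate.py https://target.example
        counts, failing, ok = scan_and_gate(sys.argv[1], os.environ.get("ZAP_API_KEY", ""))
    else:                  # offline demo against the constructed sample
        counts, failing, ok = summarise(SAMPLE_ALERTS)
    print(counts, failing)
    sys.exit(0 if ok else 1)
```

The non-zero exit code is what makes this usable from any CI runner without the Jenkins plug-in: the job fails when an alert at or above the chosen risk lands in the results, and the saved HTML report is kept as a build artifact. Lower `fail_at` to `"Medium"` once the High findings are clean, and note that an active scan is intrusive, so keep it pointed at a test environment rather than production.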
I’ve got extensive experience with ZAP and BurpSuite. I’ve been looking at ways to get this knowledge out into the community. Videos are one thing, but practical experience is another.
It’s something I cover in my workshops, but not in great depth. Do you think there is scope for a full-on proxy workshop? I ran a half day at TestBash 2016 but there was so much more to cover.
I’d say definitely. The huge wall for us was being terrified of breaking the application or doing something wrong. It needs hand holding early on to an extent I think.