Security/Training/2015 Whistler ZAP security course

From MozillaWiki

This 4-part course will be run on Wednesday 24th June at the Whistler Coincidental Work Week.

Session 1: The security issues that most impact Mozilla websites

This will be an informational session based on bugzilla / bug bounty metrics etc. led by Yvan Boily.

It is suitable for all employees.

See this session on Sched

Session 2: Manual ZAP testing

This is a training session on the OWASP Zed Attack Proxy (aka ZAP) led by the ZAP project leader and Mozilla employee Simon Bennetts.

It will be a hands on session covering:

  • Proxying / intercepting
  • Scanning and spidering
  • Contexts, authentication, etc.

It is primarily aimed at QA staff but is also suitable for developers. No security experience is assumed.

Attendees _must_ set up their laptops with the software specified below.

See this session on Sched

Session 3: Automated ZAP testing

This is a hands on session covering the use of the ZAP API for the features introduced in the previous session.

Attendees must have attended the previous session.

See this session on Sched

Session 4: ZAP Scripting

This is a hands on session covering:

  • Reproducing vulnerabilities using Zest
  • Handling 'non-trivial' authentication, data formats, etc.

Attendees must have attended the previous session.

See this session on Sched

OWASP Zed Attack Proxy

OWASP ZAP is an easy-to-use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

Course requirements

In order to take part in the ZAP training sessions (all of the sessions apart from the first one) attendees should set up the following software on their laptops.

If you have any problems setting up any of this software then please contact Simon Bennetts asap.

Java 7

This can be downloaded from: http://www.oracle.com/technetwork/java/javase/downloads/jre7-downloads-1880261.html

OWASP ZAP

This can be downloaded from https://github.com/zaproxy/zaproxy/wiki/Downloads?tm=2

The only dependency ZAP has is Java 7.

Tomcat

This can be downloaded from https://tomcat.apache.org/download-70.cgi

The only dependency Tomcat has is Java 7.

The Bodgeit Store

This can be downloaded from https://code.google.com/p/bodgeit/downloads/list

The war file should be extracted from the zip and put in the Tomcat webapps directory.
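As an added illustration of what the automated session (Session 3) builds towards, the following script (not part of this course page or the ZAP project) drives ZAP's JSON API from Python to spider and actively scan the Bodgeit Store deployed above, then counts alerts by risk. It assumes Tomcat is on its default port 8080, ZAP has been started on port 8090 to avoid the clash, and the API key is left empty (ZAP's default in 2.4); the scanning function only runs when the script is executed directly.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_BASE = "http://127.0.0.1:8090"            # assumption: ZAP listening on 8090
ZAP_API_KEY = ""                               # assumption: API key not enabled
TARGET = "http://localhost:8080/bodgeit/"      # assumption: Bodgeit war deployed to Tomcat


def api_url(base, component, kind, name, **params):
    """Build a ZAP JSON API URL such as /JSON/spider/action/scan/?url=..."""
    if ZAP_API_KEY:
        params["apikey"] = ZAP_API_KEY
    return f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"


def call(base, component, kind, name, **params):
    """Issue one API request and decode the JSON body."""
    with urllib.request.urlopen(api_url(base, component, kind, name, **params), timeout=30) as resp:
        return json.load(resp)


def wait_for(base, component, scan_id, poll_seconds=2.0):
    """Poll <component>/view/status until ZAP reports the scan 100% complete."""
    while int(call(base, component, "view", "status", scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def scan_target(base, target):
    """Spider the target, active-scan everything found, return the raw alert list."""
    spider_id = call(base, "spider", "action", "scan", url=target)["scan"]
    wait_for(base, "spider", spider_id)
    ascan_id = call(base, "ascan", "action", "scan", url=target, recurse="true")["scan"]
    wait_for(base, "ascan", ascan_id)
    return call(base, "core", "view", "alerts", baseurl=target)["alerts"]


def summarise(alerts):
    """Count alerts per ZAP risk level (High/Medium/Low/Informational)."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


if __name__ == "__main__":
    for risk, count in sorted(summarise(scan_target(ZAP_BASE, TARGET)).items()):
        print(f"{risk}: {count}")
```

Treat any High or Medium count greater than zero as a failed run when this is wired into a CI job, which is the point of moving from the manual session to the API.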