Bhushan Gupta, Gupta Consulting LLC.
Testing web application security is reading a hacker’s mind, knowing vulnerability trends, understanding how to build and test security from inside out and testing it systematically from a hacker’s perspective. Web application security testing can become a long drawn out process ending into fuzzy confidence in your application. Fortunately, there are tools such as Zed Attack Proxy (ZAP), Burp Suite, Static Code Analyzer to name a few, that you can deploy and get a head start on guiding your testing to yield improved results. These tools can be configured to your environment and the goals you want to achieve.
This workshop is focused on scanning tools ZAP and Burp Suite. The main focus of the workshop is on understanding ZAP capabilities, configuring its environment, running ZAP, and interpreting the results. The participants will learn how to guide the testing activities once the results from ZAP have been analyzed and a preliminary assessment of the vulnerabilities is established. The workshop discussion will also include how to proxy through ZAP. A comparison between ZAP and Burp Suite will also be presented to better understand which tool best serves your environment and meets your objectives. Another manual technique known as “Attack Surface Analysis” will be discussed to quantify attack surface index which can be easily adopted in an agile development. The workshop will include highlights of the tool Veracode Static Code Analysis. Upon completion of this workshop, a participant will confidently be able to utilize ZAP and will be capable of deciding which tools can best serve his/her security testing needs.
When the workshop is completed, the attendees will be able to:
- Understand general capabilities of a web scanner
- How to configure ZAP environment
- Generic and advanced use of ZAP
- Analysis of ZAP results
- Basic understanding of Burp Suite and Veracode