ZAP security tool is very time consuming

I have run the ZAP security tool against a test .NET MVC application. The ZAP tool takes too much time to run the script and sometimes the tool does not respond well. Is there any other tool that gives me accurate results like ZAP?
Thanks.

Have you seen this blog post about speeding up ZAP scans: https://github.com/zaproxy/zaproxy/wiki/FAQscanSpeed
You can also ask specific questions on the ZAP User Group: http://groups.google.com/group/zaproxy-users
We'll do our best to help, but it's difficult unless we have some more info ;)
Simon (ZAP Project Lead)

Related

How to learn Netsuite SuiteScript

I have worked on NetSuite SuiteTalk web services. Now I want some customization on my account using SuiteScript.
I am adding checks to NetSuite and checks have some items. I want to add those items to the deposit section.
The user will select the check from a drop-down on the Deposit page.
A list of items will be displayed and the user can check those to upload to the deposit section.
How can I do that and how can I learn SuiteScript to complete this task?
Thanks in advance.
Hitesh Kumar
The best way to learn it is to RTFM. Although the SuiteAnswers documentation is far from being the best, it is a good place to start. After that, read the API file & get to know the API. Once you have a good, practical understanding of the APIs, then work with the code in the debugger.
Aside from that, you would need to add your current code in your questions, and the errors that you are receiving.
Those could be useful; however, if you try to learn SuiteScript 2.0, which I recommend because SuiteScript 1.0 will no longer be supported, then the API doc is not very useful because the examples are very short and even contain errors.
The best resource I found so far is:
https://stoic.software
Very professional guy with good knowledge, expertise and good prices.

I'm unable to spider the web page after form-based authentication using Zap-Cli

I'm using Zap-Cli, a command line tool for OWASP ZAP. I'm successful in creating a context for the web page but unable to spider the web page after authentication. It can be done with the GUI tool, but my team and I are working on automating the process from the command line. We are stuck at this point. Providing some important links for your convenience.
https://github.com/Grunny/zap-cli
https://gist.github.com/kvkvenugopal/1428626e0201a746e390e03880356376
Waiting for help/suggestions. We have been trying for 2 weeks now. Everything up to this point is working from the command line. We are able to open the URL and create a context for authentication. After this point, if we run the spider from the GUI then it works, but not from the command line.
If required, kindly ask for further details. My team thinks there's some issue with the current ZAP API which is not allowing the spider to run after authentication from the command line.
Any expert suggestion/advice will be helpful.
Thank You.
The ZAP API does support authentication, but you'll need to set it up as per https://github.com/zaproxy/zaproxy/wiki/FAQformauth
I'm afraid I don't know if the Zap-Cli supports this - have you raised an issue on that tool?
Simon (ZAP Project Lead)
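As an added example (not code from the question, from Zap-Cli or from the ZAP project), this is the form-based authentication setup that the FAQformauth page describes, driven directly through ZAP's JSON API from Python with only the standard library. The ZAP address, API key, target URL, login form field names, logged-in indicator regex and credentials are assumptions; the step that most often breaks when this is scripted is that `loginRequestData` has to be URL-encoded inside `authMethodConfigParams` and then encoded a second time as part of the request.

```python
import json
import time
import urllib.request
from urllib.parse import urlencode

ZAP_API = "http://127.0.0.1:8080"  # assumption: ZAP on its default API address
API_KEY = "CHANGEME"               # assumption: the key from ZAP's API options

def zap_call(endpoint, params):
    """Invoke one ZAP JSON API endpoint and return the decoded response."""
    url = f"{ZAP_API}/JSON/{endpoint}/?{urlencode({**params, 'apikey': API_KEY})}"
    with urllib.request.urlopen(url) as resp:
        return json.load(resp)

def form_auth_config(login_url, user_field="username", pass_field="password"):
    """authMethodConfigParams is itself a query string, so loginRequestData is
    URL-encoded here and encoded again when the outer request is built.
    ZAP fills {%username%} / {%password%} from the selected user's credentials."""
    login_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    return urlencode({"loginUrl": login_url, "loginRequestData": login_data})

def spider_as_user(call, ctx, target, login_url, logged_in_regex, username, password):
    """Create a context, attach form-based auth and a user, then start the spider
    as that user. 'call' is zap_call in practice; a test can pass a fake transport."""
    ctx_id = call("context/action/newContext", {"contextName": ctx})["contextId"]
    call("context/action/includeInContext", {"contextName": ctx, "regex": target + ".*"})
    call("authentication/action/setAuthenticationMethod",
         {"contextId": ctx_id, "authMethodName": "formBasedAuthentication",
          "authMethodConfigParams": form_auth_config(login_url)})
    call("authentication/action/setLoggedInIndicator",
         {"contextId": ctx_id, "loggedInIndicatorRegex": logged_in_regex})
    user_id = call("users/action/newUser", {"contextId": ctx_id, "name": username})["userId"]
    call("users/action/setAuthenticationCredentials",
         {"contextId": ctx_id, "userId": user_id,
          "authCredentialsConfigParams": urlencode({"username": username, "password": password})})
    call("users/action/setUserEnabled", {"contextId": ctx_id, "userId": user_id, "enabled": "true"})
    # Forced-user mode makes every request, including the spider's, go out as this user.
    call("forcedUser/action/setForcedUser", {"contextId": ctx_id, "userId": user_id})
    call("forcedUser/action/setForcedUserModeEnabled", {"boolean": "true"})
    return call("spider/action/scanAsUser",
                {"contextId": ctx_id, "userId": user_id, "url": target})["scan"]

def wait_for_spider(call, scan_id, poll_seconds=2):
    """Poll until the spider reports 100% and return the URLs it found."""
    while int(call("spider/view/status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll_seconds)
    return call("spider/view/results", {"scanId": scan_id})["results"]
```

Run it against a live ZAP as `wait_for_spider(zap_call, spider_as_user(zap_call, "app", "http://localhost:8000/", "http://localhost:8000/login", r"\QLogout\E", "alice", "s3cret"))` with your own values; if the spider still only sees the login page, check the logged-in indicator regex against the post-login response in ZAP's history first.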

Is there a web app security auditing tool that produces reports showing what attack types were tested for?

I want to generate a basic report from testing, and I would like the testing to cover the OWASP Top 10. I have looked at OWASP ZAP reporting but this just highlights any issues as opposed to saying X, Y and Z were tested for with no evidence of them occurring, along with detailing the issues found.
This is not a question on how to test a web-application. The question is: Are there any tools that will generate reports specifying what was tested for along with vulnerabilities?
You can see what ZAP is testing for by selecting Analyse... / Scan Policy
We're also starting to document the rules under here https://code.google.com/p/zap-extensions/wiki/V2Extensions (look at the items under the tree on the left).
Note that no tool will be able to automatically test for all of the OWASP Top ten - you will really need to perform manual testing as well.
The ZAP reporting does need to be improved, and I'd like it to include a list of what was tested as well as what was found. ZAP is a community project - fancy working on this? ;)
Simon (ZAP project lead)

Is there a web app that helps with a web dev checklist?

I was wondering if there is a website that helps by giving you a checklist for your web app, to make sure you don't miss anything! It can be very tedious when building a large project by yourself! Obviously nothing specific, just a guideline for a web app. Thanks.
This doesn't necessarily work for all projects, but it's a great start!
http://launchlist.net/
In light of your comment below, I recommend
http://goplanapp.net
It's free and open-source and allows you to create project milestones, have ongoing discussions on various issues, and a lot more.
Trac is a website-driven piece of software that allows you to set milestones, reports, svn browsing, priorities, bug tracking, and wikis. A lot of active open source projects use it to host their software. I use it extensively for each client project I start.
I like http://kanbanery.com/ a lot.
It allows you to have tasks with subtasks, add info, attachments, comments, etc to a task and you can arrange those in multiple columns.
(I know it is targeted at scrum / kanban teams, but the app can be tailored to make it fit for your workflow)

What is the profile of a SharePoint developer?

I have a development team specialized in ASP.NET. So the solutions we provide are web based, running on IIS and using MS SQL server. Everything within the intranet of the company. The team has this expertise, and they are excellent in C#, and .Net in general.
The company is deploying SharePoint MOSS 2007. This deployment is part of a project that I am not involved in, and for which I have very little information. However, I know that they have established the "thinkers" layer (those who will say what to do), the integration layer (those who will configure, deploy and manage the production), and that they need to establish the so-called development layer (those who will do the things the other two can't).
I am asked to evaluate the possibility to increase my team's expertise by adding SharePoint development. This is the easy part, I just have to find the required training and send my people.
However these days the word development could mean a lot of things and sometimes I discover that configuration is used in place of development.
I don't have any objections to evolve the team by developing new expertise, but I want to be sure to keep things stimulating for my developers.
Secondly I don't want to say that we have SharePoint development expertise, and actually what we do is just modifying css or xml files. Also, I don't think that using wizards to produce a solution is the best path to push a C# developer to follow.
The questions I am asking myself first are: what is the background of a SharePoint developer? How would .NET developers feel if asked to become SharePoint developers?
Any thoughts will be greatly appreciated.
I started in Sharepoint development over a year ago when I inherited a WSS 3.0 solution at my company.
Personally I think it was a great step for me getting to know SharePoint development a little; there are a lot of problems (e.g. security, load balancing, ghosting) that it was good to see how the WSS team solved, and it helps me solve problems in other solutions I'm working on. But I don't work on WSS solutions full time, so others will have to answer how it is working with WSS every day.
WSS and SharePoint are an extension of the ASP.NET platform, so any experience in ASP.NET and .NET in general should be a good foundation for a developer that is starting to create SharePoint solutions. I read the Inside Microsoft Windows SharePoint Services 3.0 book in order to get the basic concepts and WSS solution architecture before I started working on WSS projects.
I quickly found out that you have to have a virtual machine environment for SharePoint development; this is because it's a pain working on a client and attaching to a remote process on the server to get into debug mode. Therefore I recommend creating a MOSS virtual machine that has Visual Studio installed and has access to your source control system. Develop solutions on that machine and when finished, check into source control.
I also recommend looking at development tools such as stsdev and wspbuilder to help you build your solution; these will ease your development process quite a bit. There are also quite a lot of tools available on the web, e.g. on CodePlex, to help you out.
Sometimes it can be a pain developing these solutions: changes can require recycling the IIS pool or a brute-force IISReset, error messages can sometimes be a little cryptic, and so on. But you quickly catch on and know where to look. SharePoint also helps you out a lot; I've had millions of questions from clients that can be solved with standard out-of-the-box web parts, so that I don't have to code anything to keep my clients happy :)
SharePoint also expects solutions to be coded in a certain way, e.g. the 12 hive file structure, so it helps you standardize your solutions.
There is a serious lack of documentation, so you have to rely on Reflector and such tools a lot, just to know what is happening within the framework; hopefully this gets better with 2010.
The initial learning curve is high, and there are a lot of new concepts and technologies to learn, e.g. workflows within SharePoint, features, ghosting and code access security.
There is a lot of XML configuration that SharePoint uses that developers have to learn; this includes the site definition, list templates and more. There are sometimes days when I'm stuck in XML edit mode and can't figure out why things don't work as they should.
These are just a few of my thoughts. I've been working mainly in WSS development and it would be great if someone could comment regarding web part configuration in SharePoint, e.g. configuring the search, which is something I haven't been doing a lot of.
From what I have heard around, the SharePoint is a popular technology from the customer point of view, but an object of hatred among developers.
Nice to see you noted Dev and Admin being used "incorrectly".
Although Developing for SharePoint could be purely that, development, like creating webparts etc., I strongly encourage you and your team to get to grips with SharePoint deployment, installation and configuration as well. I am fully SharePoint Certified (WSS Config/Dev and MOSS Config/Dev) and having knowledge of both ends has been invaluable for me.
Knowing what is configured where will help in debugging and troubleshooting along the way. I suggest taking an MCTS WSS 3.0 Configuration training and/or a MOSS Config training for at least 1 or 2 of your team. The rest of the team will pick up the essentials as they go along, having those 2 certified colleagues as go-to guys concerning config and admin.
IMHO, being a sharepoint consultant entails knowing how to create a piece of functionality as a dev and then being able to deploy, configure and maintain that piece of functionality as an admin (or at least an informed end/power user).
Albert, take a look at this other thread titled Is a sharepoint developer technically “equipped” to do custom app dev and vise-versa. There's quite a bit of info in there about what's involved in making the leap from pure .NET to SharePoint.
My co-worker is studying SharePoint at the moment. I make fun of him all the time. Frequently he gabbles something like "wtf is that??!!". And then I feel a bit sad, because I know there's a probability that I'll have to learn that stuff too (I guess it's not so easy to get projects nowadays).
I see it more as configuration and customization than software development (something like hunting down a fing checkbox for 3 days in a row). You pick up some clay through those crazy SharePoint designers and then endlessly customize it.
For everything I know already there's a new name (i.e. spGridView) and unexpected behavior underneath.
The HTML that gets rendered is bizarre (tables and a bunch of serialized viewstate everywhere).
But those configuration XMLs... o_0
Now that's a hurdle I can't get over. Even hardcore SQL stuff starts to seem like a childish game.
Maybe I'm wrong, but as I have heard, Microsoft developed 'sparse columns' (lets you expand the count of columns for tables over a thousand-something) for SQL mainly because of SharePoint. That terrifies me.
Of course, my opinion is HIGHLY subjective and a bit offensive. But I hope that helps to better reveal what I think & feel about SharePoint.
Hopefully the developers you are working with see this differently.
In short:
No. I wouldn't like to become a sharepoint developer.
Edit:
I could handle that initial complexity. But the main reason I don't want to is that I don't think development in SharePoint is the right way to go. I mean, lately people discuss that WebForms provides too much abstraction. Then what to say about SharePoint?
To be a successful SharePoint developer you must have a high threshold for pain and the patience of a Buddha.
Thank you all for the answers; they are all really helpful.
From what I read here, I see two things to consider.
First is the context of utilization, which I think is an important factor. In some places SharePoint "development" could go very far, and could involve developing really exciting things in order to satisfy new customers' needs. It could involve writing code and so on. And in some other places it could be just administration and configuration, in order to maintain already established solutions.
Second is the personal motivation. It really depends on the person. Some .NET developers with good experience will prefer not to go in a direction where they will not code the "SharePoint way", and will prefer to write code in C# or some other languages. However, there will be others that will choose this path and will be happy to have such careers. They will be motivated and thus propose really nice solutions.
For example, from my personal perspective, if I had stayed in development and programming, I would not choose SharePoint development using high-level wizards and menus as a progress path for my career. Even though I am not doing it these days, I still enjoy coding, compiling, debugging etc., but this is just me.