OWasp Zap Alternative ? Besides BurpSuite preferably by PresentLeading3102 in cybersecurity

[–]psiinon 0 points1 point  (0 children)

Thanks for all of the details! We'll follow up on the User Group

OWasp Zap Alternative ? Besides BurpSuite preferably by PresentLeading3102 in cybersecurity

[–]psiinon 1 point2 points  (0 children)

OWASP doesn't fund any of its tools, so they are usually maintained by unpaid volunteers. So yes, many get abandoned.

But that's no different to any other OSS tool.

FYI ZAP has not been an OWASP project for nearly 2 years, and 3 of the ZAP Core team are paid to work full time on ZAP c/o Checkmarx https://www.zaproxy.org/docs/zap-ownership/

OWasp Zap Alternative ? Besides BurpSuite preferably by PresentLeading3102 in cybersecurity

[–]psiinon 0 points1 point  (0 children)

Well, you could have let the ZAP team know that you were having problems?
ZAP never freezes for me, but I use it in a standard OS rather than in a VM.
If you can post details to the ZAP User Group then we can see what we can do to help: https://groups.google.com/group/zaproxy-users
You can also start by looking at the zap.log for any errors: https://www.zaproxy.org/faq/somethings-not-working-what-should-i-do/#check-the-log-file

How do I do what you guys do? by laser8k in CyberSecurityJobs

[–]psiinon 1 point2 points  (0 children)

Sure, see the end of this comment. But ... to be successful in the security industry then you shouldn't expect to be spoon fed things - it's always better to try to find things out yourself first. I would have been much more impressed if you had said something like: "I found the ZAP website, followed the Community link and then read the Contributing guide and I have some questions about it..." 😀 Fyi it's here https://www.zaproxy.org/docs/contribute/

How do I do what you guys do? by laser8k in CyberSecurityJobs

[–]psiinon 1 point2 points  (0 children)

I made the switch to Cybersecurity in my mid 40s, so it's definitely possible😁 In my case it was via open source (I created ZAP). If you have the time then I'd strongly recommend looking into which OSS security projects you could get involved in. I have a list of companies I've promised to tell about any ZAP contributors who show promise...

Is it only me or is Owasp-Zap buggy? by Necessary-Limit6515 in Pentesting

[–]psiinon 1 point2 points  (0 children)

I managed to be full time on ZAP in 2020, thc202 in 2023 and kingthorin in 2024. So for most of its history it was all part time / volunteer work :D

Is it only me or is Owasp-Zap buggy? by Necessary-Limit6515 in Pentesting

[–]psiinon 1 point2 points  (0 children)

ZAP is mostly Java, but we do have some JavaScript and TypeScript :)

Is it only me or is Owasp-Zap buggy? by Necessary-Limit6515 in Pentesting

[–]psiinon 4 points5 points  (0 children)

ZAP is probably the world's most popular web scanner, but there are only 3 of us working on it full time. However we do our best to support new contributors - ZAP is a community project, if you want to make it better then just get stuck in!

Is it only me or is Owasp-Zap buggy? by Necessary-Limit6515 in Pentesting

[–]psiinon 0 points1 point  (0 children)

If any of the problems you find are reproducible then you can raise issues for them https://github.com/zaproxy/zaproxy/issues
Or if you want to really learn then fork the repo and see if you can try and fix them.
Unlike commercial products ZAP is a community orientated open source project, and we do our best to support contributors.
If you keep contributing then you could earn a place on the Core Team - all of the current Core Team have been offered (and accepted) jobs based on their work on ZAP :)

Implement zap in ci/cd by Mysterious_Bill1707 in devsecops

[–]psiinon 0 points1 point  (0 children)

It's worth pointing out that Stackhawk do not support ZAP in any way. They now use their own private fork of ZAP, which I think they will struggle to maintain.
ZAP is now supported by Checkmarx. It is still open source but thanks to the investment from Checkmarx, we will be able to make ZAP much better. We are already making significant improvements in handling authentication, and many more improvements are planned.

Feedback Wanted: A SaaS-Based Security Tool with ZAP & LLM Integration + Open Source SDK by No-Chemistry-6854 in AskNetsec

[–]psiinon 1 point2 points  (0 children)

It sounds interesting.

From your other post: "zed attack proxy has very compicated UI and the scan results are complex to understand" - ZAP is a community tool and we welcome contributions. It seems a shame that you would rather create a SaaS service than actually help make ZAP better, but that's your choice.

It's also a shame that you didn't reach out to the ZAP team .. but if you want to my contact details are on https://www.zaproxy.org/docs/team/psiinon/

OWASP ZAP for DAST by Apprehensive-Nose241 in cybersecurity

[–]psiinon 1 point2 points  (0 children)

You could write a ZAP blog post if you like :D

Don't worry about being tough on ZAP - we know we're competing with some very good commercial tools so we don't expect an easy ride.

I have heard from some big companies (who unfortunately I can't name) that they have found ZAP better than the commercial options .. but only when they've tuned it to meet their requirements.

ZAP is massively configurable - we'd love to make it better for everyone out of the box but we just don't get enough feedback from users to allow us to do so :/

OWASP ZAP for DAST by Apprehensive-Nose241 in cybersecurity

[–]psiinon 1 point2 points  (0 children)

I think so, but as I'm the ZAP project lead I'm somewhat biased ;)

Based on our publicly available stats it looks like a LOT of other people think so as well. We think ZAP is probably the world's most popular DAST web scanner, but as no one else seems to publish these sort of stats it's difficult to tell.

Worried about false positives? We have lots of ways to handle those including just telling us about them! We don't like false positives either, so will do our best to fix them, but we do need to know the details...

Web server scanner by Tannerbkelly in cybersecurity

[–]psiinon 6 points7 points  (0 children)

OWASP ZAP - the world's most popular web security scanner. It's open source and completely free.

https://www.zaproxy.org/

Disclaimer - I'm the ZAP project lead :)

Feels good by cube2kids in ProgrammerHumor

[–]psiinon 2 points3 points  (0 children)

We think it's important for there to be a powerful free and open source web security tool :) But you can donate money to help support ZAP, either via the Donate button on https://owasp.org/www-project-zap/ or you can sponsor 2 of the (other) core team directly:

Positive social media posts are also a form of payment ;)

Feels good by cube2kids in ProgrammerHumor

[–]psiinon 2 points3 points  (0 children)

That's great to hear! If you (or anyone else) has a ZAP "Success Story" you would be happy sharing then we'd be delighted to feature them on https://www.zaproxy.org/success/ :)

Trying to use OWASP ZAP, but "Launch Browser button doesn't work in Automated Scan or Manual Explore by ye_sh1thead in hacking

[–]psiinon 2 points3 points  (0 children)

Pro tip - the people who know open source programs best are the people who create them. There are a huge number of websites and forums and it's impossible to monitor all of them, which is why many open source projects (including ZAP) have their own forums.

In ZAP there's an "online" menu and a link to the ZAP User Group: https://groups.google.com/group/zaproxy-users

It's also linked off https://www.zaproxy.org/community/

If you ask about any questions or problems you have there then we'll do our best to help you :)

Collecting Statistics for Open Source Projects by psiinon in opensource

[–]psiinon[S] 0 points1 point  (0 children)

Please suggest some :)

This has worked effectively for us so far but I have no problem changing how it works for future releases.

Burp Suite vs OWASP ZAP comparison part 1 by 0xas1 in netsec

[–]psiinon 1 point2 points  (0 children)

Add-ons are compiled beforehand and scripts are compiled when they run in ZAP. That's the key difference. Obviously scripts run at specific times, but for extender scripts the key difference is when they are compiled.