WEBVTT

00:00.480 --> 00:01.880
Hello everyone and welcome.

00:01.880 --> 00:08.720
In this video we will go over Zap proxy, which is a tool that is used to do advanced web security scanning.

00:08.720 --> 00:11.520
For that, let's go through this documentation.

00:11.520 --> 00:13.920
I haven't created any slide as such.

00:14.120 --> 00:19.400
This document is very well written, so I'll walk you through the documentation about some of the basics

00:19.400 --> 00:23.080
of security testing and also what the tool does.

00:23.440 --> 00:29.680
So in this particular section it shows the overview of the tool which is Zap proxy.

00:30.120 --> 00:34.080
Zap proxy is used to perform security testing.

00:34.280 --> 00:39.360
Even if you don't have a background in security testing, that should not matter.

00:39.360 --> 00:43.200
It would guide you effectively through how the tool works.

00:43.720 --> 00:45.760
Some of the basics of security testing.

00:45.760 --> 00:53.480
Software security testing is the process of assessing and testing a system to discover security risks and

00:53.480 --> 00:56.160
the vulnerability of the system and its data.

00:57.360 --> 01:00.360
It is broadly categorized into four categories.

01:00.360 --> 01:05.960
Vulnerability assessment: the system is scanned and analyzed for security issues.

01:06.560 --> 01:12.640
Penetration testing: the system undergoes analysis and attack by simulated malicious attackers.

01:13.080 --> 01:20.800
Runtime testing: the system undergoes analysis and security testing, and code review: the system code undergoes

01:20.840 --> 01:26.400
a detailed review and analysis looking specifically for security vulnerability.

01:26.760 --> 01:32.960
A little bit more about penetration testing: it is carried out as if the tester was malicious, with

01:32.960 --> 01:40.080
a goal of breaking into the system, either stealing data or carrying out some sort of denial of service

01:40.080 --> 01:40.640
attack.

01:41.280 --> 01:46.640
Pentesting has an advantage of being accurate because it has fewer false positives.

01:47.040 --> 01:54.680
Pentesting is also used to test defense mechanisms, verify response plans and security policy adherence.

01:55.040 --> 01:57.920
So what does the pen testing process look like?

01:58.400 --> 02:01.360
It is broadly categorized into three steps.

02:01.720 --> 02:05.840
First, explore: the tester attempts to learn about the system being tested.

02:06.360 --> 02:13.680
It includes trying to determine what software it uses, what endpoints, patches, etc. and then it

02:13.680 --> 02:20.480
includes searching the site for hidden content, vulnerabilities and other indications of weakness.

02:20.720 --> 02:22.640
Then it plans the attack.

02:22.800 --> 02:29.690
The tester attempts to exploit the known or suspected vulnerabilities to prove they exist, and the

02:29.690 --> 02:31.930
third one is report: the tester

02:31.930 --> 02:36.130
reports back the results of their testing, including the vulnerabilities.

02:36.450 --> 02:39.970
Let's scroll down a little bit and understand how Zap works.

02:41.050 --> 02:46.650
The ultimate goal is to search for vulnerabilities so that these vulnerabilities can be addressed.

02:46.930 --> 02:52.930
It can also verify that a system is not vulnerable to unknown class or a specific defect.

02:53.370 --> 02:59.810
In the case of vulnerabilities that have been reported as fixed, verify that the system is no longer

02:59.810 --> 03:01.730
vulnerable to that defect.

03:01.970 --> 03:03.170
So what is zap?

03:03.330 --> 03:06.410
Zap is Zed attack proxy by Checkmarx.

03:06.770 --> 03:12.890
It's a free, open source penetration testing tool that would expose the web security vulnerabilities in

03:13.050 --> 03:14.610
web applications.

03:14.610 --> 03:17.330
And it's both flexible and extensible.

03:17.730 --> 03:24.170
So if you notice here, it sits between a browser and the web application so that it can intercept the

03:24.170 --> 03:30.250
messages sent between the browser and the web application and modify the contents if needed.

03:30.770 --> 03:34.530
Now let's go ahead and understand what Zap proxy looks like.
