Blog: SSP
Signed-off-by: Simon Bennetts <[email protected]>
psiinon committed Aug 1, 2023
1 parent 80a8c37 commit 7140f3a
Showing 22 changed files with 116 additions and 35 deletions.
2 changes: 1 addition & 1 deletion package.json
@@ -1,7 +1,7 @@
{
"name": "zaproxy-website",
"version": "1.0.0",
"description": "Website for OWASP ZAP one of the world's most popular free security tools",
"description": "Website for ZAP one of the world's most popular free security tools",
"repository": "zaproxy/zaproxy-website",
"main": "index.js",
"scripts": {
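Review bot: the replacement description line is missing a comma after "ZAP" ("Website for ZAP one of the world's most popular free security tools"); the original had the same slip, so while the line is being touched suggest `"description": "Website for ZAP, one of the world's most popular free security tools"`.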
2 changes: 1 addition & 1 deletion site/config.yaml
@@ -1,7 +1,7 @@
baseurl: "/"
languageCode: "en-us"
languageLang: "en"
title: "OWASP ZAP"
title: "ZAP"
enableEmoji: true
summaryLength: 48
disableHugoGeneratorInject: true
@@ -0,0 +1,84 @@
---
title: "ZAP is Joining the Software Security Project"
summary: "I’m delighted to announce that ZAP is joining the new [Software Security Project](https://softwaresecurityproject.org/) (SSP) as one of the founding projects. This does however mean we are leaving OWASP."
images:
- https://www.zaproxy.org/blog/2023-08-01-zap-is-joining-the-software-security-project/images/ssp.png
type: post
tags:
- blog
- release
date: "2023-08-01"
authors:
- simon
---
I’m delighted to announce that ZAP is joining the new [Software Security Project](https://softwaresecurityproject.org/) (SSP) as one of the founding projects.

![Software Security Project Logo](images/ssp.png)

The SSP, is a brand new initiative of the Linux Foundation. It's so new in fact that we don't yet have a formal charter and governance in place, but we are excited to be part of the process of defining it all with our community. We know we are aligned with the goals and the planned governance.

The SSP is explicitly set up to support key open source security projects, and as a result is now supporting both myself and
[Ricardo](/docs/team/thc202/) to work full time on ZAP. The plan is to employ more people to work full time on ZAP as and when we can.

We encourage all of you who use ZAP to consider joining SSP in order to help fund ZAP and other important Open Source security projects.

### Farewell to OWASP

ZAP can only be in one foundation, so regretfully ZAP will be leaving OWASP.

I applied for ZAP to be accepted to OWASP shortly after launching it in 2010 and I have never regretted that decision.

As an OWASP project, ZAP has greatly benefited from the exposure, significantly increasing the likelihood of people trying it out.
An unexpected invitation to present ZAP at [OWASP AppSec Ireland in 2012](https://owasp.blogspot.com/2012/08/appsec-ireland-2012-register-now.html) was a major boost, and since then OWASP Conferences and Chapters all over the world have really helped spread the word about ZAP.

Unfortunately OWASP has struggled to support and invest in projects, especially big projects.

ZAP is a big project. It has grown into the world’s most popular web scanner and directly competes with commercial projects that have huge investments. We need much more investment in order to thrive, investment that SSP is committed to raising.

This move should not come as a surprise to anyone active in OWASP.

We actually first floated the idea of leaving OWASP [back in 2015](https://groups.google.com/g/zaproxy-develop/c/HFbQZ6ETljY/m/bXMFCJ59BwAJ).

I reiterated these concerns in my [Global AppSec Keynote](https://www.youtube.com/watch?v=t77aKVJQKzY) in 2022 and the ZAP team were some of the first signatories to the [Open Letter to the OWASP Board](https://owasp-change.github.io/) in Feb 2023.

We are working with OWASP to make sure this transition is as smooth as possible. The ZAP Team believes that OWASP is a very positive force in this industry. We will continue to contribute to OWASP, as project leaders, and as volunteers.

### What Does this Mean in Practice?

This move means that we will be part of a foundation that will actively help raise more funds for ZAP and other similar projects.

For the first time ever we have two people working on ZAP full-time and that will increase over time.

ZAP will, of course, stay Open Source.

There will be some practical changes:

#### Rebrand

From now on "OWASP ZAP" will be known as just "ZAP".

We have already updated the main pages of this site to reflect ZAP’s new status, but there are likely to be many more minor changes we need to make here and on other ZAP accounts.

The next full ZAP release will also include UI rebranding changes - we have not decided exactly when this will be yet.

#### Docker Hub

The ZAP images on DockerHub are part of the OWASP organisation account. We will be moving these to a new organisation, which will mean that you will need to change the URLs you use to pull the images.

We are working with OWASP to ensure that the current images are maintained for a reasonable period of time.

The [GitHub Container Registry](/blog/2023-06-13-ghcr-docker-images/) images will not be affected.

#### ZAP Services

The [services](/faq/what-calls-home-does-zap-make/) we maintain for ZAP are currently hosted in an OWASP account. We are in the process of migrating these, and you should not experience any loss of service during this transition.

### Questions or Concerns

If you do have any questions or concerns then please reach out to me and/or the rest of the team, using all the usual ways:

* ZAP User Group thread (TBA - will create this once this blog post has been published)
* [ZAP Core Team Email](mailto:[email protected])
* [My Email](mailto:[email protected])
* [My Twitter](https://twitter.com/psiinon) (DM's open)
* [My LinkedIn](https://www.linkedin.com/in/psiinon/)
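Review bot: the contact list ends with a placeholder bullet, "ZAP User Group thread (TBA - will create this once this blog post has been published)", which will ship to readers as-is; either drop that bullet until the thread exists or plan the follow-up commit that fills in the link. In the Docker Hub section, "maintained for a reasonable period of time" gives users who pull the images from the OWASP organisation no date to plan around; stating when those images stop receiving updates would avoid people silently running stale builds after the move. Minor wording: "The SSP, is a brand new initiative" has a stray comma, and "DM's open" should be "DMs open".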
2 changes: 0 additions & 2 deletions site/content/docs/burp-to-zap-feature-map.md
@@ -33,8 +33,6 @@ The following significant features are available in Burp but currently not in ZA
* HTTP Host Header manipulation
* due to limitations in the current ZAP networking stack it was not possible to manipulate some part of the HTTP header
* __Update:__ this is now possible programmatically but not in the desktop UI - this is being worked on so this restriction will be removed
* HTTP/2 Support
* __Update:__ this is now supported in the weekly / development versions

### Burp Missing Features

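Review bot: the two deletions in this hunk (entries in the "available in Burp but currently not in ZAP" list) have nothing to do with the SSP move that the commit message "Blog: SSP" describes; consider splitting them into their own commit, or extending the message to say why the entries go, since the rendered diff alone does not show whether the limitation they described has actually been lifted.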
7 changes: 3 additions & 4 deletions site/content/docs/desktop/_index.md
@@ -1,6 +1,6 @@
---
# This page was generated from the add-on.
title: The OWASP ZAP Desktop User Guide
title: The ZAP Desktop User Guide
type: userguide
weight: 1
cascade:
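Review bot: the front matter comment in this hunk, `# This page was generated from the add-on.`, means the title change made here will be overwritten the next time the page is regenerated; make the same rename in the add-on's help source as well, or say in the commit message that this has been done.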
@@ -9,9 +9,9 @@ cascade:
version: 16.0.0
---

# OWASP ZAP Desktop User Guide
# ZAP Desktop User Guide

Welcome to the OWASP Zed Attack Proxy (ZAP) Desktop User Guide.
Welcome to the Zed Attack Proxy (ZAP) Desktop User Guide.

This is available both as context sensitive help within ZAP and online at
[https://www.zaproxy.org/docs/desktop/](/docs/desktop/)
@@ -45,7 +45,6 @@ ZAP is a fork of the open source variant of the [Paros Proxy](/docs/desktop/paro
| | |
|---|---------------------------------------------------------------------------|
| | [Main ZAP website](/) |
| | [OWASP ZAP homepage](https://owasp.org/www-project-zap/) |
| | [Wikipedia entry for proxies](https://en.wikipedia.org/wiki/Proxy_server) |

## Official Videos
2 changes: 1 addition & 1 deletion site/content/docs/docker/about.md
@@ -7,7 +7,7 @@ type: docker
---

# Introduction
Docker image with OWASP Zed Attack Proxy preinstalled.
Docker image with Zed Attack Proxy preinstalled.

# Details

5 changes: 1 addition & 4 deletions site/content/docs/team/psiinon.md
@@ -13,7 +13,7 @@ Simon released ZAP in 2010 and has been working on it ever since.

#### Sponsor

Simon's work on ZAP is sponsored by [Jit](https://jit.io) where he works as a Distinguished Engineer.
Simon's work on ZAP is supported by [The Software Security Project](https://softwaresecurityproject.org/).

#### Expertise

@@ -43,6 +43,3 @@ All of Simon’s publicly available videos are linked off the [Videos](/videos/)
* 2015/05/18 [FLOSS Weekly 329: OWASP ZAP](https://twit.tv/shows/floss-weekly/episodes/329)
* 2013/02/02 [FOSDEM: Simon Bennetts: Practical Security for developers, using OWASP ZAP](https://archive.fosdem.org/2013/interviews/2013-simon-bennetts/)

#### Other Work

Simon is an active member of the [OWASP Project Committee](https://owasp.org/www-committee-project/).
3 changes: 1 addition & 2 deletions site/content/docs/team/thc202.md
@@ -12,11 +12,10 @@ Ricardo started working on ZAP in 2011 and has made more PRs against the ZAP rep

#### Sponsor

You can sponsor Ricardo directly via his [GitHub Sponsor](https://github.com/sponsors/thc202/) page.
Ricardo's work on ZAP is supported by [The Software Security Project](https://softwaresecurityproject.org/).

He is also available for custom ZAP work.


#### Expertise

Ricardo has worked on nearly every part of the ZAP code base.
8 changes: 5 additions & 3 deletions site/content/getting-started/index.md
@@ -45,7 +45,8 @@ Pentesting usually follows these stages:
The ultimate goal of pentesting is to search for vulnerabilities so that these vulnerabilities can be addressed. It can also verify that a system is not vulnerable to a known class or specific defect; or, in the case of vulnerabilities that have been reported as fixed, verify that the system is no longer vulnerable to that defect.

### Introducing ZAP
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Worldwide Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of
The Software Security Project (SSP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.

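Review bot: the replacement sentence is wrapped mid-sentence ("...under the umbrella of" / "The Software Security Project (SSP). ZAP is designed..."), while the rest of this file keeps one paragraph per line; suggest keeping it on a single line so the source reads the same way as the surrounding paragraphs.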
@@ -59,7 +60,8 @@ ZAP provides functionality for a range of skill levels – from developers, to t

Because ZAP is open-source, the source code can be examined to see exactly how the functionality is implemented. Anyone can volunteer to work on ZAP, fix bugs, add features, create pull requests to pull fixes into the project, and author add-ons to support specialized situations.

As with most open source projects, donations are welcome to help with costs for the projects. You can find a donate button on the owasp.org page for ZAP at [https://owasp.org/www-project-zap/](https://owasp.org/www-project-zap/).
As with most open source projects, donations are welcome to help with costs for the projects. For more details see the
[Sponsor](/sponsor/) page.

### Install and Configure ZAP
ZAP has installers for Windows, Linux, and macOS. There are also Docker images available on the download site listed below.
@@ -72,7 +74,7 @@ Note that ZAP requires Java 11+ in order to run. The macOS installer includes an
Once the installation is complete, launch ZAP and read the license terms. Click **Agree** if you accept the terms, and ZAP will finish installing, then ZAP will automatically start.

###### macOS
OWASP ZAP is currently not a verified developer with Apple. On macOS, you will see a message like:
ZAP is currently not a verified developer with Apple. On macOS, you will see a message like:
> “OWASP ZAP.app” cannot be opened because the developer cannot be verified.
To circumvent this warning, you would need to go to **System Preferences** &gt; **Security & Privacy** at the bottom of the dialog. You will see a message saying that "OWASP ZAP" was blocked. Next to it, if you trust the downloaded installer, you can click **Open anyway**.
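Review bot: the unchanged lines right after the rebranded sentence still quote the Gatekeeper dialog as `“OWASP ZAP.app” cannot be opened` and `saying that "OWASP ZAP" was blocked`; that stays accurate until the UI rebrand release mentioned in the blog post ships a renamed app bundle, so leave a reminder to update these then. Since this paragraph tells users how to get past a Gatekeeper block, it would also be worth pointing them at a way to verify the download before they click **Open anyway**, rather than relying only on "if you trust the downloaded installer".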
3 changes: 1 addition & 2 deletions site/content/sponsor.md
@@ -19,11 +19,10 @@ community of users who really care about web security.

## How to Sponsor ZAP

You can sponsor the ZAP project via [OWASP](https://owasp.org/donate/?reponame=www-project-zap&title=OWASP+ZAP).
The best way to support the ZAP project is to join [The Software Security Project](https://softwaresecurityproject.org/).

You can also sponsor the following members of the Core team directly - these contributions also count as donations to the ZAP project:

* [thc202](https://github.com/sponsors/thc202)
* [kingthorin](https://github.com/sponsors/kingthorin)
* [ricekot](https://github.com/sponsors/ricekot)

2 changes: 1 addition & 1 deletion site/content/supporters.md
@@ -7,4 +7,4 @@ description: Companies and organisations who have supported ZAP in a variety of

For details on how to sponsor ZAP and the benefits of the different levels see the [Sponsor](/sponsor/) page.

Thanks to [OWASP](https://www.owasp.org/) for the continued support along the years as the umbrella organization.
Thanks to [OWASP](https://www.owasp.org/) for the support from 2010-2023 as the umbrella organization.
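Review bot: "for the support from 2010-2023" mixes "from" with a dash range; suggest "for the support from 2010 to 2023" or "for the support during 2010-2023".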
6 changes: 3 additions & 3 deletions site/content/third-party-engagement.md
@@ -7,15 +7,15 @@ __This is not a legal document, third parties are expected to perform their own

* Any third party can sponsor anyone to work on ZAP
* Third parties can promote their sponsorship of ZAP or people working on ZAP
* Any third party can build commercial services using ZAP as long as they conform to all of the [relevant Open Source licences](https://github.com/zaproxy/zaproxy/blob/main/LEGALNOTICE.md) and do not claim that it is endorsed by the ZAP core team or OWASP
* Any third party can rebundle and redistribute ZAP with any other components as long as they do not claim it is an “official ZAP release” or endorsed by either the ZAP core team or OWASP
* Any third party can build commercial services using ZAP as long as they conform to all of the [relevant Open Source licences](https://github.com/zaproxy/zaproxy/blob/main/LEGALNOTICE.md) and do not claim that it is endorsed by the ZAP core team or the Software Security Project
* Any third party can rebundle and redistribute ZAP with any other components as long as they do not claim it is an “official ZAP release” or endorsed by either the ZAP core team or the Software Security Project
* Third parties are encouraged to be public about their use of ZAP and to contribute back fixes and enhancements
* Third parties should not use "ZAP" or "ZAPROXY" in their product names
* Third party specific add-ons can be added to the ZAP Marketplace as long as the add-ons are free and Open Source and it is clear who developed/supports them. Any services those add-ons connect to can be Open Source, closed source, free or commercial
* Third party specific add-ons will not be included in the official ZAP distributions
* Exceptions may be made by the ZAP core team, for example add-ons which connect to commonly used components like bug trackers
* Third party specific add-ons should not be included in the ZAP code base (with the above proviso)
* Third parties can offer free or paid-for support for ZAP as long as they do not claim that it is endorsed by the ZAP core team or OWASP
* Third parties can offer free or paid-for support for ZAP as long as they do not claim that it is endorsed by the ZAP core team or the Software Security Project
* ZAP communication channels cannot be used to endorse commercial products
* Commercial products based on ZAP can be mentioned on ZAP communication channels as long as all similar commercial products are treated equally
* Code will be merged into the code base based on its quality and suitability as decided by the ZAP core team
2 changes: 1 addition & 1 deletion site/content/third-party-services.md
@@ -3,7 +3,7 @@ type: page
title: Third Party Products and Services
layout: thirdparty
description: Third Party Products and Services which use or integrate with ZAP.
warning: Note that these are not endorsed by either OWASP or the ZAP team.
warning: Note that these are not endorsed by either the Software Security Project or the ZAP team.
desc_services_plus: Services that use ZAP, and either support ZAP or are open source.
desc_services_minus: Services that use ZAP, but are closed source and do not support ZAP in any way. If you use these services please ask the companies behind them how they plan to support ZAP!
desc_integrations: Products and services that can import ZAP results.
2 changes: 1 addition & 1 deletion site/content/videos.md
@@ -7,7 +7,7 @@ groups:
links:
- name: 'ZAP Deep Dive Series'
link: /zap-deep-dive/
desc: An ongoing series of longer videos about ZAP features produced in conjunction with StackHawk
desc: A series of longer videos about ZAP features

- name: 'ZAPCon 2022'
link: /zapcon-2022/
4 changes: 2 additions & 2 deletions site/content/zap-deep-dive.md
@@ -67,6 +67,6 @@ links:
uuid: 8liaCddrb8s
---
A series of longer videos (~20-30 mins each) about different ZAP features produced in conjunction with [StackHawk](https://www.stackhawk.com).
These are included in the [OWASP ZAP Tutorial videos](https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB) playlist along with older ZAP videos
and their own [OWASP ZAP Deep Dive](https://www.youtube.com/playlist?list=PLEBitBW-HlstiimJoOyOxunpt79q0l4Ku) playlist.
These are included in the [ZAP Tutorial videos](https://www.youtube.com/playlist?list=PLEBitBW-Hlsv8cEIUntAO8st2UGhmrjUB) playlist along with older ZAP videos
and their own [ZAP Deep Dive](https://www.youtube.com/playlist?list=PLEBitBW-HlstiimJoOyOxunpt79q0l4Ku) playlist.

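Review bot: the unchanged first line of this page still says the series was "produced in conjunction with [StackHawk]", while the videos.md hunk in this same commit drops the StackHawk mention from the series description; if that removal was intentional, this line should be brought into line with it, and if not, the videos.md change should be reverted.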
2 changes: 1 addition & 1 deletion site/data/homepage/hero.yml
@@ -1,5 +1,5 @@
heroItems:
- headline: OWASP® Zed Attack Proxy (ZAP)
- headline: Zed Attack Proxy (ZAP)
subhead:
The world’s most widely used web app scanner. Free and open source.
Actively maintained by a dedicated international team of volunteers.
10 changes: 7 additions & 3 deletions site/data/supporters.yaml
@@ -1,13 +1,17 @@
---

platinum:
- name: 'The Software Security Project'
link: https://softwaresecurityproject.org/
logo: /img/supporters/ssp.png
notes: Sponsor Simon and Ricardo's work on ZAP

gold:
- name: 'Jit'
link: https://www.jit.io/zap?utm_source=zapproxy&utm_medium=banner&utm_campaign=zap-proxy-website-banner
logo: /img/supporters/jit.png
license: 'Commercial'
notes: Sponsoring Simon's work on ZAP
notes: Sponsored Simon's work on ZAP for 1 year

gold:
- name: 'Mozilla'
link: https://www.mozilla.org/
logo: /img/supporters/mozilla.png
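Review bot: the new platinum entry's `notes: Sponsor Simon and Ricardo's work on ZAP` lacks the finite verb the neighbouring entry uses (`notes: Sponsored Simon's work on ZAP for 1 year`); suggest `notes: Sponsors Simon and Ricardo's work on ZAP` so the supporter notes read consistently.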
2 changes: 1 addition & 1 deletion site/data/thirdparty.yaml
@@ -7,7 +7,7 @@ services_plus:
link: https://www.jit.io/zap?utm_source=zapproxy&utm_medium=banner&utm_campaign=zap-proxy-website-banner
logo: /img/supporters/jit.png
license: 'Commercial'
supporter: ZAP Platinum Supporter
supporter: ZAP Gold Supporter

- name: 'SOOS'
link: https://soos.io/soos-dast-no-limit/
3 changes: 1 addition & 2 deletions site/layouts/partials/footer.html
@@ -32,9 +32,8 @@

<div class="flex ai-c">
<span class="OutroFooter">
ZAP is an <a href="https://owasp.org/www-project-zap/">OWASP Flagship project</a><br>
ZAP is part of <a href="https://softwaresecurityproject.org/">The Software Security Project</a><br>
© Copyright {{ now.Year }} the ZAP Dev Team</br>
OWASP is a registered trademark of the OWASP Foundation, Inc.
</span>
<ul class="flex footer-social">
<li>
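Review bot: the unchanged copyright line directly below the new SSP link ends with `</br>`, which is not valid HTML (`br` has no end tag, and browsers parse `</br>` as another `<br>`); since this span is being edited anyway, suggest changing it to `<br>` to match the line above.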
Binary file added site/static/img/supporters/ssp.png
