Monday, April 30, 2018

Implementing and Securing an API with ASP.NET Core

Authentication for the Web API is done with the token sent along with each request. This is handled by the built-in identity/authentication middleware: when ASP.NET Core receives a request for a controller or an action decorated with the [Authorize] attribute, it validates the token that accompanies the request. If the token is valid, the caller is authenticated; if the caller is also in the required role, the request is authorized.
How to implement?
Step 1: Give your project a name (for example, API) and click OK.
Step 2: Select the Web API template, set authentication to “No Authentication”, uncheck the “Host in the cloud” option and press OK.
Step 3: Add the API-related objects (models and controllers).
Step 4: Save the changes and rebuild the project; if everything is in order, the build completes without compile errors.
In a real implementation the code files can become very large. In that case, keep the objects that belong together in one namespace, and avoid very large C# files by splitting a class across several files with the partial keyword on the class declaration.
One of the key changes in ASP.NET Core is that dependency injection is now built in (“native”), so no additional packages need to be installed. Configure all the services in the Startup class, in the ConfigureServices method: register the dependencies that will be injected into the controllers, together with the contract resolver and the input settings (for example, the JSON serializer options).
Securing an API
Since Web API adoption is growing fast, there is a pressing need to secure access for every kind of client that tries to fetch data from a Web API. One of the most widely used mechanisms is to authenticate the client over HTTP using a token. Simply put, a token is a piece of data created by the server which contains enough information to identify a specific user.
The process starts by letting users enter their username and password when they first access the service. Once the user has supplied valid credentials, a token is issued, which lets the client fetch a given resource without sending the username and password on every request. This is what protects the API: without a valid token, nobody else can access the user’s data. Two checks keep this safe in practice: the token must travel only over HTTPS, because anyone who captures it can replay it until it expires, and the server must validate the token’s signature and expiry on every request rather than trusting its contents.
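The mechanism described above, reduced to its moving parts, as an added example (it is not the ASP.NET Core middleware and not code from the original post): the server checks the username and password once and issues a signed, expiring token; every later request carries the token, and the server verifies the signature and the expiry before checking the caller’s role. The user store, the salt and the signing key are constructed for the example.

```python
"""Token-based API authentication, reduced to its moving parts (added example)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed server-side signing key: in practice load it from configuration
# or a key vault, never hard-code it in source.
SERVER_KEY = b"example-server-signing-key-change-me"

# Constructed user store: salted PBKDF2 hashes, never plain passwords.
_SALT = b"static-salt-for-demo-only"


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


USERS = {
    "alice": {"hash": _hash_password("alice-pw", _SALT), "roles": ["Admin", "User"]},
    "bob":   {"hash": _hash_password("bob-pw", _SALT),   "roles": ["User"]},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload_b64: str) -> str:
    # HMAC over the encoded payload; only the server holds SERVER_KEY
    return _b64url(hmac.new(SERVER_KEY, payload_b64.encode(), hashlib.sha256).digest())


def login(username: str, password: str, now: Optional[float] = None, ttl: int = 3600) -> Optional[str]:
    """Step one: credentials are sent once; a signed, expiring token comes back."""
    user = USERS.get(username)
    if user is None:
        return None
    # constant-time comparison so a wrong password does not leak timing
    if not hmac.compare_digest(user["hash"], _hash_password(password, _SALT)):
        return None
    issued = time.time() if now is None else now
    payload = {"sub": username, "roles": user["roles"], "exp": int(issued) + ttl}
    payload_b64 = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    return f"{payload_b64}.{_sign(payload_b64)}"


def validate(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Step two: what the authentication middleware does on every request."""
    try:
        payload_b64, sig = token.split(".")
    except ValueError:
        return None
    # signature first: a tampered or forged payload never gets parsed
    if not hmac.compare_digest(sig, _sign(payload_b64)):
        return None
    try:
        payload = json.loads(_unb64url(payload_b64))
    except ValueError:
        return None
    current = time.time() if now is None else now
    if payload.get("exp", 0) <= current:
        return None  # expired tokens are rejected, not silently accepted
    return payload


def authorize(token: Optional[str], required_role: Optional[str] = None, now: Optional[float] = None) -> int:
    """Mimics [Authorize(Roles=...)]: 401 = not authenticated, 403 = not in role, 200 = allowed."""
    principal = validate(token, now) if token else None
    if principal is None:
        return 401
    if required_role is not None and required_role not in principal["roles"]:
        return 403
    return 200
```

The order of checks in validate matters: the signature is verified before the payload is decoded, so an attacker who edits the role claim gets a 401, not a 403, and nothing in the forged payload is ever interpreted.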
http://www.anarsolutions.com/implementing-securing-api-asp-net-core/?utm_source=Blogger.com

Friday, April 27, 2018

Legacy system – How to make sure that they are secure?

Every organisation has certain steps and protocols to follow for the vulnerability assessment of a legacy system, and it is important to evaluate all the relevant risks. Today we take a look at what the vulnerabilities are and how to secure against them.
Hacking in the real world is an ever-present threat. With petabytes of information stored on servers, and ten times more shared on cloud servers, a single breach could mean a loss of billions of dollars for IT firms. There are lines of defence in place that resist the theft of personal and confidential information, from basic strong passwords to security practices like firewalls. However, this safeguarding is limited. Once official support and regular updates are withdrawn, safeguarding a system becomes much harder, and exploiting it becomes easier. That is how legacy systems get hacked.
Inspired by the phrase “a part of our legacy”, legacy systems are the databases, applications and systems that rely on older, obsolete technology. Here are some ways to secure your legacy systems:
• Data formats and encryption
Migrating data formats can deliver positive results: you can navigate and transfer your data files with ease. However, the same is true for an attacker. Open data formats such as XML should therefore be stored in a secure location and encrypted.
• Server Consolidation
Consolidating onto a single, cheaper and more powerful server can be a boost to security, as isolating the services on it allows easier monitoring and maintenance.
• Better Infrastructure in place
Changes in the supporting architecture can always expose you to a cyber attack. Ensure that every legacy system has a daily backup of all application data and a backup-oriented infrastructure behind it.
Security Assessment of all Legacy Systems
There are steps and protocols to follow for the vulnerability assessment of a legacy system. It is important to evaluate all relevant risks, review and remediate them, and analyse the points of failure.
• Regardless of whether the system is public or private, evaluate all risks using proven methodologies such as those in the Security Technical Implementation Guides (STIGs).
• Set access privileges to the least required (least privilege). Encrypt data at rest and data in transit. Additionally, consider Oracle’s Data Redaction feature, which is specifically useful where your site copies production data to a non-production environment for testing.
• Perform detailed threat detection and mitigation for every component of every legacy system. Each component is checked and signed off.
http://www.anarsolutions.com/legacy-system-secure/?utm_source=Blogger.com 

Building a Global App with Azure PaaS

Azure is a cloud computing platform that hosts web, mobile, API and logic apps. As Platform-as-a-Service (PaaS) it lets you stay focused on business logic while the underlying infrastructure is taken care of by Microsoft Azure.
Choice of language:
App Service is not limited to a few languages. Applications can run on shared infrastructure or on dedicated virtual machines; in the dedicated case the VM running the application code is fully isolated per customer. The application can be written in any language supported by Azure App Service, which covers all the major languages in use today, such as Python, PHP, Java, ASP.NET and a few others.
Mobility of using the Apps:
Having all the apps in one place lets users work with and check them without reaching for other devices. Azure lets running apps be used from mobile devices, so users stay in touch with employees, clients and customers. One app is enough to keep all the other useful apps within reach.
Deploying the Apps:
There are three easy ways in which apps can be deployed:
  • Auto deploy: files are transferred over FTP or FTPS from a client such as FileZilla or an IDE such as NetBeans. Plain FTP sends credentials and content in clear text, so prefer FTPS. Web Deploy is also available, which deploys directly from the Microsoft tools to IIS servers. In most cases all the apps are kept, and you can later remove the ones you do not want.
  • Manual deploy: the user chooses the application to deploy and uploads it with their FTP utility of choice. The major benefit of manual deployment is that the user knows exactly where the files go, which can improve security.
  • Cloud deploy: a very convenient method. Sync the files or folders to a cloud storage service such as OneDrive or Dropbox; because the content is synchronised, deployment takes one click, and restore and automation functions are available.
Extending the application’s reach to become global:
Once a business application is connected to Microsoft Azure it can be accessed from anywhere. This benefits established organisations as well as new ones. All the popular open source web platforms, such as Umbraco, Joomla, WordPress and Drupal, are supported by Azure.
http://www.anarsolutions.com/building-global-app-azure-paas/?utm_source=Blogger.com

Thursday, April 26, 2018

Building Bots with Microsoft’s Bot Framework

The Microsoft Bot Framework is a comprehensive offering that you use to build and deploy high quality bots for your users to enjoy wherever they are talking. The framework consists of the Bot Builder SDK, Bot Connector, Developer Portal, and Bot Directory. There’s also an emulator that you can use to test your bot.
Bots started in mid-2015 to make conversations with customers and clients more interactive. By the end of March 2016 bots became publicly available and were ready to use.
Building Bots
To build your own bots, the provided SDKs are the .NET SDK and the Node.js SDK. The Bot Builder SDK is open source and available on GitHub. The SDK includes built-in prompts and dialog features that make interaction with the user simpler.
  • .NET SDK
Before using this step, make sure the Bot Connector is set up. Use the framework in the following way:
  • First, right-click your project and select “Manage NuGet Packages”.
  • In the Browse tab, search for “Microsoft.Bot.Builder”.
  • A page with an “Install” button appears; click it and follow the instructions.
After the installation completes, the Bot Builder is ready to use.
  • Node.js SDK
The Node.js SDK is a powerful framework for bot construction. It gives you the freedom to build both guided and free-form interactions.
  • Bot Building
Create a new folder for the bot, cd into it and run npm init. Install the Bot Builder and Restify modules with npm. Create a new file app.js and start writing the bot.
  • Bot Testing
To test the bot, first install the Bot Framework Emulator. The emulator tests the bot running on localhost.
  • Publishing the bot
Once the bot passes the emulator test, deploy it to the cloud and register it with the Microsoft Bot Framework.
Giving the Bot Human Senses
To make the bot more human, Microsoft offers LUIS, which understands natural language. For voice activation and voice features, use Cortana. For search, the Bing search engine is available.
Registration of Bot
Once the bot is complete it has to be registered. Connect the bot to channels and publish it. Registration uses the bot’s application ID and password, which are used for authentication. Each bot must be registered with its ID and password, and all registered bots are listed in the portal under “My Bots”. Treat the application password as a secret: keep it out of source control and load it from configuration.
Configuring the channels
This is the last stage, where the bot is configured for the channels its users are on. Some channels, like Skype and web chat, are already configured. There is also the Direct Line channel, through which other clients can be connected.
http://www.anarsolutions.com/building-bots-microsofts-bot-framework/?utm_source=Blogger.com

Wednesday, April 25, 2018

What is Microservice Architecture?

Microservice architecture, or microservices, is used in modern software development. It is used for creating applications for a wide range of platforms and devices, such as mobiles and wearables.
Difference between Monolithic Architecture and Microservices:

The difference between monolithic architecture and microservices architecture can be understood by comparing the two. A monolith is a single autonomous unit following the client-server model. In a monolithic server-side application an HTTP request is handled to retrieve or update data in the underlying database. With a monolithic architecture any change requires building and deploying a fresh version of the whole application. The advantage of microservices is that a specific component can be changed and deployed without disturbing the rest of the software.
SOA and MSA
A few years ago, Service-Oriented Architecture (SOA) was commonly used. Microservice architecture (MSA), though similar, is better in several respects. SOA depends on enterprise service buses (ESBs), puts the emphasis on programming against them, and uses a huge shared relational database. Microservices, on the other hand, use lightweight messaging mechanisms, more flexible programming styles, and NoSQL or small, service-specific SQL databases.
Benefits of Microservices:
Software built using microservices is divided into multiple component services that are deployed independently; none of them needs to be integrated into a single build. A software engineer can very conveniently tweak and redeploy one of them. Microservices are organised around business capabilities and priorities and use cross-functional teams. Each team owns a product that communicates with the others through a message bus; the cross-functional team writes and builds the code for the product it owns, and there is no outside client. Microservices work like UNIX processes: they receive requests, process them, and generate a response accordingly. Microservices have smart endpoints that process information and apply logic.
Special Features:
Microservices work across technologies and platforms and favour decentralised governance. Developers produce useful tools that others can use to solve the same problems. Netflix’s services account for about 30% of web traffic, and the company encourages developers to use good code libraries. In the same way as decentralised governance, microservice architecture favours decentralised data management.
Microservices are also designed to deal with failure. Many unique and diverse services communicate with each other, and any of them could fail. Unfortunately, handling this is one of the more complex aspects of microservices.
Companies using Microservices
Microservices have driven digital change towards more dynamic software. Users realise the importance of scalability, adaptability, modularity, quick accessibility and cloud-based applications. These reasons have caused many companies to shift to microservices, among them eBay, Amazon, realestate.com.au, Twitter and PayPal.
Microservices are likely to remain the preferred development style in the future of IT.
http://www.anarsolutions.com/microservice-architecture/?utm_source=Blogger.com

Tuesday, April 24, 2018

Mobile App Testing for Functionality and Usability

Mobile App Testing for Functionality and Usability includes various types of test.
A typical user’s experience involves using the application and moving through its many features. While doing so, the user cares not only about the set of features but also about the application’s interface and the way it responds and performs. Even a feature-packed application will be deemed unsuccessful and disappoint its users if it crashes often: the ultimate goal of the application is not achieved and it becomes harder to use for its intended purpose. This is where testing comes in. Users test your application for you and provide the feedback that can be incorporated into the final version. For example, if the application crashes every time the user taps a component three times, if it is slower on certain devices, or if it has compatibility issues related to available RAM, all of these can only be found and fixed through testing. There are four categories of test to perform to assess a mobile application’s functionality and usability.
• Functional tests: confirm that the application works across its range of internal functions
• Compatibility tests: confirm application functionality across operating systems and mobile devices
• Performance tests: loading and response times, smooth transitions between options, and login difficulties are checked in these tests
• Usability tests: how often the application crashes is measured and fixes are made to enhance usability
Parameters such as the quality of the application, user-friendliness, reliability and compatibility fall under functionality and usability.
Functional Testing:
Functional testing tests the functionality, the core behaviour, of an application. These tests ensure that the application works as it should according to its requirements. Two key aspects of any application are its user interface and its calls to action. For mobile app testing, the user interface requires particular care as it is more complicated: multiple operating systems, several device versions, each with their own software versions installed, all of which calls for a testing system that is automated. The application also has to interact with other mobile applications and function within that flow. For these reasons, mobile application functional testing is detailed and requires several tools, all of which are in high demand. Mobile app testing often combines automated tools with manually designed tests.
Usability testing:
For the user, an application serves as a utility. The ease of that utility is the measure considered in usability testing of mobile applications: the application’s user-friendliness, flexibility and ease of access are determined. Most mobile applications score well on usability tests.
http://www.anarsolutions.com/mobile-app-testing/?utm_source=Blogger.com

Monday, April 23, 2018

SharePoint and Lego!

SharePoint is often compared with Lego. The SharePoint site is the Lego baseplate and the functionalities are the Lego blocks within SharePoint. The basic similarity is that SharePoint is like a huge box of Lego from the local toy store. Lego blocks come in all colours, shapes and sizes, and we can build many different structures from them: trains, ships, houses and so on, limited only by our imagination. When you get one of those huge sets there is no picture of what it is going to build, as that is entirely up to you. If you are careful, creative, and plan well, you can build a castle, an airplane, or even a city.
Likewise, SharePoint is a platform of blocks. An SP site has all the features and is designed to the needs and wishes of the organisation. It is a single space for content management for different companies; Microsoft SP is a single ‘sharing point’ for sharing data among users.
Like Lego, SharePoint’s most valuable characteristic is its ability to make the IT architecture in businesses more interoperable. Each block has standard studs and connectors that allow it to connect to other blocks. In SP, standards-based interfaces are the studs that make compatibility possible and connect pieces of software to each other.
Companies can design and create sites and give people permissions depending on business requirements. It is a product with which we can build specialised things like a Content Management System (CMS), a Document Management System (DMS), intranet and extranet portals and much more, based on our requirements.
If it later turns out that functionality is missing, another ‘block’ can be added. In addition to all the capabilities of SharePoint itself, the platform can also be linked with other applications, so the possibilities extend even further.
When announcing the general availability of SP 2016 and the focus of SharePoint’s roadmap over the next 12 to 18 months, Jeff Teper identified four areas from which we will be able to draw our Lego bricks:
  • Simple and powerful file sharing and collaboration on any device.
  • The mobile and intelligent intranet, with modern team sites, publishing and business applications on your desktop and in your pocket.
  • An open and connected platform that evolves SharePoint extensibility to embrace modern Web development.
  • Investments in security, privacy and compliance across Office 365.
http://www.anarsolutions.com/sharepoint-and-lego-2/utm_source=Blogger.com

Friday, April 20, 2018

Writing Modular CSS

Modular CSS is a concept that will help you write more maintainable and readable code. It is compatible with any and all CSS pre-processors and naming conventions.
Modular CSS means you avoid ever writing special-snowflake CSS that is only used in one spot. It helps you standardise your code and look for patterns. It helps you DRY up your code, ensures that each class has a clearly defined responsibility, and helps you avoid overlap and conflicts between classes.
Essentially, if you are ever going to write CSS at scale, you owe it to yourself to understand what modular CSS is and how it can dramatically improve the readability and maintainability of your code.
Code reusability is one of the many benefits of writing modular CSS. By combining blocks, the same modular code can be reused, and the possible combinations give the code the flexibility and scalability required. Code blocks, used separately as well as in combination, can be iterated on independently, which helps the performance of your web pages.
Four different ways to write Modular CSS
The four methods of writing modular CSS, popularised by programmers, let you explore your own perspective and approach to reaching your goals.
• Scalable and Modular Architecture for CSS (SMACSS),
• Object Oriented CSS (OOCSS),
• Don’t Repeat Yourself CSS (DRY CSS),
• Block, Element, Modifier (BEM)
Scalable and Modular Architecture for CSS (SMACSS)
When using modular CSS, adopting a modular architecture that is scalable is important. SMACSS provides the necessary consistency to the design process and its scalability. It aims to separate the logic of a block of CSS from the content in the HTML. By recording previously observed patterns, SMACSS defines better practices for writing CSS. The five categories it uses are:
• Base
• Layout
• Module
• State
• Theme.
While it is easier to comply with the Base rules, as they stick to the browser’s existing defaults, they apply only to element selectors, never to classes. Layout rules, on the other hand, apply to the major components of a website, such as the header, footer, main content or sidebar, and classes are used here. Modules reside within those major layout components.
Object Oriented CSS (OOCSS)
Not object orientation in the typical sense, but it shares the core concept of object-oriented programming languages. The objects are visual design patterns that can be integrated as blocks into HTML, CSS and even JavaScript. This makes it easier to reuse the blocks and keep your code efficient across platforms.
Don’t Repeat Yourself CSS (DRY CSS)
This method explores a different perspective on writing modular CSS. It involves reorganising the selectors already in use: you ensure that your code has no repeated declarations and is clearer than before. Style is kept separate, and utility, stability and reusability are the primary requirements.
Block, Element, Modifier (BEM)
Similar to an object-oriented programming style, there are patterns, and program entities are arranged accordingly to benefit the code’s reusability. Regardless of the pre-processor used to write the CSS, this method of writing modular CSS involves naming things as blocks, elements and modifiers. The efficiency of the stylesheet is enhanced with such an approach.
http://www.anarsolutions.com/writing-modular-css/UTM_source=Blogger.com

Thursday, April 19, 2018

Estimation Tips for Building Self Managing Teams

The offshore team committed to a deliverable for Friday morning; it is now Monday and the team is still struggling to deliver. They have been working late nights and weekends, and the deliverable is still not ready.
Does this sound familiar?
Here are some tips for building self-managing teams and improving their time commitments. We conduct the following activity for every technical task assigned to the team.
  • List Sub-task

    The team member comes up with a detailed list of sub-tasks for each task.
  • Estimate

    With this list of small sub-tasks available, the team member associates a time estimate with each sub-task. Each sub-task should be small enough to be completed in 1 to 2 hours. If a sub-task is going to take 4+ hours to complete, one more level of breakdown is required.
  • Review

    Review is an integral part of the estimation process. It can be a peer review or a review by the lead of the project team. When a team member explains the tasks, sub-tasks and estimates to another person, most of the time she herself can identify the gaps in her plan.
  • Share it with Product Owner or Client

    Share these sub-tasks and estimates with the client. The Product Owner’s or client’s review can help surface any misunderstanding by the team before the actual implementation starts.
This activity is in line with agile practices and is in addition to the other project planning practices in the life cycle. When you want to build agile, self-managing teams, such activities come in handy.
When clients work with offshore teams, it is like building an extended team that sits miles away from them. Many offshore and onsite teams use various practices for meeting delivery timelines.
I hope this helps you and would love to hear, how you have addressed it.
http://www.anarsolutions.com/estimation-tips-building-self-managing-teams-2/utm-source=Blogger.com

Wednesday, April 18, 2018

Code Review vs Code Walkthrough

A code walkthrough is an informal process that can be held at any time and is led by the author of the code. A code review is a formal process in which the code is reviewed line by line in a formal meeting of developers and QA engineers.
Code review: a meeting at which software code is presented to project personnel, managers, users, customers or other interested parties for comment or approval. It is a systematic examination (sometimes referred to as peer review) of computer source code, intended to find mistakes overlooked in the initial development phase and to improve the overall quality of the software. Reviews are done in various forms, such as pair programming, informal walkthroughs and formal inspections.
Reviewers read the code line by line to check for:
  • Flaws or potential flaws
  • Consistency with the overall program design
  • The quality of comments
  • Adherence to coding standards
Code review can be especially productive for identifying security vulnerabilities. Specialised tools (static analysers) are available to help with this process: automated code review facilitates systematic checking of source code for potential trouble such as buffer overflows, race conditions, memory leaks, size violations and duplicate statements. Code review is also commonly done to check the quality of patches.
Inspection
An inspection is, most generally, an organized examination or formal evaluation exercise. It involves the measurements, tests, and gauges applied to certain characteristics in regard to an object or activity. The results are usually compared to specified requirements and standards for determining whether the item or activity is in line with these targets. Inspections are usually non-destructive.
Code walkthrough: a walkthrough is a form of software peer review “in which a designer or programmer leads members of the development team and other interested parties through a software product, and the participants ask questions and make comments about possible errors, violation of development standards, and other problems”.
More generally, a walkthrough is the consideration of a process at an abstract level.
The term is often employed in the software industry (see software walkthrough) to describe the process of inspecting algorithms and source code by following paths through the algorithm or code as determined by input conditions and the choices made along the way. The purpose of such code walkthroughs is generally to provide assurance of the fitness for purpose of the algorithm or code, and occasionally to assess the competence or output of an individual or team.
The term is employed in the theatrical and entertainment industry to describe a rehearsal where the major issues of choreography and interaction are practised and resolved prior to the more formal “dress rehearsals”.
The term is often used in the world of learning, where a tutor or trainer will walk through the process for the first time. It is regarded as a literal walk through the material at the group’s pace, ensuring that everyone takes in the new knowledge and skills.
Something akin to walkthroughs is used in very many forms of human endeavour, since the process is a thought experiment that seeks to determine the likely outcome(s) of an affair based on starting conditions and the effects of the decisions taken.

Tuesday, April 17, 2018

Pentesting security testing using OWASP ZAP

The demand for security tests within companies is increasing. These tests can be executed in different ways, each with its own pros and cons. In this article, we will look into pentesting security tests using OWASP ZAP.
Security testing is roughly classified according to the type of vulnerability being tested for, or the type of testing to be done. Commonly it is divided into:
  • Vulnerability Assessment
  • Penetration Testing
  • Runtime Testing
  • Code Review
Note that risk assessment is not listed as security testing because it is not actually a test but an analysis of the perceived severity of different risks (to software or hardware security).
The Pentesting Process:
Software penetration testing (pentesting) is carried out as if the tester were a malicious external attacker whose goal is to break into the system and either steal data or carry out some sort of denial-of-service attack.
Manual and automated pentesting are often combined to test every aspect, from servers to networks, to devices, to endpoints.
Pentesting generally follows these stages:
  • Explore: the tester learns about the system being tested. This includes determining the endpoints of the system and which patches are installed. It often also includes exploring the site for hidden content and possible known vulnerabilities.
  • Attack: the tester attempts to actually exploit the known vulnerabilities to prove that they really exist in the system.
  • Report: the tester reports the results of the testing, including the vulnerabilities found and how they were exploited, how difficult each was to exploit, and the severity of a successful exploit.
Introduction to ZAP
Zed Attack Proxy (ZAP) is a free, open source pentesting tool developed under the Open Web Application Security Project (OWASP).
ZAP is designed mainly for testing web applications, and it is both flexible and extensible.
ZAP sits as an ‘intercepting proxy’ between the tester’s browser and the web application: it can inspect and modify the requests and responses passing through it, and then forwards them on to their destination.
Effectively, ZAP acts as a deliberate ‘man in the middle’, but it can also be used as a stand-alone application without a browser.
Browser->ZAP->Web Application
Browser->ZAP->Network Proxy->Web Application.
ZAP UI:
The ZAP UI consists of:
  • Menu Bar: provides access to many of the tools.
  • Toolbar: buttons for the most commonly used features.
  • Tree Window: displays the Sites tree and the Scripts tree.
  • Workspace Window: displays requests, responses and scripts, and allows you to edit them.
  • Information Window: displays details of the automated and manual tools.
  • Footer: displays a summary of the alerts found and the status of the main automated tools.
Configure your browser to proxy through ZAP:
By default ZAP listens on localhost, port 8080; point your browser’s HTTP and HTTPS proxy settings there. If you want to use another address or port, set it under the Local Proxy settings in ZAP’s options.
Import and Trust the ZAP Root CA Certificate:
  1. Start ZAP and click Tools -> Options.
  2. On the left pane of the Options window, click Dynamic SSL Certificates.
  3. On the right pane, click Save.
  4. Select a location to save the certificate to and click Save. Be sure to retain the .cer file extension.
To install the certificate:
  1. Navigate to the certificate file.
  2. Right-click on the certificate file and then click Install Certificate.
  3. In the Certificate Import Wizard, select either Current User or Local Machine as the scope of the certificate, then click Next.
  4. Select Place all certificates in the following store.
  5. Click Browse and select Trusted Root Certificate Authorities or Trusted Root Certificates (depending on your version of Windows) as the certificate store, then click Next
  6. Click Finish
  7. Review the security warning about trusted root certificates and click Yes if you accept it.
Keep in mind what that warning means: once ZAP’s root CA is in the trusted store, any certificate signed with ZAP’s private key is accepted by every application that uses that store, for the user or for the whole machine depending on the scope you chose. Prefer the Current User scope or a dedicated testing browser profile, and remove the certificate when the engagement is over.
Start Pentesting on ZAP:
  1. Start ZAP and click the Quick Start tab of the Workspace Window.
  2. In the URL to attack text box, enter the full URL of the web application you want to attack.
  3. Click the Attack button.
Viewing Alerts from the application:
In the Alerts tab you can see the alerts for the application along with their respective risks.
Run an Active Scan with ZAP:
An active scan launches real attacks against the web application using the content ZAP has discovered. Whereas passive scanning only inspects the traffic that passes through the proxy, active scanning attempts to find further vulnerabilities by using known attacks against the selected targets. Active scanning is a real attack on those targets and can put them at risk, so do not use it against targets you do not have permission or the right to test.
To start an active scan:
  1. In the Tree View, in the Sites tab, select the sites you want to perform an active scan on.
  2. Right-click the selected sites and select Active Scan
OR
  1. In the Information Window, select the Active Scan tab.
  2. Click New Scan.
To review and modify your settings, then begin an active scan:
  1. In the Menu Bar, click Tools -> Active Scan.
  2. Review the settings and make any changes you wish to.
  3. Click Start Scan to start the Active Scan with these settings.
Footnote: ZAP attacks live web content and data, so you must only use it to find vulnerabilities in applications you own or have the right to test; otherwise it is a legal offence.
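The Quick Start attack, the active scan and the Alerts tab above can be driven from a script instead of the UI. The following is an added example (not code from the original post or from the ZAP project) that spiders the target, runs an active scan and summarises the alerts by risk, using the official ZAP Python client (the zapv2 module from the python-owasp-zap-v2.4 package) when run as a script. The target URL, the API key and the allowed host set are placeholders you must replace. Because an active scan is a real attack, the scan refuses any host that is not on an explicit allow-list, which is the permission caveat from the footnote made mechanical.

```python
"""Explore, attack, report with ZAP from a script (added example)."""
import time
from urllib.parse import urlparse

# risk levels in the order the ZAP footer shows them
RISK_ORDER = ("High", "Medium", "Low", "Informational")


def check_in_scope(target: str, allowed_hosts: set) -> str:
    """Refuse to scan anything not explicitly permitted. Returns the host name."""
    host = urlparse(target).hostname
    if host is None or host not in allowed_hosts:
        raise PermissionError(
            f"{target!r} is not on the allow-list: do not scan targets you lack permission for"
        )
    return host


def wait_for(status_fn, scan_id, poll: float = 2.0, timeout: float = 1800.0) -> None:
    """Poll a ZAP status endpoint (a percentage returned as a string) until it reaches 100."""
    deadline = time.monotonic() + timeout
    while int(status_fn(scan_id)) < 100:
        if time.monotonic() > deadline:
            raise TimeoutError("ZAP scan did not finish in time")
        time.sleep(poll)


def run_scan(zap, target: str, allowed_hosts: set, poll: float = 2.0) -> list:
    """Explore (spider) then attack (active scan); returns ZAP's raw alert list for the target."""
    check_in_scope(target, allowed_hosts)
    zap.urlopen(target)  # seed the Sites tree, as opening the URL in the proxied browser would
    wait_for(zap.spider.status, zap.spider.scan(target), poll=poll)
    wait_for(zap.ascan.status, zap.ascan.scan(target), poll=poll)
    return zap.core.alerts(baseurl=target)


def summarise(alerts: list) -> dict:
    """Count alerts per risk level, the same summary the Alerts tab gives."""
    counts = {risk: 0 for risk in RISK_ORDER}
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
    return counts


if __name__ == "__main__":
    from zapv2 import ZAPv2  # needs a running ZAP listening on localhost:8080

    TARGET = "http://localhost:8081/"  # placeholder: an application you own
    zap = ZAPv2(
        apikey="CHANGE-ME",  # placeholder: the API key from ZAP's options
        proxies={"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"},
    )
    for risk, count in summarise(run_scan(zap, TARGET, {"localhost"})).items():
        print(f"{risk:<14}{count}")
```

The client object is passed in rather than created inside run_scan, so the workflow can be exercised against a fake client in tests and the allow-list check is enforced before any traffic is sent to the target.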
http://www.anarsolutions.com/pentesting-security-testing-using-owasp-zap/utm_source=Blogger.com