
All You Need is Zap


Link to recording:
Link to code:
DevSecOps, among other things, is also about running various security tests as part of the continuous integration pipeline. Usually, people think that a good security testing tool is either expensive or complicated (and sometimes both), but it does not have to be that way. If you have existing UI automation tests for your web app (and you probably have), you can, with a very small change, integrate them with Zaproxy. Zaproxy is a free and open source tool, developed by the OWASP Foundation, that (among other things) can be used to scan your web app's traffic for various security issues. In these slides, I show how this is possible and the tools I've used.

Published in: Technology
  1. All You Need Is Zaproxy: Security Testing for WebApps Made Easy (12 July 2017). Twitter: @omerlh, GitHub: @omerlh
  2. The Problem
  3. Shift Left Paradigm: Build → Test → Deploy. Shift left for faster, better feedback: it allows failing fast and safely.
  4. Challenges with Security Testing
     ● Which tests should I run?
       ○ Static - Code analysis (SAST)
       ○ Dynamic - Live analysis (DAST)
       ○ Integrated - Combination (IAST)
     ● Let's focus on DAST
     ● I want a DAST solution that is:
       ○ Simple
       ○ Free
       ○ Valuable
  5. Live Demo - WebApp DAST
  6. Running the demo
     Get the code: git clone
     Run with one simple command: docker-compose up --build --abort-on-container-exit
     And watch the magic...
  7. Demo Building Blocks
  8. DAST for WebApp (diagram: Web App, ZAP Proxy, UI Automation)
  9. Docker
     ● The foundation of the solution
     ● Easily create
     ● Easily share
  10. Every block is a container... (diagram: Web App, ZAP Proxy, UI Automation) But we have multiple containers...
  11. Docker-Compose
      ● Manage multiple containers
      ● One command to rule them all
      ● Easily build complex deployments
  12. OWASP Juice Shop (Web App)
      ● Demo Zap value
      ● Intentionally insecure webapp
      ● Official docker image
  13. OWASP ZAP - Zed Attack Proxy (ZAP Proxy)
      ● Free & OSS security tool
      ● Two modes:
        ○ Active
        ○ Passive
      ● API/CLI
      ● Official docker image (stable; dev and weekly also exist)
  14. UI Automation
      ● Walk Zap through our WebApp
      ● Any automation framework could be used
      ● automation framework
      ● Simple JavaScript API
      ● Custom docker with our code
      (diagram: Test Code, ZAP Proxy, Web App)
  15. Want to give it a try? Fork/Clone, Modify, Run in CI, Relax
  16. What now?
      ● Future plans:
        ○ Alerts processing - Glue integration
        ○ Dedicated security tests
        ○ Integrate active mode
        ○ Mobile?
      ● Other ideas:
        ○ Zaproxy and Swagger/OpenApi
        ○ Use Zaproxy in black box tests
  17. Conclusion
      ● We wanted to build a DAST solution that is:
        ○ Simple
        ○ Free
        ○ Valuable
      ● I hope you now know how...
      (diagram: Web App, ZAP Proxy, UI Automation)
  18. One last word about OSS
  19. Questions? Twitter: @omerlh, GitHub: @omerlh