[Owasp-leaders] Introducing community code to automate ZAP as part of a continuous delivery pipeline

Kim Carter kim.carter at owasp.org
Sat Oct 8 23:43:11 UTC 2016


Nice!

Looking at the steps in the README.md, step 4 could be done
programmatically with the API, here is an example:
https://github.com/binarymist/NodeGoat/blob/master/test/security/profile-test.js#L20-L25

Complete solution details here along with the teaser video:
https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API

Being demoed next at NodeConfEU:
http://www.nearform.com/nodecrunch/nodeconf-eu-announcing-kim-carter/

Future demo: https://www.meetup.com/AucklandNodeJs/events/231037137/

Past demoed:

  * NYC: https://www.meetup.com/owaspnycmetro/events/228716474/
  * NZ:
    https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/229985413/
  * NZ: https://www.meetup.com/CHCH-JS/events/228078957/


Kim Carter

OWASP New Zealand Chapter Leader (Christchurch)

Author of *Holistic Info-Sec for Web Developers*
<https://leanpub.com/b/holisticinfosecforwebdevelopers>

c: +64 274 622 607

On 08/10/16 23:31, Sherif Mansour wrote:
> Hey Everyone,
>
> Over the summer I asked our intern to contribute to the OWASP ZAP Project.
> We agreed to focus on automation so that developers can run zap as
> part of their build tests.
>
> The code and instructions can be found here:
>  https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
>
> FYI I strongly encourage my peers to leverage interns to contribute to
> OWASP projects of their interest. 
> This will help you assess your intern, but also give them something
> fun, open source, and knowing it will help the wider community will
> motivate them as well.
>
> I have added snapshots below to explain the approach we took, hope it
> helps.
> *1) Here is a workflow diagram of what we were trying to achieve*
> Inline image 1
>
> *2) Once Setup you can run ZAP headless in a CI/CD Pipeline with a
> command like this:*
>
> Inline image 2
> *3) You could also set restrictions on which vulnerabilities to
> fail/ignore/pass a build*
> Inline image 5
> *4) And you can add additional settings like pushing results into
> Jira (bugtracker), the max duration a scan/spider should take, and
> login credentials of the scanned webapps.*
> Inline image 6
> *5) Here is what a report looks like in Jira (note if the webapp
> passes the test, the jira ticket will be created and automatically be
> closed as well).*
>
> Inline image 3
>
> Kind regards
> Sherif Mansour
>
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
