[Owasp-leaders] Introducing community code to automate ZAP as part of a continuous delivery pipeline

Sherif Mansour sherif.mansour at owasp.org
Sat Oct 8 23:54:43 UTC 2016


Thanks, I have uploaded a slide deck on it as well here:
http://www.slideshare.net/SherifMansour2/scripts-that-automate-owasp-zap-as-part-of-a-continuous-delivery-pipeline-66901802
What would be good is to do a sample Jenkins plan as well, but that is a story
for another day :-)

-Sherif


On Sun, Oct 9, 2016 at 12:43 AM, Kim Carter <kim.carter at owasp.org> wrote:

> Nice!
>
> Looking at the steps in the README.md, step 4 could be done
> programmatically with the API, here is an example:
> https://github.com/binarymist/NodeGoat/blob/master/test/security/profile-test.js#L20-L25
> Complete solution details here along with the teaser video:
> https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
>
> Being demoed next at NodeConfEU: http://www.nearform.com/nodecrunch/nodeconf-eu-announcing-kim-carter/
>
> Future demo: https://www.meetup.com/AucklandNodeJs/events/231037137/
>
> Past demoed:
>
>    - NYC: https://www.meetup.com/owaspnycmetro/events/228716474/
>    - NZ: https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/229985413/
>    - NZ: https://www.meetup.com/CHCH-JS/events/228078957/
>
>
>
> Kim Carter
>
> OWASP New Zealand Chapter Leader (Christchurch)
>
> Author of *Holistic Info-Sec for Web Developers*
> <https://leanpub.com/b/holisticinfosecforwebdevelopers>
>
> c: +64 274 622 607
>
> On 08/10/16 23:31, Sherif Mansour wrote:
>
> Hey Everyone,
>
> Over the summer I asked our intern to contribute to the OWASP ZAP Project.
> We agreed to focus on automation so that developers can run ZAP as part of
> their build tests.
>
> The code and instructions can be found here:
> https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
>
> FYI I strongly encourage my peers to leverage interns to contribute to
> OWASP projects of their interest.
> This will help you assess your intern, but also give them something fun,
> open source, and knowing it will help the wider community will motivate
> them as well.
>
> I have added snapshots below to explain the approach we took, hope it
> helps.
>
> *1) Here is a workflow diagram of what we were trying to achieve*
> [image: Inline image 1]
>
> *2) Once set up, you can run ZAP headless in a CI/CD pipeline with a command
> like this:*
>
> [image: Inline image 2]
> *3) You could also set restrictions on which vulnerabilities to
> fail/ignore/pass a build*
> [image: Inline image 5]
> *4) And you can add additional settings like pushing results into Jira
> (bug tracker), the max duration a scan/spider should take, and login
> credentials of the scanned web apps.*
> [image: Inline image 6]
> *5) Here is what a report looks like in Jira (note if the web app passes
> the test, the Jira ticket will be created and automatically be closed as
> well).*
>
> [image: Inline image 3]
>
> Kind regards
> Sherif Mansour
>
>
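Step 3 of Sherif's approach, the fail/ignore/pass decision per vulnerability, as an added example that is not the community-scripts code: it takes alerts in the shape returned by ZAP's core/view/alerts API (field names assumed from that API; the alert data and plugin IDs below are a constructed sample) and a policy that names which rules fail or are ignored, and groups what remains per rule so each rule would map to one Jira ticket.

```python
import json
from collections import defaultdict

# ZAP reports risk as one of these strings; ordered so they can be compared.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

# Constructed sample shaped like the "alerts" array of /JSON/core/view/alerts/
# (field names and plugin IDs assumed from the ZAP API, not taken from a real scan).
SAMPLE_ALERTS_JSON = json.dumps({"alerts": [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium", "url": "http://app.test/search?q=x"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "url": "http://app.test/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium", "url": "http://app.test/login"},
    {"pluginId": "10096", "alert": "Timestamp Disclosure",
     "risk": "Informational", "confidence": "Low", "url": "http://app.test/"},
]})

# Policy (hypothetical format): an explicit per-rule verdict wins; any other
# alert fails the build if its risk is at or above fail_at_risk, else it is
# only reported ("pass").
SAMPLE_POLICY = {
    "rules": {"10021": "fail", "10096": "ignore"},
    "fail_at_risk": "Medium",
}

def evaluate_alerts(alerts_json, policy):
    """Return (status, grouped): status is 'FAIL' or 'PASS'; grouped maps
    verdict -> {pluginId: [affected urls]}, i.e. one Jira entry per rule."""
    threshold = RISK_ORDER[policy["fail_at_risk"]]
    grouped = {"fail": defaultdict(list), "pass": defaultdict(list),
               "ignore": defaultdict(list)}
    for alert in json.loads(alerts_json)["alerts"]:
        verdict = policy["rules"].get(alert["pluginId"])
        if verdict is None:
            verdict = "fail" if RISK_ORDER[alert["risk"]] >= threshold else "pass"
        grouped[verdict][alert["pluginId"]].append(alert["url"])
    status = "FAIL" if grouped["fail"] else "PASS"
    return status, {k: dict(v) for k, v in grouped.items()}

if __name__ == "__main__":
    status, grouped = evaluate_alerts(SAMPLE_ALERTS_JSON, SAMPLE_POLICY)
    print("build status:", status)
    for plugin_id, urls in grouped["fail"].items():
        print("one Jira ticket for rule", plugin_id, "covering", len(urls), "URL(s)")
```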