[Owasp-leaders] Introducing community code to automate ZAP as part of a continuous delivery pipeline

Sherif Mansour sherif.mansour at owasp.org
Sun Oct 9 09:11:00 UTC 2016


Hey Everyone,

I woke up this morning to find that since I posted the work online
yesterday, the slide deck
<http://www.slideshare.net/SherifMansour2/scripts-that-automate-owasp-zap-as-part-of-a-continuous-delivery-pipeline-66901802>
has had 400+ views, and this topic has the top spot in the netsec subreddit
<https://www.reddit.com/r/netsec/> and is number 6 in that subreddit overall
<https://www.reddit.com/r/netsec/top/>

All this means, I hope, is that there is an increased interest in OWASP, the OWASP
ZAP project, and security tests in a continuous delivery pipeline :-)

Kind regards
Sherif Mansour

On Sun, Oct 9, 2016 at 12:54 AM, Sherif Mansour <sherif.mansour at owasp.org>
wrote:

> Thanks, I have uploaded a slide deck on it as well here:
> http://www.slideshare.net/SherifMansour2/scripts-that-automate-owasp-zap-as-part-of-a-continuous-delivery-pipeline-66901802
> What would be good is to do a sample Jenkins plan as well, but that is a story
> for another day :-)
>
> -Sherif
>
>
> On Sun, Oct 9, 2016 at 12:43 AM, Kim Carter <kim.carter at owasp.org> wrote:
>
>> Nice!
>>
>> Looking at the steps in the README.md, step 4 could be done
>> programmatically with the API, here is an example:
>> https://github.com/binarymist/NodeGoat/blob/master/test/security/profile-test.js#L20-L25
>> Complete solution details here along with the teaser video:
>> https://github.com/binarymist/NodeGoat/wiki/Security-Regression-Testing-with-Zap-API
>>
>> Being demoed next at NodeConfEU: http://www.nearform.com/nodecrunch/nodeconf-eu-announcing-kim-carter/
>>
>> Future demo: https://www.meetup.com/AucklandNodeJs/events/231037137/
>>
>> Past demoed:
>>
>>    - NYC: https://www.meetup.com/owaspnycmetro/events/228716474/
>>    - NZ: https://www.meetup.com/OWASP-New-Zealand-Chapter-Christchurch/events/229985413/
>>    - NZ: https://www.meetup.com/CHCH-JS/events/228078957/
>>
>>
>>
>> Kim Carter
>>
>> OWASP New Zealand Chapter Leader (Christchurch)
>>
>> Author of *Holistic Info-Sec for Web Developers*
>> <https://leanpub.com/b/holisticinfosecforwebdevelopers>
>>
>> c: +64 274 622 607
>>
>>
>> On 08/10/16 23:31, Sherif Mansour wrote:
>>
>> Hey Everyone,
>>
>> Over the summer I asked our intern to contribute to the OWASP ZAP Project.
>> We agreed to focus on automation so that developers can run ZAP as part
>> of their build tests.
>>
>> The code and instructions can be found here:
>> https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
>>
>> FYI I strongly encourage my peers to leverage interns to contribute to
>> OWASP projects of their interest.
>> This will help you assess your intern, but also give them something fun,
>> open source, and knowing it will help the wider community will motivate
>> them as well.
>>
>> I have added snapshots below to explain the approach we took, hope it
>> helps.
>>
>> *1) Here is a workflow diagram of what we were trying to achieve*
>> [image: Inline image 1]
>>
>> *2) Once set up, you can run ZAP headless in a CI/CD pipeline with a
>> command like this:*
>>
>> [image: Inline image 2]
>> *3) You could also set restrictions on which vulnerabilities to
>> fail/ignore/pass a build*
>> [image: Inline image 5]
>> *4) And you can add additional settings like pushing results into
>> Jira (bugtracker), the max duration a scan/spider should take, and login
>> credentials of the scanned webapps.*
>> [image: Inline image 6]
>> *5) Here is what a report looks like in Jira (note if the webapp passes
>> the test, the Jira ticket will be created and automatically be closed as
>> well).*
>>
>> [image: Inline image 3]
>>
>> Kind regards
>> Sherif Mansour
>>
>>
>
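A build-gate policy like the one described in step 3 of the quoted message (fail/ignore/pass a build per vulnerability), as an added example that is not part of the thread or the community-scripts project. The alert dict shape (pluginId, risk, confidence, alert, url keys, as returned by ZAP's core/view/alerts API), the policy parameters and the sample alerts are all assumptions constructed for the example.

```python
"""Build gate for ZAP alerts (step 3 of the thread): decide from a list of
alerts whether a CI run passes or fails and which findings are ignored.
Alert dicts mimic the shape of ZAP's core/view/alerts API (pluginId, risk,
confidence, alert, url); a real run would fetch them via the ZAP API client.
"""
from collections import Counter

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}
CONF_ORDER = {"Low": 1, "Medium": 2, "High": 3, "Confirmed": 4}

def evaluate_alerts(alerts, fail_at="High", ignore_ids=(), always_fail_ids=(),
                    min_confidence="Low"):
    """Return (verdict, failing, ignored); verdict is 'PASS' or 'FAIL'.

    fail_at is the lowest risk that fails the build; ignore_ids are accepted
    findings, always_fail_ids fail regardless of risk, and alerts below
    min_confidence are ignored so low-confidence noise cannot break a build.
    Alerts are de-duplicated per (pluginId, url) before the policy is applied.
    """
    seen, failing, ignored = set(), [], []
    for a in alerts:
        pid, key = str(a["pluginId"]), (str(a["pluginId"]), a.get("url"))
        if key in seen:
            continue
        seen.add(key)
        if pid in ignore_ids or CONF_ORDER.get(a.get("confidence"), 0) < CONF_ORDER[min_confidence]:
            ignored.append(a)
        elif pid in always_fail_ids or RISK_ORDER.get(a["risk"], 0) >= RISK_ORDER[fail_at]:
            failing.append(a)
    return ("FAIL" if failing else "PASS"), failing, ignored

def summarize(alerts):
    """Count alerts per risk level, e.g. for the build log or a Jira ticket."""
    return dict(Counter(a["risk"] for a in alerts))

# Constructed sample alerts (not real scan output); the plugin ids follow
# ZAP's numbering, but the findings themselves are invented for the example.
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium", "url": "http://app.example/search?q=x"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High", "confidence": "Medium", "url": "http://app.example/search?q=x"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing", "risk": "Low", "confidence": "Medium", "url": "http://app.example/"},
    {"pluginId": "90022", "alert": "Application Error Disclosure", "risk": "Medium", "confidence": "Low", "url": "http://app.example/err"},
]

if __name__ == "__main__":
    verdict, failing, ignored = evaluate_alerts(SAMPLE_ALERTS, ignore_ids={"10021"})
    print(verdict, summarize(failing), f"{len(ignored)} ignored")
    raise SystemExit(1 if verdict == "FAIL" else 0)  # non-zero exit fails the CI job
```

The exit status is what a Jenkins or other CI step keys on; the summary dict is what would go into the Jira ticket body from step 4.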