[Owasp-leaders] Introducing community code to automate ZAP as part of a continuous delivery pipeline

psiinon psiinon at gmail.com
Mon Oct 10 08:04:16 UTC 2016


Many thanks to Sherif, Dalimil and everyone else who was involved in this
at Expedia!

This has been a really effective engagement, and I'd love to see more
companies contributing to OWASP projects like this.

Any suggestions as to how we could make this happen? Are there any barriers
to getting more involved with OWASP projects at the company you work for?

Many thanks,

Simon

On Sat, Oct 8, 2016 at 11:31 AM, Sherif Mansour <sherif.mansour at owasp.org>
wrote:

> Hey Everyone,
>
> Over the summer I asked our intern to contribute to the OWASP ZAP Project.
> We agreed to focus on automation so that developers can run zap as part of
> their build tests.
>
> The code and instructions can be found here:
> https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
>
> FYI I strongly encourage my peers to leverage interns to contribute to
> OWASP projects of their interest.
> This will help you assess your intern, but also give them something fun,
> open source, and knowing it will help the wider community will motivate
> them as well.
>
> I have added snapshots below to explain the approach we took, hope it
> helps.
>
> *1) Here is a workflow diagram of what we were trying to achieve*
> [image: Inline image 1]
>
> *2) Once Setup you can run ZAP headless in a CI/CD Pipeline with a command
> like this:*
>
> [image: Inline image 2]
> *3) You could also set restrictions on which vulnerabilities to
> fail/ignore/pass a build*
> [image: Inline image 5]
> *4) And you can add additional settings like the pushing results into Jira
> (bugtracker), the max duration a scan/spider should take, and login
> credentials of the scanned webapps.*
> [image: Inline image 6]
> *5) Here is what a report looks like in Jira (note if the webapp passes
> the test, the jira ticket will be created and automatically be closed as
> well).*
>
> [image: Inline image 3]
>
> Kind regards
> Sherif Mansour
>
> _______________________________________________
> OWASP-Leaders mailing list
> OWASP-Leaders at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>
>


-- 
OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
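The fail/ignore/pass build restriction described in Sherif's step 3, as an added example (not the community-scripts code linked above): a small Python gate that buckets ZAP alerts by a risk threshold and an accepted-findings list, then returns a non-zero exit status to break the build. It assumes alerts shaped like the output of ZAP's core/view/alerts API (fields pluginId, alert, risk, url); the sample alerts are constructed.

```python
# Added example: fail/ignore/pass build gate over ZAP alerts (not the community-scripts code).
# Assumes alerts shaped like ZAP's core/view/alerts API output (pluginId, alert, risk, url).
import sys
from dataclasses import dataclass, field

RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}

@dataclass
class GatePolicy:
    fail_at: str = "High"                # lowest risk level that fails the build
    ignore_plugin_ids: set = field(default_factory=set)  # triaged/accepted rules
    ignore_url_parts: tuple = ()         # out-of-scope URL fragments

def evaluate(alerts, policy):
    """Bucket alerts into failing / ignored / passing and return the verdict."""
    failing, ignored, passing = [], [], []
    for a in alerts:
        out_of_scope = any(p in a.get("url", "") for p in policy.ignore_url_parts)
        if str(a["pluginId"]) in policy.ignore_plugin_ids or out_of_scope:
            ignored.append(a)            # explicitly accepted: never fails the build
        elif RISK_ORDER[a["risk"]] >= RISK_ORDER[policy.fail_at]:
            failing.append(a)
        else:
            passing.append(a)            # reported, but below the failure threshold
    return ("FAIL" if failing else "PASS"), failing, ignored, passing

# Constructed sample alerts, not real scan output.
SAMPLE_ALERTS = [
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "https://app.example.test/search?q=x"},
    {"pluginId": "10038", "alert": "CSP Header Not Set", "risk": "Medium",
     "url": "https://app.example.test/"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "https://app.example.test/static/app.js"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "url": "https://cdn.example.test/legacy"},
]

def main():
    policy = GatePolicy(fail_at="Medium", ignore_plugin_ids={"10038"},
                        ignore_url_parts=("cdn.example.test",))
    verdict, failing, ignored, _ = evaluate(SAMPLE_ALERTS, policy)
    for a in failing:
        print(f"FAIL {a['risk']:<6} {a['pluginId']} {a['alert']} {a['url']}")
    print(f"{verdict}: {len(failing)} failing, {len(ignored)} ignored")
    return 1 if verdict == "FAIL" else 0  # non-zero exit status breaks the build

if __name__ == "__main__":
    sys.exit(main())
```

In a pipeline the ignore list is the place to record triaged findings with a reason, so the gate stays strict without blocking on accepted risk.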