[Owasp-leaders] Introducing community code to automate ZAP as part of a continuous delivery pipeline

Sherif Mansour sherif.mansour at owasp.org
Mon Oct 10 09:06:09 UTC 2016


+ Dalimil
:-)
On Monday, 10 October 2016, psiinon <psiinon at gmail.com> wrote:

> Many thanks to Sherif, Dalimil and everyone else who was involved in this
> at Expedia!
>
> This has been a really effective engagement, and I'd love to see more
> companies contributing to OWASP projects like this.
>
> Any suggestions as to how we could make this happen? Are there any
> barriers to getting more involved with OWASP projects at the company you
> work for?
>
> Many thanks,
>
> Simon
>
> On Sat, Oct 8, 2016 at 11:31 AM, Sherif Mansour <sherif.mansour at owasp.org> wrote:
>
>> Hey Everyone,
>>
>> Over the summer I asked our intern to contribute to the OWASP ZAP Project.
>> We agreed to focus on automation so that developers can run ZAP as part
>> of their build tests.
>>
>> The code and instructions can be found here:
>> https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration
>>
>> FYI I strongly encourage my peers to leverage interns to contribute to
>> OWASP projects of their interest.
>> This will help you assess your intern, but also give them something fun,
>> open source, and knowing it will help the wider community will motivate
>> them as well.
>>
>> I have added snapshots below to explain the approach we took, hope it
>> helps.
>>
>> *1) Here is a workflow diagram of what we were trying to achieve*
>> [image: Inline image 1]
>>
>> *2) Once set up, you can run ZAP headless in a CI/CD pipeline with a
>> command like this:*
>>
>> [image: Inline image 2]
>> *3) You could also set restrictions on which vulnerabilities to
>> fail/ignore/pass a build*
>> [image: Inline image 5]
>> *4) And you can add additional settings, like pushing results into
>> Jira (bug tracker), the maximum duration a scan/spider should take, and login
>> credentials for the scanned web apps.*
>> [image: Inline image 6]
>> *5) Here is what a report looks like in Jira (note that if the web app passes
>> the test, the Jira ticket will be created and automatically closed as
>> well).*
>>
>> [image: Inline image 3]
>>
>> Kind regards
>> Sherif Mansour
>>
>> _______________________________________________
>> OWASP-Leaders mailing list
>> OWASP-Leaders at lists.owasp.org
>> https://lists.owasp.org/mailman/listinfo/owasp-leaders
>>
>>
>
>
> --
> OWASP ZAP <https://www.owasp.org/index.php/ZAP> Project leader
>
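The fail/ignore/pass gating that step 3 of Sherif's post describes can be kept outside ZAP as a small policy check over the alerts ZAP reports, so the pipeline decides the build outcome rather than the scanner. The following is an added example written for this page, not the sdlc-integration script from the community-scripts repository: the alert records are constructed in the shape of ZAP's core/view/alerts API response, and the policy format (a default action per risk level plus per-pluginId overrides) is this example's own, not a ZAP feature.

```python
"""Build gate over ZAP alerts: added example, not the community script.

The sample alerts are constructed to match the field names ZAP's
/JSON/core/view/alerts/ endpoint returns (pluginId, alert, risk, url,
param, confidence). The policy format is hypothetical.
"""
import json
import sys

# Constructed sample alerts (not output from a real scan).
SAMPLE_ALERTS_JSON = json.dumps([
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)",
     "risk": "High", "confidence": "Medium",
     "url": "http://app.example.test/search?q=x", "param": "q"},
    {"pluginId": "10021", "alert": "X-Content-Type-Options Header Missing",
     "risk": "Low", "confidence": "Medium",
     "url": "http://app.example.test/", "param": ""},
    {"pluginId": "10016", "alert": "Web Browser XSS Protection Not Enabled",
     "risk": "Low", "confidence": "Medium",
     "url": "http://app.example.test/login", "param": ""},
    {"pluginId": "10015",
     "alert": "Incomplete or No Cache-control and Pragma HTTP Header Set",
     "risk": "Low", "confidence": "Medium",
     "url": "http://app.example.test/account", "param": ""},
])

ACTIONS = ("IGNORE", "WARN", "FAIL")

# Hypothetical policy: default action per ZAP risk level, plus per-pluginId
# overrides so an accepted finding can be ignored, or a low-risk one
# promoted to FAIL, without changing the scanner configuration.
SAMPLE_POLICY = {
    "default": {"High": "FAIL", "Medium": "FAIL",
                "Low": "WARN", "Informational": "IGNORE"},
    "overrides": {
        "10016": "IGNORE",  # accepted risk for this application
        "10015": "FAIL",    # cache-control on authenticated pages is required
    },
}


def action_for(alert, policy):
    """Return the action (IGNORE/WARN/FAIL) the policy assigns to one alert.

    An explicit pluginId override wins; otherwise the default for the
    alert's risk level applies, and an unknown risk level is treated as WARN.
    """
    override = policy.get("overrides", {}).get(str(alert["pluginId"]))
    if override in ACTIONS:
        return override
    return policy["default"].get(alert["risk"], "WARN")


def evaluate(alerts, policy):
    """Group alerts by action and decide the build status.

    Returns (status, grouped): status is "FAIL" if any alert maps to FAIL,
    "WARN" if any maps to WARN and none to FAIL, else "PASS"; grouped maps
    each action to the alerts it applies to.
    """
    grouped = {action: [] for action in ACTIONS}
    for alert in alerts:
        grouped[action_for(alert, policy)].append(alert)
    if grouped["FAIL"]:
        return "FAIL", grouped
    if grouped["WARN"]:
        return "WARN", grouped
    return "PASS", grouped


def evaluate_json(alerts_json, policy):
    """Parse a JSON list of alerts (as saved from the ZAP API) and evaluate it."""
    return evaluate(json.loads(alerts_json), policy)


def exit_code(status):
    """Only FAIL breaks the build; WARN is reported but lets the build through."""
    return 1 if status == "FAIL" else 0


def summarize(status, grouped):
    """Human-readable summary for the CI log."""
    lines = [f"ZAP gate result: {status}"]
    for action in ("FAIL", "WARN"):
        for a in grouped[action]:
            lines.append(f"  {action} [{a['risk']}] {a['pluginId']} "
                         f"{a['alert']} at {a['url']}")
    lines.append(f"  ignored: {len(grouped['IGNORE'])}")
    return "\n".join(lines)


def main():
    status, grouped = evaluate_json(SAMPLE_ALERTS_JSON, SAMPLE_POLICY)
    print(summarize(status, grouped))
    sys.exit(exit_code(status))


if __name__ == "__main__":
    main()
```

With the sample data the reflected XSS fails the build on its risk level and the cache-control finding fails it through the override, the missing X-Content-Type-Options header is only a warning, and the accepted XSS-protection finding is ignored; the process exits non-zero, which is what a CI runner needs in order to stop the pipeline. Keeping the overrides in version control next to the application gives the same review trail as any other code change.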
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161010/8e209048/attachment-0001.html>
-------------- next part --------------
Five non-text attachments (image.png, image/png) were scrubbed:
89102 bytes: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161010/8e209048/attachment-0005.png>
94347 bytes: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161010/8e209048/attachment-0006.png>
107975 bytes: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161010/8e209048/attachment-0007.png>
255747 bytes: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161010/8e209048/attachment-0008.png>
81805 bytes: <http://lists.owasp.org/pipermail/owasp-leaders/attachments/20161010/8e209048/attachment-0009.png>