Lead Image © Galina Peshkova, 123RF.com

Lead Image © Galina Peshkova, 123RF.com

ZAP provides automated security tests in continuous integration pipelines

Always On

Article from ADMIN 41/2017
By
Despite the abundance of tools that test code and help improve the effectiveness of a continuous integration pipeline, automated security testing is much more difficult to get right than it might appear.

Commonly, a mixture of open source and expensive proprietary tools are shoehorned into a pipeline to perform tests on nightly as well as ad hoc builds. However, anyone who has used such tests soon realizes that the maturity of a smaller number of time-honored tests is sometimes much more valuable than the extra detail you get by shoehorning too many tests into the pipe then waiting three hours for a nightly build to complete. The maturity of your battle-hardened tests is key.

The tests you require might involve interrogating the quality of code from developers or checking code for licensing issues. A continuous testing strategy can be onerous to set up but brings unparalleled value to your end product, including improvements in uptime, performance, compliance, and security.

To make any of the tests you run within your pipeline useful, you should be able to integrate them with existing tools and fire them following simple event-based hooks or triggers.

Once licensing test errors are safely classed as non-fatal, for example, your code may proceed by passing a "yes" to the next phase. Later, if Ansible or Puppet reports that all changes were executed properly from your playbooks or manifests without generating unwelcome errors, you are ready for the next step. After your code has moved successfully through all the phases of testing, your changes can then be accepted into your production environment.

The popular security tool Zed Attack Proxy (ZAP) [1] is a useful addition to your continuous integration security testing strategy. According to the project website, ZAP can "help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications." My professional curiosity stems from a DevSecOps perspective and, with some tinkering, I have discovered that ZAP will help you avoid a great number of issues in your code.

Laser Beams

ZAP is brought to you by the not-for-profit organization called Open Web Application Security Project, or OWASP [2]. The ZAP security testing framework is regularly visible near the top of security tool review lists, thanks to its accessibility and its feature set.

What first piqued my interest in ZAP was its intuitive interface. Although dissimilar, it reminded me a little of WebGoat's tutorial-based approach [3]. ZAP is unquestionably a fantastic security learning tool, as well as an excellent automated testing tool. I've read before that it's ideal for beginners, but used by professionals. To my mind, that's a mantra many other software products should think of adopting.

Before you go any further, remember to try out anything and everything in a sandbox first before aiming it at any production systems. On that note, here's a genuinely serious point: ZAP is highly functional, so only use it on your own systems, or you might cause criminal damage.

It is safe to say that ZAP has been carefully considered, well devised, and expertly written. A handy Docker image comes with a GUI that you can run remotely over TightVNC [4], which I'll look at in a moment; however, first, I'll whet your appetite with some of ZAP's many features.

What's in the Box?

Worth mentioning is the superb quality of online documentation that ZAP offers, including videos and a teaser pamphlet titled "Zap" Your App's Vulnerabilities [5]. ZAP sits near the top of the stack in the Application Layer (OSI model Layer 7) [6]. Although many fantastic network security tools exist that will probe every nook and cranny of a network stack, ZAP specializes in the application vulnerabilities side, whether that's strictly Layer 7 or below.

Among ZAP's app-centric list of features is its ability to act as an intercepting proxy, which means you point your browser at it and click away merrily while ZAP tells you what's broken. You can then adjust code to remedy issues on the fly.

For automation, ZAP presents a sophisticated API that can be used in daemon mode (which I'll come to later when discussing continuous integration [CI]) and a plugin architecture with modular components that are simple to update. ZAP includes a traditional spider (a crawler that very efficiently checks websites without complex JavaScript) and an AJAX spider that launches a browser to click through interactive parts of a site, taking a little longer than its less intelligent counterpart.

 

Use ZAP only on your own systems, or you might cause criminal damage.

 

If that list of features isn't enough, there's my favorite, "passive" scanning, which means that ZAP can isolate vulnerabilities without bringing your site to its knees. If you're feeling brave, the much less safe "active" scanning attack mode (which should only ever be used on your own sites) is equally clever, and, yes, it attacks the site with great fury and anger.

With ZAP, you can debug your code and initiate penetration testing (automated and manual). It has wide-ranging support for scripting languages, support for the API, and, if that's not enough, an auto-update option.

A marketplace for ZAP add-ons is easily accessible through a GUI interface [7]. ZAP add-ons come with a quality level, so you can choose whether to trust them implicitly or consider them "nice to have" for the future. Check the maturity of the add-ons by looking for the Alpha, Beta, or Release status.

Zapping from a Docker Container

The path of least resistance to getting started is by installing Docker on a host or virtual machine and running the ZAP Docker image as a container. Even inside complex environments, if you can open up TCP port 5900, you will be able to connect over VNC and get access to ZAP's GUI (firewalls permitting).

To get Docker installed successfully on a Debian derivative (I'm using Ubuntu on a server and Mint on a laptop) use the command

$ apt install docker.io

to install the package. You'll be glad to hear that even a cheap and cheerful AWS or Digital Ocean cloud instance will happily serve ZAP and its GUI on Docker. Some tests might take a bit longer, but certainly you won't be too put out by server specifications at first. However, you might want to up the RAM and CPU specs for CI integration. Sadly, sometimes 512MB of RAM even on Linux boxes doesn't get you very far these days if you want to run a feature-filled application.

Now it's time to drop the theory and move on to the juicy stuff. The lengthy Docker command shown below does a few things automatically and in a relatively sophisticated way:

$ docker run -u zap -p 5900:5900 -p 81:8080 -i owasp/zap2docker-stable x11vnc --forever --usepw --create

First, you can see that, from a security perspective, I'm running the Docker container application as user zap and not as root, which might help with some host security worries. Second, as mentioned before, TCP port 5900 is open to access ZAP's GUI over VNC, but you can choose an arbitrary port by adjusting the first 5900 to your preferred port. Third, because some applications (e.g., Kubernetes) need TCP port 8080, in this case, I've opened up TCP port 81 on my host, and not TCP port 8080. Finally, you might spot the mention of X11 and VNC, which, especially when you're dealing with containers, usually involves lots of heartache and effort to get working; however, ZAP is way ahead, and thankfully it just works.

On my host running Docker, it's a case of running this command and waiting for the image to get pulled down and run. When it's finished, you might get a slightly strange ioctl error (Figure 1), which is innocuous and your prompt (pun intended) to enter your TightVNC password.

Figure 1: The innocuous ioctl error password prompt; type your password when you see it.

Immediately afterward, you're asked to repeat the password and then just answer y to save the password inside the container. It's worth mentioning at this point that your container is going to be destroyed immediately after you stop it, unless you log in and run a script to get the GUI working with the -d (detach) option (Listing 1). If you're just testing the GUI to see if it is working correctly and your container will be short lived, then using a simple VNC password is fine to get you going.

Listing 1

Running a Persistent ZAP Container

root@chris:~# docker run -d -u zap -p 5900:5900 -p 81:8080 -i owasp/zap2docker-stable
03736c2a2088ef47dc4e2a82fbdf5f153e34f05834fecf23ede46c2061fda423
root@chris:~# docker exec -it 03736 bash
zap@03736c2a2088:/zap$ x11vnc --forever --usepw --create
Enter VNC password:
Verify password:
Write password to /home/zap//.vnc/passwd?  [y]/n y
Password written to: /home/zap//.vnc/passwd
[snip...]
The VNC desktop is:      03736c2a2088:0
PORT=5900

Assuming your firewalls and the planets are aligned correctly, it's a case of installing a package called xtightvncviewer and pointing it at the preset PORT in the output in Listing 1. I'm using Debian Mint, so I just run a command to install the simple viewer:

$ apt install xtightvncviewer

Now all you need to do is point xtightvncviewer at your server's IP address. You don't even have to add a colon and a port number in the terminal if you haven't changed the default port from 5900. (I recommend you change the default port for extended use to mitigate automated attacks on the well-known TCP 5900 port, which, believe me when I say, has some unwelcome history.) If you don't add an IP address, you'll see an old X Windows-style dialog box, but for ease, assuming you've stuck with TCP port 5900, simply type the following line in a new terminal, inserting your IP address instead of <1.2.3.4>:

$ xtightvncviewer <1.2.3.4>

If you'd like more Docker information, you'll find more options on the GitHub page [8].

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

SysAdmin Day 2017!

  • Happy SysAdmin Day 2017!

    Download a free gift to celebrate SysAdmin Day, a special day dedicated to system administrators around the world. The Linux Professional Institute (LPI) and Linux New Media are partnering to provide a free digital special edition for the tireless and dedicated professionals who keep the networks running: “10 Terrific Tools."

Special Edition

Newsletter

Subscribe to ADMIN Update for IT news and technical tips.

ADMIN Magazine on Twitter

Follow us on twitter