Lead Image © Galina Peshkova, 123RF.com

ZAP provides automated security tests in continuous integration pipelines

Always On

Article from ADMIN 41/2017
Despite the abundance of tools that test code and help improve the effectiveness of a continuous integration pipeline, automated security testing is much more difficult to get right than it might appear.
Special Thanks: This article was made possible by support from Linux Professional Institute

Commonly, a mixture of open source and expensive proprietary tools is shoehorned into a pipeline to perform tests on nightly as well as ad hoc builds. However, anyone who has used such tests soon realizes that the maturity of a smaller number of time-honored tests is often much more valuable than the extra detail you get by shoehorning too many tests into the pipe and then waiting three hours for a nightly build to complete. The maturity of your battle-hardened tests is key.

The tests you require might involve interrogating the quality of code from developers or checking code for licensing issues. A continuous testing strategy can be onerous to set up but brings unparalleled value to your end product, including improvements in uptime, performance, compliance, and security.

To make any of the tests you run within your pipeline useful, you should be able to integrate them with existing tools and fire them following simple event-based hooks or triggers.

Once licensing test errors are safely classed as non-fatal, for example, your code may proceed by passing a "yes" to the next phase. Later, if Ansible or Puppet reports that all changes were executed properly from your playbooks or manifests without generating unwelcome errors, you are ready for the next step. After your code has moved successfully through all the phases of testing, your changes can then be accepted into your production environment.

The popular security tool Zed Attack Proxy (ZAP) [1] is a useful addition to your continuous integration security testing strategy. According to the project website, ZAP can "help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications." My professional curiosity stems from a DevSecOps perspective and, with some tinkering, I have discovered that ZAP will help you avoid a great number of issues in your code.

Laser Beams

ZAP is brought to you by the not-for-profit organization called Open Web Application Security Project, or OWASP [2]. The ZAP security testing framework is regularly visible near the top of security tool review lists, thanks to its accessibility and its feature set.

What first piqued my interest in ZAP was its intuitive interface. Although dissimilar, it reminded me a little of WebGoat's tutorial-based approach [3]. ZAP is unquestionably a fantastic security learning tool, as well as an excellent automated testing tool. I've read before that it's ideal for beginners, but used by professionals. To my mind, that's a mantra many other software products should think of adopting.

Before you go any further, remember to try out anything and everything in a sandbox first before aiming it at any production systems. On that note, here's a genuinely serious point: ZAP is highly functional, so only use it on your own systems, or you might cause criminal damage.

It is safe to say that ZAP has been carefully considered, well devised, and expertly written. A handy Docker image comes with a GUI that you can run remotely over TightVNC [4], which I'll look at in a moment; however, first, I'll whet your appetite with some of ZAP's many features.

What's in the Box?

Worth mentioning is the superb quality of online documentation that ZAP offers, including videos and a teaser pamphlet titled "Zap" Your App's Vulnerabilities [5]. ZAP sits near the top of the stack in the Application Layer (OSI model Layer 7) [6]. Although many fantastic network security tools exist that will probe every nook and cranny of a network stack, ZAP specializes in the application vulnerabilities side, whether that's strictly Layer 7 or below.

Among ZAP's app-centric list of features is its ability to act as an intercepting proxy, which means you point your browser at it and click away merrily while ZAP tells you what's broken. You can then adjust code to remedy issues on the fly.

For automation, ZAP presents a sophisticated API that can be used in daemon mode (which I'll come to later when discussing continuous integration [CI]) and a plugin architecture with modular components that are simple to update. ZAP includes a traditional spider (a crawler that very efficiently checks websites without complex JavaScript) and an AJAX spider that launches a browser to click through interactive parts of a site, taking a little longer than its less intelligent counterpart.

If that list of features isn't enough, there's my favorite, "passive" scanning, which means that ZAP can isolate vulnerabilities without bringing your site to its knees. If you're feeling brave, the much less safe "active" scanning attack mode (which should only ever be used on your own sites) is equally clever, and, yes, it attacks the site with great fury and anger.
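The pieces the article has described so far, a ZAP daemon exposing its API, a spider walking the site, the passive scanner reporting alerts, and a pipeline step that turns those alerts into a pass/fail decision, fit together as follows. This is an added example, not code from the article or from the ZAP project. It assumes a ZAP daemon started with `zap.sh -daemon -host 0.0.0.0 -port 8090 -config api.key=<key>` (the API key is read from an assumed `ZAP_API_KEY` environment variable) and that the target URL is a staging deployment you own; the `SAMPLE_ALERTS` data is constructed so the gating logic can be exercised without a running daemon.

```python
"""CI gate around a ZAP daemon's JSON API: spider, let the passive scanner
drain, fetch alerts, and fail the build above a chosen risk level.
Added example; ZAP_URL, ZAP_API_KEY and the sample data are assumptions."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP_URL = "http://127.0.0.1:8090"  # assumed daemon address (see lead-in)

# ZAP reports each alert with a risk string; rank them so a threshold can be applied.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_call(component, kind, name, api_key, **params):
    """Call one ZAP API endpoint, e.g. /JSON/spider/action/scan/, and return parsed JSON."""
    params["apikey"] = api_key
    url = f"{ZAP_URL}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.loads(resp.read().decode("utf-8"))


def spider_and_passive_scan(target, api_key, poll=2.0):
    """Crawl target with the traditional spider, wait for the passive scanner
    to finish examining every response it saw, then return the alerts."""
    scan_id = zap_call("spider", "action", "scan", api_key, url=target)["scan"]
    while int(zap_call("spider", "view", "status", api_key, scanId=scan_id)["status"]) < 100:
        time.sleep(poll)
    # Passive scanning runs on every response ZAP has seen; the queue must drain
    # before core/view/alerts is complete.
    while int(zap_call("pscan", "view", "recordsToScan", api_key)["recordsToScan"]) > 0:
        time.sleep(poll)
    return zap_call("core", "view", "alerts", api_key, baseurl=target)["alerts"]


def risk_of(alert):
    """Normalise the risk field ('High', or 'High (Medium)' in some reports) to a rank."""
    return RISK_ORDER.get(str(alert.get("risk", "")).split(" ")[0], 0)


def summarize(alerts):
    """Count alerts per risk level for the build log."""
    counts = {level: 0 for level in RISK_ORDER}
    for alert in alerts:
        level = next(name for name, rank in RISK_ORDER.items() if rank == risk_of(alert))
        counts[level] += 1
    return counts


def gate(alerts, fail_at="Medium"):
    """Return (passed, offending): offending holds alerts at or above fail_at."""
    threshold = RISK_ORDER[fail_at]
    offending = [a for a in alerts if risk_of(a) >= threshold]
    return (len(offending) == 0, offending)


# Constructed sample in the shape of core/view/alerts output, used when no target is given.
SAMPLE_ALERTS = [
    {"alert": "X-Frame-Options Header Not Set", "risk": "Medium", "confidence": "Medium",
     "url": "http://staging.example/", "param": ""},
    {"alert": "Cookie Without Secure Flag", "risk": "Low", "confidence": "Medium",
     "url": "http://staging.example/login", "param": "session"},
    {"alert": "Server Leaks Version Information", "risk": "Low", "confidence": "High",
     "url": "http://staging.example/", "param": ""},
]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    if target:
        alerts = spider_and_passive_scan(target, os.environ["ZAP_API_KEY"])
    else:
        alerts = SAMPLE_ALERTS  # offline demonstration of the gate
    passed, offending = gate(alerts, fail_at="Medium")
    print(json.dumps(summarize(alerts)))
    for a in offending:
        print(f"{a['risk']}: {a['alert']} at {a['url']} (param={a['param'] or '-'})")
    sys.exit(0 if passed else 1)
```

Run as `python zap_gate.py https://staging.example` from a pipeline step; the non-zero exit status is what the CI server reacts to, which mirrors the article's point that a test result feeds the next phase as a simple yes/no. Only the spider and the passive scanner are driven here, so the target is never attacked; active scanning (`ascan/action/scan`) would be a separate, deliberately enabled step.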

With ZAP, you can debug your code and initiate penetration testing (automated and manual). It has wide-ranging support for scripting languages, support for the API, and, if that's not enough, an auto-update option.

A marketplace for ZAP add-ons is easily accessible through a GUI interface [7]. ZAP add-ons come with a quality level, so you can choose whether to trust them implicitly or consider them "nice to have" for the future. Check the maturity of the add-ons by looking for the Alpha, Beta, or Release status.
