ZAP provides automated security tests in continuous integration pipelines

Always On

The Client Is Always Right

If you need to make any complex changes to your configuration files, you should consider making changes like adding credentials for a login in the fully blown GUI (over VNC or otherwise) and then exporting them to a file so you can use them in the API afterward.

To install the Python client, run the pip command:

$ pip install python-owasp-zap-v2.4

Don't be too put off if a search within your distribution's package manager (e.g., Apt or Yum) for the pip package offers unusual results. My results reported in the package description that v2.4 was version 2.6, which confused me about the possibility of API versus client version incompatibilities.

After you've started a set of tests, you can return to the browser user interface that's offered by the API and enter a scanID, which then returns JSON-style output giving a percentage of the scan under the key status. Take note that the AJAX spider is different and only reports a running status, as opposed to a percentage, until it's completed.

Markups

Once you've grasped the API, you can produce some shiny, useful reports to complement your testing strategy, and there's certainly no harm in compressing and archiving them for future reference. The marvel that is ZAP offers XML and HTML output with simple scripting examples to add to your arsenal.

Additionally, you can produce alert-only reports that boil down the results to display just the salient details. In addition to paging through alerts, the API lets you stop ZAP dead in its tracks if it's hit a fatal error, should it ever find something too nasty to continue. 

 

ZAP is a potentially destructive tool, so choose your target URLs with great care, unless you want to find out how good you look in an orange jumpsuit.

 

Other reports include status responses from the API for logins and logouts, scan statistics, and active scan results. You can even tune your timeouts meticulously and make sure any problematic tests don't prevent other tests from completing.

The End

The deeper you delve into your application with ZAP tests, the richer the results you receive. ZAP encourages you to run unit tests proxied through ZAP for best results. As mentioned, over time, the eventual maturity of your tests will provide greater efficacy.

If you want to continue learning about ZAP, refer to the OWASP page with video help [1]. The User Guide link on that page jumps to the GitHub page [12], which is the official site and the most useful starter page, for beginners.

For up-to-date images, you can swap stable in the image name with weekly for a newer, slightly unstable version of ZAP for your automation needs; you would then run the owasp/zap2docker-weekly image instead. Not only do ZAP's developers recommend doing this for automated testing, they have a good historical failure rate on weekly releases, so they're probably quite safe.

Used internally and integrated with your pipeline, ZAP is a genuinely powerful addition to any CI setup. At the risk of sounding like a stuck record, you should pay close attention to how you're using ZAP and only aim it at systems you own. As you continue to use it, pay heed to the fact that the maturity of tests are what counts.

I'm looking forward to learning more about ZAP. It's a relatively safe bet that your organization will thank you for deploying ZAP today and then again at some point in the future when it keeps a potentially expensive mistake from making it into production.

Special Thanks

This article was made possible by support from Linux Professional Institute

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend , shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevSecOps and Linux security on his website, http://www.devsecops.cc.

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs



Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.

Learn More”>
	</a>

<hr>		    
			</div>
		    		</div>

		<div class=