ZAP provides automated security tests in continuous integration pipelines

Always On

Markups

Once you've grasped the API, you can produce some shiny, useful reports to complement your testing strategy, and there's certainly no harm in compressing and archiving them for future reference. The marvel that is ZAP offers XML and HTML output with simple scripting examples to add to your arsenal.

Additionally, you can produce alert-only reports that boil down the results to display just the salient details. In addition to paging through alerts, the API lets you stop ZAP dead in its tracks if it's hit a fatal error, should it ever find something too nasty to continue. 

 

ZAP is a potentially destructive tool, so choose your target URLs with great care, unless you want to find out how good you look in an orange jumpsuit.

 

Other reports include status responses from the API for logins and logouts, scan statistics, and active scan results. You can even tune your timeouts meticulously and make sure any problematic tests don't prevent other tests from completing.

The End

The deeper you delve into your application with ZAP tests, the richer the results you receive. ZAP encourages you to run unit tests proxied through ZAP for best results. As mentioned, over time, the eventual maturity of your tests will provide greater efficacy.

If you want to continue learning about ZAP, refer to the OWASP page with video help [1]. The User Guide link on that page jumps to the GitHub page [12], which is the official site and the most useful starter page, for beginners.

For up-to-date images, you can swap stable in the image name with weekly for a newer, slightly unstable version of ZAP for your automation needs; you would then run the owasp/zap2docker-weekly image instead. Not only do ZAP's developers recommend doing this for automated testing, they have a good historical failure rate on weekly releases, so they're probably quite safe.

Used internally and integrated with your pipeline, ZAP is a genuinely powerful addition to any CI setup. At the risk of sounding like a stuck record, you should pay close attention to how you're using ZAP and only aim it at systems you own. As you continue to use it, pay heed to the fact that the maturity of tests are what counts.

I'm looking forward to learning more about ZAP. It's a relatively safe bet that your organization will thank you for deploying ZAP today and then again at some point in the future when it keeps a potentially expensive mistake from making it into production.

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend , shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also talks you through making your servers invisible, performing penetration testing, and mitigating unwelcome attacks. You can find out more about DevSecOps and Linux security on his website, http://www.devsecops.cc.

Buy ADMIN Magazine

SINGLE ISSUES
 
SUBSCRIPTIONS
 
TABLET & SMARTPHONE APPS
Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

comments powered by Disqus

SysAdmin Day 2017!

  • Happy SysAdmin Day 2017!

    Download a free gift to celebrate SysAdmin Day, a special day dedicated to system administrators around the world. The Linux Professional Institute (LPI) and Linux New Media are partnering to provide a free digital special edition for the tireless and dedicated professionals who keep the networks running: “10 Terrific Tools."

Special Edition

Newsletter

Subscribe to ADMIN Update for IT news and technical tips.

ADMIN Magazine on Twitter

Follow us on twitter