All You Need Is Zaproxy
Security Testing for WebApps Made Easy
12 July 2017
Twitter: @omerlh
GitHub: @omerlh
Shift Left Paradigm
Diagram: Build → Test → Deploy (Shift Left)
Faster, better feedback: allows failing fast and safe.
Challenges with Security Testing
● Which tests should I run?
○ Static - Code analysis (SAST)
○ Dynamic - Live analysis (DAST)
○ Integrated - Combination (IAST)
● Let’s focus on DAST
● I want a DAST solution that is:
○ Simple
○ Free
○ Valuable
Running the demo
Get the code:
git clone git@github.com:Soluto/webdriverio-zap-proxy.git
Run with one simple command (docker-compose stops all containers once the test container exits, so the run ends on its own):
docker-compose up --build --abort-on-container-exit
And watch the magic...
Docker
● The foundation of the solution
● Easily create
● Easily share
Docker-Compose
● Manage multiple containers
● One command to rule them all
● Easily build complex deployments
OWASP Juice Shop
● Demo Zap value
● Intentionally insecure webapp
● Official docker image
Diagram: Web App
OWASP ZAP - Zed Attack Proxy
● Free & OSS security tool
● Two modes:
○ Active
○ Passive
● API/CLI
● Official docker image (stable; dev and weekly images also exist)
Diagram: ZAP Proxy → Web App
● Walk Zap through our WebApp
● Any automation framework could be used
● Webdriver.io automation framework
● Simple JavaScript API
● Custom docker image with our code
Diagram: UI Automation Test Code → ZAP Proxy → Web App
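As an added illustration (not code from the talk or the webdriverio-zap-proxy repo), the two pieces that the diagram implies: pointing the browser driven by the test code through ZAP, and gating the CI run on the alerts ZAP collected while the UI tests walked the app. The host name `zap`, port 8080 and the sample alerts are assumptions; the alert objects follow the shape of ZAP's `core/view/alerts` API response.

```javascript
// Added example (not code from the talk or its repo). Two pieces of the pipeline
// the slides describe: a WebDriver capability that sends the browser under test
// through ZAP so passive scanning sees every request, and a CI gate over ZAP's
// alert list (shape of the core/view/alerts API response). The host name "zap",
// port 8080 and the sample alerts below are assumptions/constructed.
const RISK_ORDER = ['Informational', 'Low', 'Medium', 'High'];

// Capabilities for webdriver.io (any W3C WebDriver client accepts the same
// "proxy" object): all HTTP and HTTPS traffic is routed via the ZAP container.
function zapProxyCapabilities(zapHost = 'zap', zapPort = 8080) {
  const addr = `${zapHost}:${zapPort}`;
  return {
    browserName: 'chrome',
    acceptInsecureCerts: true, // ZAP terminates TLS with its own CA
    proxy: { proxyType: 'manual', httpProxy: addr, sslProxy: addr },
  };
}

// Fail the run when any alert is at or above `minRisk`. Alerts are
// de-duplicated by rule id and parameter, so one missing header reported on
// many pages counts as a single finding.
function gateAlerts(alertsResponse, minRisk = 'Medium') {
  const threshold = RISK_ORDER.indexOf(minRisk);
  if (threshold < 0) throw new Error(`unknown risk level: ${minRisk}`);
  const seen = new Map();
  for (const a of alertsResponse.alerts || []) {
    if (RISK_ORDER.indexOf(a.risk) < threshold) continue; // unknown risk is skipped
    const key = `${a.pluginId}|${a.param || ''}`;
    if (!seen.has(key)) seen.set(key, { name: a.name, risk: a.risk, url: a.url, param: a.param || '' });
  }
  const failing = [...seen.values()];
  return { passed: failing.length === 0, failing };
}

// Constructed sample shaped like ZAP's alerts view; not output of a real scan.
const SAMPLE_ALERTS = { alerts: [
  { pluginId: '10021', name: 'X-Content-Type-Options Header Missing', risk: 'Low',
    confidence: 'Medium', url: 'http://juice-shop:3000/', param: 'X-Content-Type-Options' },
  { pluginId: '10021', name: 'X-Content-Type-Options Header Missing', risk: 'Low',
    confidence: 'Medium', url: 'http://juice-shop:3000/rest/products', param: 'X-Content-Type-Options' },
  { pluginId: '40012', name: 'Cross Site Scripting (Reflected)', risk: 'High',
    confidence: 'Medium', url: 'http://juice-shop:3000/rest/products/search?q=x', param: 'q' },
] };

const verdict = gateAlerts(SAMPLE_ALERTS, 'Medium');
console.log(verdict.passed ? 'ZAP gate passed' : `ZAP gate failed: ${verdict.failing.length} finding(s)`);
for (const f of verdict.failing) console.log(`  [${f.risk}] ${f.name} at ${f.url} (param: ${f.param})`);
```

In a real run the alerts object would come from the ZAP API (`/JSON/core/view/alerts/`) after the UI tests finish, and a non-zero exit code on `passed === false` is what makes the CI job fail.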
Want to give it a try?
Fork/Clone → Modify → Run in CI → Relax
What now?
● Future plans:
○ Alerts processing - Glue integration
○ Dedicated security tests
○ Integrate active mode
○ Mobile?
● Other ideas:
○ Zaproxy and Swagger/OpenAPI
○ Use Zaproxy in black-box tests
Conclusion
● We wanted to build a DAST solution that is:
○ Simple
○ Free
○ Valuable
● I hope you now know how...
Diagram: UI Automation → ZAP Proxy → Web App