Secure Continuous Integration Part 1: OWASP ZAP Tutorial

If you are reading this OWASP ZAP tutorial, it is because you, like me, are passionate about security and also have a deep love for the overall software development life cycle.

One of the most common questions that come up when we are thinking about making our software secure, from design to deployment, is, “Where do we start?”

Well, you can start in your design or planning session, but my recommendation is to start in the continuous integration process. Why? Because in a DevOps environment, you use your CI process every day, and you can get quick feedback regarding your website’s vulnerabilities.

According to the OWASP Latam Tour 2018 presentation called “Reduzca la fricción del escaneo de vulnerabilidades en integración continua,” you can enhance the security of your continuous integration process by executing the following steps:


Figure 1. A high-level diagram of the secure continuous integration process.


Analyze your current DevOps pipeline:

Is your continuous integration process building a website?

Are you executing automated tests as part of the continuous integration process?

If both answers are “yes,” keep reading.


In our example, we use WebdriverIO for automated test execution. Selenium, which WebdriverIO drives, accepts a proxy configuration as part of the web tests.


With this feature, we can leverage a tool like ZAP, which has a command-line interface (zap-cli) and can run as a proxy that analyzes every web page the tests visit for vulnerabilities.

By including ZAP in the equation, you get the test results and the vulnerability assessment results at the same time, as soon as the build finishes.


Implementation prerequisites:

Implement a source control repository, for example Git. If you don’t have Git, here is a detailed installation guide: Git

Make sure you have a continuous integration tool such as Jenkins in place to execute your builds. To install Jenkins, follow this link: Jenkins

You need to implement a pipeline for your source code branch. A guide to creating a pipeline that integrates Git with Jenkins can be found here: Stackify

Automation is a key part of the equation. Automate your tests using the tool that best fits your needs. If you are looking for a suggestion, Selenium is a good place to start: SeleniumHQ

Make sure Python 2.7 and pip (the Python package manager) are installed on your machine.

Install zap-cli, the command-line interface for ZAP: GitHub

Before we look at some code, we need to set up some environment variables so that ZAP can intercept and analyze all our requests:

ZAP_API_KEY='12345'
ZAP_PORT='8765'
ZAP_PATH='/Users/ZAP_2.7.0'


Let’s see some code:

Our first step, before setting up our tests, is to start the ZAP daemon through zap-cli by running the following command in the terminal:

zap-cli start

After starting ZAP, we use zap-cli’s status check as a heartbeat to confirm that the ZAP daemon started successfully. To do this, we run the following command:

zap-cli status

Now that we have made sure that our OWASP ZAP daemon is running locally without any issues, we will proceed to start a new session:

zap-cli session new

You’ll need to configure the proxy for your tests:

// ZAP listens on the port we exported as ZAP_PORT
const proxy = 'http://localhost:8765';

const proxySettings = {
  proxy: {
    // Send HTTP, HTTPS and FTP traffic from the browser through ZAP
    httpProxy: proxy,
    sslProxy: proxy,
    ftpProxy: proxy,
    proxyType: 'MANUAL',
    autodetect: false
  },
  'chrome.switches': [
    // ZAP re-signs TLS with its own certificate, which Chrome would otherwise reject
    '--ignore-certificate-errors',
  ]
};

Note that we include a Chrome switch (chrome.switches) so that the browser does not stop on the certificate errors it reports when traffic is sent through a proxy such as ZAP. The proxy port, 8765, is the ZAP_PORT value we set as an environment variable in the first step. In the package.json file of our test project, we also added a shortcut script that launches the tests with the proxy enabled:

"scripts": {
  "security": "./node_modules/.bin/wdio conf.js --environment=web --proxy"
},

When we execute npm run security, the test settings take effect and our automated tests run through the OWASP ZAP proxy, so every single request they make is analyzed.
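The conditional part of the setup above, enabling the proxy only for the security run, is easy to get wrong: if ZAP_PORT is unset or the --proxy flag is dropped, the suite quietly runs without ZAP and the build stays green with nothing scanned. The following is an added example, not the post’s own conf.js, that builds the WebdriverIO capabilities from the environment and the command line. It assumes the ZAP_PORT variable from the post, uses the W3C form of the proxy and Chrome capabilities (host:port without a scheme, goog:chromeOptions instead of the older chrome.switches key), and the function names (buildCapabilities, zapProxyAddress, hasProxyFlag) are hypothetical.

```javascript
// Added example (not the original post's config): build WebdriverIO
// capabilities so the suite goes through ZAP only when started with the
// --proxy flag that the "security" npm script passes. The helper names
// here (buildCapabilities, zapProxyAddress, hasProxyFlag) are hypothetical.

const ZAP_HOST = 'localhost';

// The "security" script runs `wdio conf.js --environment=web --proxy`;
// any other entry point (a plain `npm test`, a local run) leaves the flag out.
function hasProxyFlag(argv) {
  return argv.includes('--proxy');
}

// host:port for the ZAP listener, taken from the ZAP_PORT variable exported
// earlier in the post. A missing or bogus port throws rather than letting the
// suite run unproxied and report a green build with nothing scanned.
function zapProxyAddress(env) {
  const port = Number.parseInt(env.ZAP_PORT, 10);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`ZAP_PORT is missing or invalid: ${JSON.stringify(env.ZAP_PORT)}`);
  }
  return `${ZAP_HOST}:${port}`;
}

function buildCapabilities(env, argv) {
  const caps = {
    browserName: 'chrome',
    // W3C form of the Chrome switches (the post used 'chrome.switches').
    'goog:chromeOptions': { args: [] },
  };
  if (!hasProxyFlag(argv)) {
    return caps; // ordinary functional run, nothing intercepted
  }
  const address = zapProxyAddress(env);
  // W3C proxy capability: host:port without a scheme, lowercase proxyType.
  caps.proxy = {
    proxyType: 'manual',
    httpProxy: address,
    sslProxy: address,
  };
  // ZAP re-signs TLS with its own CA, so Chrome would otherwise refuse every
  // https page. Importing ZAP's root CA into the browser profile is the
  // stricter option; the flag is what the post used.
  caps['goog:chromeOptions'].args.push('--ignore-certificate-errors');
  return caps;
}

// In conf.js this would be wired up as:
//   exports.config = { capabilities: [buildCapabilities(process.env, process.argv)], /* ... */ };
// Constructed sample input, as the CI job would see it:
const sampleCaps = buildCapabilities(
  { ZAP_PORT: '8765', ZAP_API_KEY: '12345' },
  ['node', 'wdio', 'conf.js', '--environment=web', '--proxy'],
);
console.log(JSON.stringify(sampleCaps, null, 2));
```

Throwing on a bad ZAP_PORT is deliberate: a security run that silently degrades to a normal run is worse than a failed job, because nobody notices that the assessment stopped happening.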

Wait until your tests are done.

After all your tests are finished, you may create your vulnerability assessment report with the following command:

zap-cli report -o vulnerability.html -f html

The flags used above are -o, which sets the output filename, and -f, which sets the report format (html in this case).

Your OWASP ZAP vulnerability assessment report should look something like this:

[Screenshot: OWASP ZAP HTML vulnerability assessment report]
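The HTML report is meant for people; a CI job also needs a machine-readable verdict so that a run that surfaced serious findings does not pass just because the functional tests were green. The following is an added example, not part of the original post, that turns ZAP’s alerts into a pass/fail decision. It assumes alerts in the shape ZAP’s alert API returns (each record with at least alert, risk and url, with risk one of Informational, Low, Medium or High); how you fetch them from the running daemon is outside the block, the sample records are constructed, and the function names (summarizeAlerts, gateBuild) are hypothetical.

```javascript
// Added example (not part of the original post): decide whether the CI
// build passes from the alerts ZAP collected during the proxied test run.
// Assumes ZAP alert records with `alert`, `risk` and `url`; the sample
// below is constructed, and summarizeAlerts/gateBuild are hypothetical names.

const RISK_ORDER = ['Informational', 'Low', 'Medium', 'High'];

function riskRank(risk) {
  const idx = RISK_ORDER.indexOf(risk);
  if (idx === -1) throw new Error(`unknown ZAP risk level: ${risk}`);
  return idx;
}

// Count alerts per risk level and collapse duplicates: the same finding on
// the same URL is reported once per request the browser made, which is
// noise in a build log.
function summarizeAlerts(alerts) {
  const counts = Object.fromEntries(RISK_ORDER.map((r) => [r, 0]));
  const seen = new Set();
  const unique = [];
  for (const a of alerts) {
    riskRank(a.risk); // reject records with an unexpected risk value
    const key = `${a.risk}|${a.alert}|${a.url}`;
    if (seen.has(key)) continue;
    seen.add(key);
    unique.push(a);
    counts[a.risk] += 1;
  }
  return { counts, unique };
}

// Fail the build when any unique alert is at or above the threshold level.
function gateBuild(alerts, failOn = 'Medium') {
  const threshold = riskRank(failOn);
  const { counts, unique } = summarizeAlerts(alerts);
  const offenders = unique
    .filter((a) => riskRank(a.risk) >= threshold)
    .map((a) => `[${a.risk}] ${a.alert} at ${a.url}`);
  return { passed: offenders.length === 0, counts, offenders };
}

// Constructed sample: what a few proxied page loads of a local app might yield.
const sampleAlerts = [
  { alert: 'X-Frame-Options Header Not Set', risk: 'Medium', url: 'http://localhost:3000/' },
  { alert: 'X-Frame-Options Header Not Set', risk: 'Medium', url: 'http://localhost:3000/' },
  { alert: 'Cookie Without Secure Flag', risk: 'Low', url: 'http://localhost:3000/login' },
  { alert: 'Cross Site Scripting (Reflected)', risk: 'High', url: 'http://localhost:3000/search?q=test' },
];
const verdict = gateBuild(sampleAlerts, 'Medium');
console.log(JSON.stringify(verdict, null, 2));
// In a pipeline step you would end with: process.exit(verdict.passed ? 0 : 1);
```

Start with a High threshold on an existing code base and lower it as the backlog shrinks; a gate that fails every build on day one is the one that gets disabled.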

In this blog post, we covered vulnerability assessment integration in automated tests by using the open source tool “ZAP.” In the following blog post, we will be taking a look at continuous integration and using Docker to execute the full test.

Kenneth Webb
Kenneth is a Senior Software Consultant with around 14 years of experience in different industries. He is passionate about software engineering and secure coding. In his free time he likes to spend time with his family, hike, and visit the beach.