Code contributions to the OWASP ZAP Project. We agreed to focus on automation so that developers can run zap as part of their build tests.The code and instructions can be found here: https://github.com/zaproxy/community-scripts/tree/master/api/sdlc-integration

1. ZAP – SDLC Integration
An Intern Project

2. Objectives
• Engage and support the AppSec Community
• Fine a way to contribute to improvement of
OSS Security tools
• Focus on Integration into Developers SDLC

3. Project Diagram

4. The project is split into two parts
• run_session_setup.py is used to clean the ZAP
session and set up basic configuration - this
should be run before any scans are run (+ it
assumes that ZAP daemon is already running)
• run_scan.py contains the actual scan functions
and also posts the scan results to JIRA - it
assumes that ZAP daemon is running, session has
been set up and selenium tests have been run
(through the ZAP proxy)

5. Step 1 – Setup ZAP
• Project Setup
• Download and Install ZAP - https://github.com/zaproxy/zaproxy/wiki/Downloads
• Add ZAP root certificate to your browser - Open ZAP > Tools > Options > Dynamic
SSL Certificates > Save
• Configure your machine to use ZAP local proxy for all internet traffic
• Download the project
• Install requirements: pip install -r requirements.txt
• Modify any core/setup_module/proxy_scripts/* as needed – all files in this folder
will be used
– For instance you might want to add a CSP header to each response
• Start ZAP daemon (also see start-zap.sh script): zap.sh -daemon -port 8080 -config
api.disablekey=true &
• Setup your own selenium drivers and tests (or any other way to generate internet
traffic).

6. Usage (relevant to both modules)
• Run python scriptname.py -h to see instructions and all
available options (substitute 'run_scan.py' or
'run_session_setup.py')
• Run python scriptname.py -g rules_config.txt to
generate a template for your rule configuration file
– rules_config_demo.txt - This is what it could look like
• Change your rules_config.txt file to indicate which rules
should be ignored and which should cause the test to
fail.
• Modify core/config.py settings

7. Configuring Scan Settings – pt01

8. Configuring Scan Settings – pt02

9. Example Scan
• Run setup_module:
• To set up the session run: python
run_session_setup.py -t "www.example.com" -c
rules_config.txt -d
• Run scan_module:
• Run: python run_scan.py -c rules_config.txt -r to
execute the test and have the results posted to
JIRA (Note: You should use the same
rules_config.txt file!)

10. Usage - cont
• (optional) Run python run_session_setup.py -g
rules_config.txt to generate a template for your rule
configuration file
• (optional) Change your rules_config.txt file to indicate
which rules should be ignored and which should cause the
test to fail
• To set up the session run: python run_session_setup.py -t
"www.example.com" -c rules_config.txt -d where the -
d(debug) and -c filename flags are optional. The -t
url parameter is used to limit the proxy only to the target
domain and avoid any other internet traffic from the
machine.

11. Usage - cont
• Now you generate some internet traffic (targeting the domain you
specified with the -t flag earlier). This is the point where you should
run your Selenium tests.
• Run: python run_scan.py -c rules_config.txt -r -d to execute the test
and have the results posted to JIRA (-rflag). Note that if you use
the -c filename flag, you should use the same rules_config.txt file
you used for the session setup!)
• (optional) If you want the run_scan.py script to perform additional
spidering, specify a -x filename flag in the previous step, where the
filename points to a file that contains a set of regexes (each on a
new line) that limit the spider to particular subpaths of your site.

12. Example Scan - Snapshot

13. Example Scan – Results in Jira