All You Need is Zap

•

1 gostou•1,069 visualizações

Link to recording: https://www.youtube.com/watch?v=AQX84p9NhqY Link to code: https://github.com/Soluto/webdriverio-zap-proxy DevSecOps, among other things, is also about running various security testing as part of the continues integration pipeline. Usually, people think that a good security testing tool is either expensive or complicated (and sometimes both), but it does not have to be that way. If you have an existing UI automation tests for your web app (and you probably have), you can, with a very small change, integrate it with Zaproxy. Zaproxy is a free and open source tool, developed by OWASP foundation, that (among other things) could be used to scan your web app's traffic for various security issues. In this slides, I am going to show how this is possible, and the tools I've used.

Tecnologia

All You Need Is Zaproxy
Security Testing for WebApps Made Easy
12 July 2017
Twitter: @omerlh
GitHub: @omerlh

Shift Left Paradigm
Build Test Deploy
Shift Left
Faster better feedback - allow to fail fast and safe

Challenges with Security Testing
● Which tests should I run?
○ Static - Code analysis (SAST)
○ Dynamic - Live analysis (DAST)
○ Integrated - Combination (IAST)
● Let’s focus on DAST
● I want a DAST solution that is:
○ Simple
○ Free
○ Valuable

Running the demo
Get the code:
git clone git@github.com:Soluto/webdriverio-zap-proxy.git
Run with one simple command:
docker-compose up --build --stop-on-container-exit
And watch the magic...

DAST for WebApp
Web App
ZAP
Proxy
UI
Automation

Docker
● The foundation of the Solution
● Easily create
● Easily share

Every block is a container...
Web App
ZAP
Proxy
UI
Automation
But we have multiple containers...

Docker-Compose
● Manage multiple containers
● One command to rule them all
● Easily build complex deployment

OWASP Juice Shop
● Demo Zap value
● Intentionally insecure webapp
● Official docker image
Web App

OWASP ZAP - Zed Attack Proxy
● Free & OSS security tool
● Two modes:
○ Active
○ Passive
● API/CLI
● Official docker image (stable, also dev and weekly exist)
ZAP
Proxy
Web App

● Walk Zap through our WebApp
● Any automation framework could be used
● Webdriver.io automation framework
● Simple JavaScript API
● Custom docker with our code
UI Automation Test Code
ZAP
Proxy
Test
Code
Web App

Want to give it a try?
Fork/Clone Modify Run in CI Relax

What now?
● Future plans:
○ Alerts processing - Glue integration
○ Dedicated security tests
○ Integrate active mode
○ Mobile?
● Other ideas:
○ Zaproxy and Sawgger/OpenApi
○ Use Zaproxy in black box test

Conclusion
● We wanted to build a DAST solution that is:
○ Simple
○ Free
○ Valuable
● I hope you now know how...
Web App
ZAP
Proxy
UI
Automation

Questions?
Twitter: @omerlh
GitHub: @omerlh

Mais conteúdo relacionado

Mais de Soluto

Can Kubernetes Keep a Secret?Soluto

Kamus introSoluto

Secure Your PipelineSoluto

React new features and intro to HooksSoluto

Secure the Pipeline - OWASP Poland Day 2018Soluto

Monitoria@reversimSoluto

Languages don't matter anymore!Soluto

Security Testing for Containerized ApplicationsSoluto

Owasp glueSoluto

Unify logz with fluentdSoluto

Storing data in Redis like a proSoluto

Monitor all the thingz slideshareSoluto

Authentication without Authentication - AppSec CaliforniaSoluto

Authentication without Authentication - Peerlyst meetupSoluto

Security Testing with ZapSoluto

Authentication Without AuthenticationSoluto

Mais de Soluto (16)

Can Kubernetes Keep a Secret?

Kamus intro

Secure Your Pipeline

React new features and intro to Hooks

Secure the Pipeline - OWASP Poland Day 2018

Monitoria@reversim

Languages don't matter anymore!

Security Testing for Containerized Applications

Owasp glue

Unify logz with fluentd

Storing data in Redis like a pro

Monitor all the thingz slideshare

Authentication without Authentication - AppSec California

Authentication without Authentication - Peerlyst meetup

Security Testing with Zap

Authentication Without Authentication

Último

WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2

Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra

Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services

Apidays New York 2024 - The value of a flexible API Management solution for O...apidays

Why Teams call analytics are critical to your entire businesspanagenda

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Victor Rentea

Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays

Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub

Architecting Cloud Native ApplicationsWSO2

Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays

Exploring Multimodal Embeddings with MilvusZilliz

ICT role in 21st century education and its challengesrafiqahmad00786416

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93

FWD Group - Insurer Innovation Award 2024The Digital Insurer

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays

Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021

Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea

All You Need is Zap

1. All You Need Is Zaproxy Security Testing for WebApps Made Easy 12 July 2017 Twitter: @omerlh GitHub: @omerlh

2. The Problem

4. Shift Left Paradigm Build Test Deploy Shift Left Faster better feedback - allow to fail fast and safe

5. Challenges with Security Testing ● Which tests should I run? ○ Static - Code analysis (SAST) ○ Dynamic - Live analysis (DAST) ○ Integrated - Combination (IAST) ● Let’s focus on DAST ● I want a DAST solution that is: ○ Simple ○ Free ○ Valuable

6. Live Demo - WebApp DAST

7. Running the demo Get the code: git clone git@github.com:Soluto/webdriverio-zap-proxy.git Run with one simple command: docker-compose up --build --stop-on-container-exit And watch the magic...

8. Demo Building Blocks

9. DAST for WebApp Web App ZAP Proxy UI Automation

10. Docker ● The foundation of the Solution ● Easily create ● Easily share

11. Every block is a container... Web App ZAP Proxy UI Automation But we have multiple containers...

12. Docker-Compose ● Manage multiple containers ● One command to rule them all ● Easily build complex deployment

13. OWASP Juice Shop ● Demo Zap value ● Intentionally insecure webapp ● Official docker image Web App

14.

15. OWASP ZAP - Zed Attack Proxy ● Free & OSS security tool ● Two modes: ○ Active ○ Passive ● API/CLI ● Official docker image (stable, also dev and weekly exist) ZAP Proxy Web App

16.

17. ● Walk Zap through our WebApp ● Any automation framework could be used ● Webdriver.io automation framework ● Simple JavaScript API ● Custom docker with our code UI Automation Test Code ZAP Proxy Test Code Web App

18.

19. Want to give it a try? Fork/Clone Modify Run in CI Relax

20. What now? ● Future plans: ○ Alerts processing - Glue integration ○ Dedicated security tests ○ Integrate active mode ○ Mobile? ● Other ideas: ○ Zaproxy and Sawgger/OpenApi ○ Use Zaproxy in black box test

21. Conclusion ● We wanted to build a DAST solution that is: ○ Simple ○ Free ○ Valuable ● I hope you now know how... Web App ZAP Proxy UI Automation

22. One last word about OSS

23. Questions? Twitter: @omerlh GitHub: @omerlh

All You Need is Zap

Recomendados

Recomendados

Mais conteúdo relacionado

Mais de Soluto

Mais de Soluto (16)

Último

Último (20)

All You Need is Zap