Link to recording: https://www.youtube.com/watch?v=AQX84p9NhqY
Link to code: https://github.com/Soluto/webdriverio-zap-proxy
DevSecOps, among other things, is also about running security tests as part of the continuous integration pipeline. People usually assume that a good security testing tool is either expensive or complicated (and sometimes both), but it does not have to be that way. If you already have UI automation tests for your web app (and you probably do), a very small change lets you route them through ZAP (Zaproxy). ZAP is a free and open source tool from the OWASP Foundation that, among other things, can scan your web app's traffic for security issues while the tests run. In these slides I show how this works and the tools I used.
4. Shift Left Paradigm
[Diagram: pipeline stages Build → Test → Deploy, with security testing shifted left toward Build]
● Faster, better feedback: lets you fail fast and safely
5. Challenges with Security Testing
● Which tests should I run?
○ Static - Code analysis (SAST)
○ Dynamic - Live analysis (DAST)
○ Integrated - Combination (IAST)
● Let’s focus on DAST
● I want a DAST solution that is:
○ Simple
○ Free
○ Valuable
7. Running the demo
Get the code:
git clone git@github.com:Soluto/webdriverio-zap-proxy.git
Run with one simple command (Compose stops the whole stack as soon as any container exits, so the test container ending ends the run):
docker-compose up --build --abort-on-container-exit
And watch the magic...
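The three-container layout the demo runs, sketched here as an added configuration example rather than the repository's own docker-compose.yml (service names, image tags, the port and the environment variable names are assumptions made for this sketch):

```yaml
version: "3"
services:
  juice-shop:
    image: bkimminich/juice-shop            # official OWASP Juice Shop image
  zap:
    image: owasp/zap2docker-stable          # official ZAP image (stable tag assumed)
    # Daemon mode, API reachable from the other containers on the compose network.
    # The key is disabled only because the network is a throwaway CI sandbox;
    # never expose an unkeyed ZAP API outside such a network.
    command: >
      zap.sh -daemon -host 0.0.0.0 -port 8080
      -config api.disablekey=true
      -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true
  tests:
    build: .                                # assumed: Dockerfile with WebdriverIO + headless Chrome
    depends_on: [zap, juice-shop]
    environment:
      TARGET_URL: http://juice-shop:3000    # the app under test, reached by service name
      ZAP_HOST: zap                         # the browser's proxy and the alerts API
      ZAP_PORT: "8080"
```

With `--abort-on-container-exit`, the exit status of the `tests` container is what ends the run; add `--exit-code-from tests` if the CI job should inherit that status.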
13. OWASP Juice Shop
● Demo Zap value
● Intentionally insecure webapp
● Official docker image
15. OWASP ZAP - Zed Attack Proxy
● Free & OSS security tool
● Two scanning modes:
○ Passive: inspects the requests and responses that flow through the proxy and sends nothing of its own, so it is safe on every build
○ Active: sends its own attack payloads at the app, so run it only against disposable test environments
● API/CLI
● Official docker image (stable, also dev and weekly exist)
[Diagram: browser traffic → ZAP proxy → web app]
17. UI Automation Test Code
● Walk ZAP through our web app: the UI tests drive a browser whose proxy is set to ZAP, so every request and response is recorded and passively scanned
● Any automation framework could be used
● Webdriver.io automation framework
● Simple JavaScript API
● Custom docker image with our test code
[Diagram: UI automation test code → ZAP proxy → web app]
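The wiring this slide describes, written out as an added example (not code from the Soluto/webdriverio-zap-proxy repository): a WebdriverIO capability object that routes the browser through ZAP, the ZAP API URL for pulling the alerts ZAP collected while the tests ran, and a triage step that fails the build at a chosen risk level. The `zap` and `juice-shop` hostnames, port 8080, the environment variable names and the sample alert JSON are assumptions constructed for this example.

```javascript
// Added example, not the repository's code. Hostnames, ports and env var
// names are assumptions about the docker-compose setup.

const ZAP_HOST = process.env.ZAP_HOST || 'zap';                 // assumed compose service name
const ZAP_PORT = Number(process.env.ZAP_PORT) || 8080;          // ZAP's default listen port
const TARGET = process.env.TARGET_URL || 'http://juice-shop:3000'; // assumed Juice Shop service

// WebDriver "proxy" capability: every request the browser makes, plain or
// TLS, goes to ZAP, which records it for passive scanning.
function buildCapabilities(zapHost = ZAP_HOST, zapPort = ZAP_PORT) {
  const proxy = `${zapHost}:${zapPort}`;
  return {
    browserName: 'chrome',
    proxy: { proxyType: 'manual', httpProxy: proxy, sslProxy: proxy },
    // ZAP re-signs TLS with its own CA. In a disposable CI browser we accept
    // that rather than installing ZAP's root certificate into the image.
    'goog:chromeOptions': { args: ['--headless', '--ignore-certificate-errors'] },
  };
}

// ZAP's alert view, scoped to the target so alerts from other hosts
// (analytics, CDNs) don't fail our build.
function alertsUrl(zapHost = ZAP_HOST, zapPort = ZAP_PORT, baseurl = TARGET, apiKey = '') {
  const u = new URL(`http://${zapHost}:${zapPort}/JSON/core/view/alerts/`);
  u.searchParams.set('baseurl', baseurl);
  u.searchParams.set('start', '0');
  u.searchParams.set('count', '0'); // 0 = no limit
  if (apiKey) u.searchParams.set('apikey', apiKey);
  return u.toString();
}

const RISK_ORDER = ['Informational', 'Low', 'Medium', 'High']; // ZAP's risk levels, ascending

// ZAP raises one alert per affected URL. Group by (name, risk) so the log
// shows each finding once with the URLs it hit, then apply the threshold.
function triageAlerts(alertsJson, failAt = 'Medium') {
  const threshold = RISK_ORDER.indexOf(failAt);
  if (threshold < 0) throw new Error(`unknown risk level: ${failAt}`);
  const groups = new Map();
  for (const a of alertsJson.alerts || []) {
    const key = `${a.risk}|${a.name}`;
    if (!groups.has(key)) groups.set(key, { name: a.name, risk: a.risk, urls: new Set() });
    groups.get(key).urls.add(a.url);
  }
  const summary = [...groups.values()]
    .map(g => ({ ...g, urls: [...g.urls].sort() }))
    .sort((x, y) => RISK_ORDER.indexOf(y.risk) - RISK_ORDER.indexOf(x.risk)); // highest risk first
  const failing = summary.filter(g => RISK_ORDER.indexOf(g.risk) >= threshold);
  return { summary, failing, passed: failing.length === 0 };
}

// Pull the alerts from the running ZAP (Node 18+ global fetch) and gate on
// them. Meant for WebdriverIO's onComplete hook, after the last session closes.
async function gateOnZapAlerts(failAt = 'Medium') {
  const res = await fetch(alertsUrl());
  if (!res.ok) throw new Error(`ZAP API returned ${res.status}`);
  const result = triageAlerts(await res.json(), failAt);
  for (const g of result.summary) {
    console.log(`${g.risk.padEnd(13)} ${g.name} (${g.urls.length} URL(s))`);
  }
  if (!result.passed) process.exitCode = 1;
  return result;
}

// Constructed sample in the shape ZAP's /JSON/core/view/alerts/ returns,
// trimmed to the fields used above. Not real scan output.
const SAMPLE_ALERTS = { alerts: [
  { name: 'X-Content-Type-Options Header Missing', risk: 'Low', url: 'http://juice-shop:3000/' },
  { name: 'Content Security Policy (CSP) Header Not Set', risk: 'Medium', url: 'http://juice-shop:3000/' },
  { name: 'Content Security Policy (CSP) Header Not Set', risk: 'Medium', url: 'http://juice-shop:3000/#/login' },
  { name: 'Cross-Domain Misconfiguration', risk: 'Medium', url: 'http://juice-shop:3000/rest/products/search' },
]};
```

In wdio.conf.js the object from `buildCapabilities()` goes into `capabilities` and `gateOnZapAlerts()` into the `onComplete` hook, so the gate runs only after ZAP has seen all the traffic. Grouping matters in practice: a build log that repeats the same missing header for fifty URLs hides the one finding worth reading.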
19. Want to give it a try?
Fork/Clone → Modify → Run in CI → Relax
20. What now?
● Future plans:
○ Alerts processing - Glue integration
○ Dedicated security tests
○ Integrate active mode
○ Mobile?
● Other ideas:
○ Zaproxy and Swagger/OpenAPI
○ Use Zaproxy in black-box tests
21. Conclusion
● We wanted to build a DAST solution that is:
○ Simple
○ Free
○ Valuable
● I hope you now know how...
[Diagram: UI automation → ZAP proxy → web app]