adessoTurkey
Published in

adessoTurkey

Security Scanner

OWASP ZAP Security Tests in Azure DevOps

OWASP ZAP in CI/CD

Owasp Zap is the world’s most widely used open source web app scanner tool
www.zaproxy.org

In the past, security was stuck in the final stage of development, meaning that it was shifted quite right. That was not as problematic when development cycles lasted so long. However, nowadays, DevOps is getting faster and faster but security is lagging behind. To overcome this issue, security should be shifted as left as possible. Thus, you should put a security stage during your build so as to achieve a far more secure environment. Here come some open source tools for this approach one of which is Owasp Zap.

OWASP ZAP is an open-source tool for security testing. It helps us to find different types of vulnerabilities such as SQL Injection, Cross-Site Scripting, etc. You can take a look at the link here to see all the attacks Owasp Zap performs.

During a CI/CD process, it is wise to use Owasp Zap just after building your image from your source code. For this, after the image is created and pushed to registry you need to add an Owasp Zap scan test. Then you will be able to see the vulnerabilities in your app before it is in production.

Here I will demonstrate how to use Owasp Zap in an Azure Devops pipeline in two different but kind of similar ways.

1) Security Testing with Owasp Zap container

1. Download the file(xml_to_nunit.xslt) in the link here and then put it into your repository

2. Go to the Pipelines section in Azure DevOps and then select New Pipeline

3. Then select Azure Repos Git

4. Select your repository

5. Select Starter Pipeline

6. Delete the contents of this pipeline

7. After you deleted the contents, add resources section at the beginning of your pipeline

8. Set trigger and configure stage and job for the pipeline

9. Add pool to the pipeline

10. Check out the repo and the pipeline itself

11. How will you be able to test your app? First, you need to run your application which was containerized before in detached mode on a specific port so that the Owasp Zap scanner can perform attacks on that port and scan your app

12. Then run Owasp Zap container. Be careful NOT to run it in detached mode

Here, as can be seen it runs a Full Scan which runs the ZAP spider against the target. This means that the script performsreal attacks” and can run for a long period of time. Not ideally suited for CI, but is a useful tool for release-gates.

You can change the scan type to Baseline Scan by changing zap-full-scan.py to zap-baseline.py in the code above. Baseline Scan runs the ZAP spider against the target for 1 minute, meaning that the script doesn’t perform any “real attacks”.

This scan runs on the pool agent. That is why you needed to run your application on this host in order for Owasp to scan it via the container port.

13. We need a PowerShell script to convert the report file

The ZAP scanner includes several reporting options. None of which are useful to teams. With the help of powershell script below, we will be able to obtain a much more useful report.

14. Last but not least, add a Publish Test Results task to convert the report file into Nunit format

15. The overall pipeline yaml file should look like this:

16. Click on the “Tests” section next to “Summary” once the execution of the pipeline finishes

17. Then you will see the test results

Note: Ignore the warnings that were created during “Publish Test Results” task

2) Security Testing with Owasp Zap Task

1. Follow the previous steps 2, 3, 4, 5, 6

2. Set trigger and configure stage and job for the pipeline

3. Add pool to the pipeline

4. Checkout the pipeline

5. Run your app in detached mode on a specific port to test your containerized application

6. Add “Owasp Zap Scanner” extension to the pipeline

7.1. Add Owasp Zap Scanner task to your pipeline

Here, as can be seen it runs a Full Scan which runs the ZAP spider against the target. This means that the script performsreal attacks” and can run for a long period of time. Not ideally suited for CI, but is a useful tool for release-gates.

You can change the scan type to Baseline Scan by changing the aggressive mode to false. Baseline Scan runs the ZAP spider against the target for 1 minute, meaning that the script doesn’t perform any “real attacks”.

The “Failure Threshold” indicates the score that the pipeline will begin to fail at. By default, the scan will be run in port 80 on the host agent, but you can change it to the port of your container. That is why you needed to run your application on this host in order for Owasp to scan it via the container port.

7.2. You can add the Owasp Zap Scanner task via the “Tasks” panel

8. To be able to see the report that Owasp Zap scan produced, use this script

9. Use the handlebars template and JSON report from the Owasp ZAP scan to generate a report in NUnit format and then add Publish Test Results task

10. The overall pipeline yaml file should look like this

11. After executing the pipeline, you can see the test results

Note: Ignore the warnings that were created during “Publish Test Results” task

Conclusion:

As discussed at the beginning of this article, the whole purpose here is to shift security left as much as possible. Instead of accumulating all the work at the end of the production and causing the security team to look over every little security detail in the process, it would be wise to divide the responsibility among the other teams in the production cycle. With the help of this kind of approach, everyone in the production cycle will be far more careful with their actions since it is now one of their responsibility to look over all types of security flaws in their work.

Resources:

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store