Security in a CI/CD pipeline
Integrate OWASP ZAP into Jenkins CI/CD pipeline
Businesses would always aim to release new features faster and whilst development teams adopting Agile may have found ways around managing these demands, it is the SecOps teams that still struggle to keep up with the pace of these accelerated demands. This is due to the fact that in many cases, they are rarely carried along during the project initiation phase and many stakeholders are not patient enough to delay going live if the software fails security assessment.
A common challenge in many organizations is the lack of alignment between teams. Despite this, It is important for the Development and Tools or DevOps team to release secured software to the public. Security teams are now adopting DevSecOps practices to accelerate how they execute automated security scanning to detect possible vulnerabilities in software using the same CI/CD pipelines implemented to speed up software delivery. In this technical walkthrough, I’ll demonstrate how to integrate OWASP ZAP with Jenkins to automate vulnerability detection in applications.
Definitions
OWASP ZAP is a Dynamic Application Security Testing tool. This tool can be used against any web application component to detect vulnerabilities.
Jenkins is an open-source automation server that enables developers around the world to reliably build, test, and deploy their software. This tool rank as number 1 among the top 20 most common CICD tools on the globe as of May 2020. If you’ve been wondering why it usually comes up in any DevOps Engineering interview, now you have your answer.
Let’s Get Started
Pre-requisites
- Install Jenkins plugins: Custom Tool, HTML Publisher. Will be needed.
Steps in Summary
- Install ZAP Jenkins plugins
- Install ZAP locally. We will be doing this through Jenkins UI
- Configure ZAP Host and Port number
- Organize your Jenkins project into a folder and create a freestyle project.
- Configure build environment to install ZAP
- Perform a test. Use a sample URL
- Generate HTML report output
Follow the images below to replicate the steps in your environment.
Step 1: Install ZAP Jenkins plugins. Jenkins > Manage Jenkins > Manage Plugins
Download latest ZAP from https://www.zaproxy.org/download/
Copy the URL of the latest ZAP https://github.com/zaproxy/zaproxy/releases/download/v2.9.0/ZAP_2.9.0_Linux.tar.gz
Step 2: Install ZAP locally with Custom Tool. Goto Jenkins > Manage Jenkins > Global Tool Config > Click Add Custom Tool
Step 3: Configure ZAP Host and Port number. Goto Jenkins > Manage Jenkins > Configure System > Scroll down to ZAP
Step 4: Create a Job as a freestyle project. Back to Jenkins > Create New item > Select Freestyle project > Save > Click Build Now
Step 5: Configure build environment to install ZAP.
Goto the ZAP job you just created, e.g. in my case CICD_ZAP_Test1. Click Configure, select build environment, check install custom tools
Select Build Tab, Click Add build step, Select Execute Zap
Under the Installation Method, choose the directory where ZAP will be installed. I allowed Jenkins to install in its default directory. Note: I am assuming you don’t have ZAP already installed.
Installation and configuration have been completed.
Let’s Test
In the build phase, you will need to provide an App name and URL of the asset you want to test. You will need to create a Persist session in ZAP.
include in Context: http://demo.domain.com.*
demo.domain.com is the Target Application and * indicates all paths in the app.
Exclude from Context (optional): ^(?:(?!http:\/\/demo.domain.com).*).$
Under Attack Mode section, specify starting point as http://demo.domain.com and select Spider Scan and Active Scan
Configure the reporting.
Finalize the test run.
RESULTS
Happy automating security scans in your Jenkins CICD pipeline.
