DevSecOps: CI/CD Web Application Testing Using Jenkins and OWASP ZAP.

SP_Harish, The Startup
Published Aug 11, 2020 (7 min read)

In a development environment, developers build applications in a native programming language and share the code on GitHub so that other developers on the team can review, strengthen, and extend the application. During this process the software is tested periodically to ensure the product's functionality and the application's robustness against cyber attacks.

How can development and other operations be achieved in a time-efficient fashion?
DevSecOps is a set of practices that work to automate and integrate the processes between software development and IT teams, so they can build, test, and release applications faster and more reliably.

Here I will demonstrate a simpler workflow using open-source DevSecOps tools. (All the tools are deployed on Debian, a Linux distro.)

Fig1.Architectural layout.

Jenkins: Installation

Jenkins is a free and open source automation server. It helps automate the parts of software development related to building, testing, and deploying, facilitating continuous integration and continuous delivery.

Apache Maven:

Maven is a build automation tool used primarily for Java projects. Maven can also be used to build and manage projects written in C#, Ruby, Scala, and other languages.

Apache Tomcat: Installation (DOCKER)

Apache Tomcat is an open-source implementation of the Java Servlet, Java Server Pages, Java Expression Language, and WebSocket technologies. Tomcat provides a “pure Java” HTTP web server environment in which Java code can run.

OWASP ZAP:

The OWASP Zed Attack Proxy is a Java-based tool that comes with an intuitive graphical interface, allowing web application security testers to perform fuzzing, scripting, spidering, and proxying in order to attack web apps. Being a Java tool means that it can be made to run on most operating systems that support Java. It is one of the most active Open Web Application Security Project (OWASP) projects.

1. CONFIGURATIONS.

1.1 Configuring the Jenkins instance.
Once Jenkins is installed, start the service:

systemctl start jenkins

Fig.1.1 starting Jenkins master node.

Navigate to the browser,

localhost:8080

For first-time users, the setup page asks for the initial admin password (the secret key); the path of the file that holds it is shown on the same page.
Then install all the recommended plugins.

Navigate to Manage Jenkins -> Manage Plugins -> Available.

Install all of the following plugins without restarting:
1. Deploy to container
2. Maven Integration plugin
3. Delivery Pipeline plugin
4. Custom Tools plugin
5. OWASP ZAP
6. HTML Publisher plugin

1.2 Starting and configuring Tomcat (assuming Docker is already installed on the system).

docker container run --name cat8 -d -p 8888:8080 tomcat:8.0

Host port 8888 is mapped to container port 8080, the port on which the official tomcat image listens inside the container; mapping 8888 to 8888 would leave nothing answering on localhost:8888.

Now tomcat can be viewed from the browser,

localhost:8888

Configure login credentials for deploying the web application on the Tomcat server inside the Docker container.

docker exec -it cat8 bash

nano conf/tomcat-users.xml

The container's working directory is /usr/local/tomcat, so the file to edit is conf/tomcat-users.xml. If no editor is present in the image, edit the file on the host and copy it in with docker cp.

Fig.1.2 starting tomcat server via docker

Add a username and password of your choice; Jenkins logs in with them to deploy the web application. The account needs the manager-script role (the Deploy to container plugin uses Tomcat's manager text interface), and nothing more.

Fig.1.3 Adding username and password into tomcat-users.xml.
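The least-privilege way to create that account, as an added Python example that is not part of the original post or of Tomcat/Jenkins: it writes a tomcat-users.xml granting only manager-script, and audits an existing file for deploy accounts that lack the role, carry console roles they do not need, or keep a sample password. The user name, password and sample file contents are constructed; it assumes Tomcat's default conf/tomcat-users.xml layout and the plugin's manager-script requirement.

```python
"""Write and audit the Tomcat user that Jenkins deploys with.

Added example, not from the original post or from Tomcat/Jenkins. It assumes
the default tomcat-users.xml layout and that the Jenkins "Deploy to container"
step authenticates against Tomcat's manager/text interface, which requires the
manager-script role. User names and passwords below are constructed.
"""
import sys
import xml.etree.ElementTree as ET

NS = "http://tomcat.apache.org/xml"
DEPLOY_ROLE = "manager-script"            # text/API interface used by the Jenkins plugin
GUI_ROLES = {"manager-gui", "admin-gui"}  # browser consoles; a CI account does not need them
SAMPLE_PASSWORDS = {"", "tomcat", "s3cret", "<must-be-changed>"}  # values seen in Tomcat's sample file


def build_tomcat_users(username, password, roles=(DEPLOY_ROLE,)):
    """Return tomcat-users.xml text granting `username` exactly `roles` (least privilege)."""
    ET.register_namespace("", NS)
    root = ET.Element(f"{{{NS}}}tomcat-users", version="1.0")
    for role in roles:
        ET.SubElement(root, f"{{{NS}}}role", rolename=role)
    ET.SubElement(root, f"{{{NS}}}user", username=username,
                  password=password, roles=",".join(roles))
    return ET.tostring(root, encoding="unicode")


def _local(tag):
    """Strip the namespace from an ElementTree tag ('{uri}user' -> 'user')."""
    return tag.rsplit("}", 1)[-1]


def audit_deploy_users(xml_text):
    """Return {username: {"roles": [...], "findings": [...]}} for every user
    holding a manager role; an empty findings list means the entry is sound."""
    root = ET.fromstring(xml_text)
    report = {}
    for elem in root.iter():
        if _local(elem.tag) != "user":
            continue
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if not roles & ({DEPLOY_ROLE} | GUI_ROLES):
            continue                      # ordinary user, not relevant to deployment
        findings = []
        if DEPLOY_ROLE not in roles:
            findings.append("lacks manager-script; the Jenkins deploy step will be refused")
        extra = roles & GUI_ROLES
        if extra:
            findings.append("holds console roles a CI account does not need: "
                            + ", ".join(sorted(extra)))
        if elem.get("password", "") in SAMPLE_PASSWORDS:
            findings.append("password is empty or a well-known sample value")
        report[elem.get("username")] = {"roles": sorted(roles), "findings": findings}
    return report


if __name__ == "__main__":
    # Usage: python tomcat_users.py <username> <password> > tomcat-users.xml
    #        python tomcat_users.py --audit conf/tomcat-users.xml
    if len(sys.argv) == 3 and sys.argv[1] == "--audit":
        with open(sys.argv[2], encoding="utf-8") as fh:
            for user, info in audit_deploy_users(fh.read()).items():
                print(user, info["roles"], info["findings"] or "OK")
    elif len(sys.argv) == 3:
        print(build_tomcat_users(sys.argv[1], sys.argv[2]))
    else:
        sys.exit("usage: tomcat_users.py <username> <password> | --audit <file>")
```

Run the audit against the file copied out of the container (docker cp cat8:/usr/local/tomcat/conf/tomcat-users.xml .) after every change; a deploy account that also carries manager-gui turns a leaked Jenkins credential into console access to the whole Tomcat instance.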

1.3 Configuring Maven within Jenkins

Navigate to Manage Jenkins -> Global Tool Configuration -> Add Maven.

Fig.1.3 Configuring Maven within jenkins

2. First job [deploy web application to Tomcat]

2.1. Creating a new job.

From the Jenkins dashboard, select New Item.
Enter an item name and select Maven project.

2.1.3 Source code management.
Enter the URL of the GitHub repository that holds the source code of your web application, the credentials of your user account, and the specific sub-directory, if any.

Fig.2.1.3 Source code management from Github.

2.1.4 Build

Enter the name of the POM file (the Root POM, normally pom.xml) and the Maven goals to execute.

Fig.2.1.4 Build configuration to build the web application.

2.1.5. Post build actions.

Select Deploy war/ear to a container.
Context path: the path under which the web application is deployed on the Tomcat server.
Credentials: enter the username and password that were added to the tomcat-users.xml file inside the Tomcat container.
Then enter the URL of the Tomcat server and save.

Fig.2.1.5. Configurations deploy on tomcat server instance.

2.2. Building the job.

Build Now

Output can be viewed under console output.
Now reload the localhost:8888 and the web application can be viewed.

All builds and projects are stored under the Jenkins home directory:

/var/lib/jenkins/workspace/
/var/lib/jenkins/jobs/

3. OWASP ZAP testing in Jenkins.

3.1. Configuring Custom Tool
Navigate to Manage Jenkins -> Global Tool Configuration -> Custom Tool.
Configure Jenkins to download OWASP ZAP from its download URL.

Fig.3.1. Download configuration for OWASP ZAP.

Navigate to Manage Jenkins -> Configure System -> ZAP.
Set the host IP and the port on which the ZAP instance will listen.

Fig.3.1.2. host and port to host owasp zap.

3.2. Web application testing job.
Set up a new job to perform an active scan of the target web application.

From the dashboard, New Item -> enter a project name -> Freestyle project.

3.2.1. Build environment

Install custom tools

Fig.3.2.1.Build environment setup.

3.2.2. Build

Installation method: select Custom Tools installation.
ZAP Home Directory: enter the path of the Jenkins home directory.

Fig.3.2.2. Installation method.

Session management:
Context Name: enter the name of the web application file (e.g. index.jsp).
Include in context: enter the URL of the target web application (e.g. http://localhost:8888/link/).

Fig.3.2.2.1. Session management

Attack Method:
Starting point: enter the URL of the web application to be tested.
Active scanning attempts to find potential vulnerabilities by using known attacks against the selected targets. Active scanning is an attack on those targets.

Spider Scan
Active Scan

Fig.3.2.2.2. Attack mode.

Finalize Run:
Fill in the report name and the formats to generate (HTML and XML). Use a unique filename for every scan run so that earlier reports are not overwritten.

Fig.3.2.2.3. Finalize Run.

3.2.3. Post-Build Action:
Add post build action -> Publish HTML reports.

Fig.3.2.3. Publish HTML report.

Build the job and view the vulnerability report, generated as an XML or HTML file in the report directory within Jenkins.
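Reading the report is the minimum; in a DevSecOps pipeline the XML version is what lets the build fail automatically. The following is an added Python example, not part of the original post or of the ZAP project: it parses a report in the shape ZAP writes (OWASPZAPReport > site > alerts > alertitem, riskcode 0-3, confidence 0-4), summarises alerts by risk and fails the job when a High-risk alert that has not been triaged as a false positive is present. The sample report, its URLs and its alerts are constructed so the script runs offline; the risk threshold and the script name zap_gate.py are assumptions.

```python
"""Gate a Jenkins build on the XML report written by the ZAP job.

Added example, not from the original post or the ZAP project. The report
below is constructed by hand in the shape of ZAP's XML report
(OWASPZAPReport > site > alerts > alertitem, riskcode 0-3, confidence 0-4)
so the script runs offline; in the pipeline it reads the file written to
the Jenkins report directory instead.
"""
import sys
import xml.etree.ElementTree as ET

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed sample: three alerts against the Tomcat-hosted app from the post.
SAMPLE_REPORT = """<OWASPZAPReport version="2.9.0" generated="Tue, 11 Aug 2020 10:00:00">
  <site name="http://localhost:8888" host="localhost" port="8888" ssl="false">
    <alerts>
      <alertitem>
        <alert>SQL Injection</alert>
        <riskcode>3</riskcode>
        <confidence>2</confidence>
        <riskdesc>High (Medium)</riskdesc>
        <instances>
          <instance><uri>http://localhost:8888/link/search.jsp?q=1</uri><method>GET</method></instance>
        </instances>
        <count>1</count>
        <cweid>89</cweid>
      </alertitem>
      <alertitem>
        <alert>X-Frame-Options Header Not Set</alert>
        <riskcode>2</riskcode>
        <confidence>2</confidence>
        <riskdesc>Medium (Medium)</riskdesc>
        <instances>
          <instance><uri>http://localhost:8888/link/index.jsp</uri><method>GET</method></instance>
          <instance><uri>http://localhost:8888/link/about.jsp</uri><method>GET</method></instance>
        </instances>
        <count>2</count>
        <cweid>16</cweid>
      </alertitem>
      <alertitem>
        <alert>Timestamp Disclosure</alert>
        <riskcode>1</riskcode>
        <confidence>0</confidence>
        <riskdesc>Low (False Positive)</riskdesc>
        <instances>
          <instance><uri>http://localhost:8888/link/index.jsp</uri><method>GET</method></instance>
        </instances>
        <count>1</count>
        <cweid>200</cweid>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def parse_alerts(xml_text):
    """Flatten every <alertitem> into a dict; missing fields default safely."""
    root = ET.fromstring(xml_text)
    alerts = []
    for item in root.iter("alertitem"):
        alerts.append({
            "name": item.findtext("alert", "").strip(),
            "risk": int(item.findtext("riskcode", "0")),
            "confidence": int(item.findtext("confidence", "0")),
            "cwe": item.findtext("cweid", "").strip(),
            "uris": [i.findtext("uri", "").strip() for i in item.iter("instance")],
        })
    return alerts


def summarize(alerts):
    """Count alerts per risk level, e.g. {'High': 1, 'Medium': 1, ...}."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for a in alerts:
        counts[RISK_NAMES.get(a["risk"], "Informational")] += 1
    return counts


def gate(alerts, max_risk_allowed=2, min_confidence=1):
    """Return (passed, offenders). An alert blocks the build when its risk is
    above max_risk_allowed and its confidence is at least min_confidence, so
    findings triaged as false positives (confidence 0) never fail the job."""
    offenders = [a for a in alerts
                 if a["risk"] > max_risk_allowed and a["confidence"] >= min_confidence]
    return not offenders, offenders


if __name__ == "__main__":
    # Usage in a Jenkins "Execute shell" step: python3 zap_gate.py <report.xml>
    # Without an argument the constructed sample is evaluated.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    found = parse_alerts(text)
    print("ZAP alerts by risk:", summarize(found))
    ok, blocking = gate(found)
    for a in blocking:
        print(f"BLOCKING: {a['name']} (CWE-{a['cwe']}) at {', '.join(a['uris'])}")
    sys.exit(0 if ok else 1)   # a non-zero exit marks the Jenkins build as failed
```

Run it as an Execute shell build step after the ZAP step, pointing at the XML file named in Finalize Run; because the Jenkins build status follows the exit code, the downstream pipeline stops on the High-risk finding while the HTML report stays published for triage. Lowering max_risk_allowed to 1 makes Medium findings blocking as well.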

4. Configure a pipeline to connect the deploying and testing jobs.

4.1. Integrating the jobs.
Under the deploying job (the first job), add another post-build action, Build other projects, and enter the name of the testing job. This triggers the testing job once the application has been deployed.

Fig.4.1 Integrating the jobs.

4.2. Pipeline visualization.
In a more complex pipeline it is difficult to get a holistic view of the continuous pipeline. To resolve this, we use the Delivery Pipeline plugin.
Click the “+” icon on the Jenkins dashboard, give your pipeline a name and select Delivery Pipeline View.

Fig.4.2 Pipeline visualization

Next, check the box for Enable start of new pipeline build.
Navigate to components under pipelines.
Initial job: Enter the name of the First job(deploying job) that the pipeline has to start with.

Fig.4.3.Pipeline configuration.

Now the created pipeline can be run and visualized from the pipeline dashboard by clicking the play icon.

5. ADVANCEMENT.

Jenkins uses a master-slave architecture to manage distributed builds, in which the master and the slaves communicate over TCP/IP. Your main Jenkins server is the master.
Multiple slave nodes can be deployed across a network and jobs can be distributed across them; likewise, multiple slaves can be integrated into a pipeline according to their build jobs. To build a complex pipeline using multiple agents, the pipeline configuration is written as a Groovy script.
Similar to OWASP ZAP, Burp Suite Enterprise Edition can be integrated with Jenkins to perform web application security testing.

Masters in Cybersecurity student at RMIT university, Melbourne.