Security checks, reviews, and fitness functions (FOLIO-3582)

[FOLIO-3583] OWASP Zed Attack Proxy (ZAP) Created: 16/Sep/22  Updated: 30/Nov/23

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None
Parent: Security checks, reviews, and fitness functions

Type: New Feature Priority: P3
Reporter: Craig McNally Assignee: Unassigned
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
is defined by FOLIO-3584 SPIKE - investigate OWASP Zed Attack ... Open
is defined by FOLIO-3868 Run OWASP Zed Attack Proxy (ZAP) agai... Open
Sprint:
Development Team: None
Epic Link: Security checks, reviews, and fitness functions

 Description   

Overview

The purpose of this feature is to use OWASP ZAP to identify potential security risks/vulnerabilities in FOLIO's web front end and the APIs it calls.

NOTE: the FOLIO project has run ZAP scans in the past, but it's been a long time. There's also the feeling that we can get more out of this tool with some effort.

What is ZAP?

From https://www.zaproxy.org/getting-started/:

Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.

At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.

Scope

  • Investigate, learn, and document ZAP.
    • What knobs can be adjusted to better suit our needs (scan policy, rule thresholds, authentication, context/scope)?
    • Can ZAP's extensibility (add-ons, scripts, the API) be leveraged for higher quality, more complete scans?
  • Design and implement processes and/or automation to periodically run ZAP scans.
    • Incorporate this into the flower release cycle/bugfest?
    • Periodically run this against nightly-built environments?
    • What happens when issues are identified?
      • Notification/alerting mechanisms?  Email? Slack? Other?
      • Automatic JIRA creation?
      • Something else?
  • Use ZAP!
    • Manual scans in the short-term
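
As an added example (not FOLIO or ZAP project code, and not a policy the team has agreed on), the script below shows the two pieces the scope items above leave open: the "knob" of per-rule thresholds, expressed in the same three-column IGNORE/WARN/FAIL config that zap-baseline.py reads with -c and writes with -g, and the "what happens when issues are identified" step, which parses the JSON report written by -J, applies the config, and produces a verdict plus a plain-text summary that could be posted to Slack or pasted into a Jira issue. The report and the rule config embedded in it are constructed samples; the hostname folio-snapshot.example and the docker invocation in the docstring are assumptions about how the scan would be run.

```python
"""Triage a ZAP JSON report against a zap-baseline style rule config.

Added example, not FOLIO or ZAP project code. Assumes the report came from the
packaged baseline scan, for instance (target URL is a placeholder):

    docker run --rm -v "$PWD":/zap/wrk/:rw ghcr.io/zaproxy/zaproxy:stable \
        zap-baseline.py -t https://folio-snapshot.example/ -c rules.tsv -J report.json

The rule config uses the same columns zap-baseline.py reads with -c and writes
with -g: <plugin id> <IGNORE|WARN|FAIL> (<rule name>), tab separated.
"""
import json
from collections import Counter

# riskcode values in the ZAP JSON report: 0 Informational, 1 Low, 2 Medium, 3 High.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}

# Constructed rule config (not a real FOLIO policy): mute one noisy rule, warn on
# a header-hygiene rule, fail the run on reflected XSS.
SAMPLE_RULES = """\
10021\tIGNORE\t(X-Content-Type-Options Header Missing)
10038\tWARN\t(Content Security Policy (CSP) Header Not Set)
40012\tFAIL\t(Cross Site Scripting (Reflected))
"""

# Constructed report in the shape zap-baseline.py -J emits; URLs are placeholders.
SAMPLE_REPORT = json.dumps({
    "@programName": "ZAP", "@version": "2.14.0",
    "site": [{
        "@name": "https://folio-snapshot.example",
        "alerts": [
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2", "count": "12",
             "instances": [{"uri": "https://folio-snapshot.example/", "method": "GET"}]},
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3", "count": "12",
             "instances": [{"uri": "https://folio-snapshot.example/", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2", "count": "1",
             "instances": [{"uri": "https://folio-snapshot.example/search?q=x",
                            "method": "GET", "param": "q"}]},
        ],
    }],
})


def parse_rules(text):
    """Map plugin id -> IGNORE/WARN/FAIL from a zap-baseline style config."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        plugin_id, action = line.split("\t")[:2]
        rules[plugin_id] = action.strip().upper()
    return rules


def default_action(riskcode):
    """Policy for rules the config does not list: fail on High, warn otherwise."""
    return "FAIL" if riskcode >= 3 else "WARN"


def triage(report_text, rules_text):
    """Return the verdict, per-action counts and the alerts that need follow-up."""
    rules = parse_rules(rules_text)
    report = json.loads(report_text)
    actions = Counter()
    findings = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert["riskcode"])
            action = rules.get(alert["pluginid"], default_action(risk))
            actions[action] += 1
            if action == "IGNORE":
                continue
            findings.append({
                "site": site["@name"], "pluginid": alert["pluginid"],
                "name": alert["alert"], "risk": RISK_NAMES[risk], "risk_code": risk,
                "action": action, "instances": int(alert.get("count", "0")),
                "uris": sorted({i["uri"] for i in alert.get("instances", [])}),
            })
    # FAIL entries first, then by descending risk, so the summary leads with the worst.
    findings.sort(key=lambda f: (f["action"] != "FAIL", -f["risk_code"]))
    # Same precedence as zap-baseline.py's exit status: any FAIL beats any WARN.
    verdict = "FAIL" if actions["FAIL"] else "WARN" if actions["WARN"] else "PASS"
    return {"verdict": verdict, "actions": actions, "findings": findings}


def summary(result):
    """Plain-text summary suitable for a Slack message or a Jira issue body."""
    a = result["actions"]
    lines = [f"ZAP scan verdict: {result['verdict']} "
             f"(fail={a['FAIL']}, warn={a['WARN']}, ignored={a['IGNORE']})"]
    for f in result["findings"]:
        lines.append(f"- [{f['action']}] {f['risk']}: {f['name']} "
                     f"(plugin {f['pluginid']}, {f['instances']} instance(s)) at {f['site']}")
    return "\n".join(lines)


if __name__ == "__main__":
    import sys
    result = triage(SAMPLE_REPORT, SAMPLE_RULES)
    print(summary(result))
    # Mirror zap-baseline.py: 0 pass, 1 fail, 2 warn, so CI can gate on it.
    sys.exit({"PASS": 0, "FAIL": 1, "WARN": 2}[result["verdict"]])
```

Run as written it prints a FAIL verdict driven by the reflected-XSS alert and exits 1; to use it on a real run, replace SAMPLE_REPORT and SAMPLE_RULES with the contents of report.json and rules.tsv. The unlisted-rule default (fail on High, warn on everything else) is a deliberate choice so that a new ZAP rule cannot silently pass until someone adds it to the config.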


 Comments   
Comment by Jakub Skoczen [ 24/May/23 ]

Craig McNally should we revisit this?

Comment by Craig McNally [ 24/May/23 ]

Jakub Skoczen yeah, it's been hanging out on the security team agenda for a while.  I think the problem is finding someone who has time to dedicate to this.

Comment by Craig McNally [ 24/May/23 ]

IIRC Skott Klebe did some work in this area but I don't have details handy.  I forget if anything was documented, or if it was just presented/shared with the security team.

Generated at Thu Feb 08 23:29:11 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.