Overview
The purpose of this feature is to use the OWASP ZAP project to identify potential security risks and vulnerabilities in FOLIO.
NOTE: the FOLIO project has run ZAP scans in the past, but it's been a long time. There's also the feeling that we can get more out of this tool with some effort.
What is ZAP?
From https://www.zaproxy.org/getting-started/:
Zed Attack Proxy (ZAP) is a free, open-source penetration testing tool being maintained under the umbrella of the Open Web Application Security Project (OWASP). ZAP is designed specifically for testing web applications and is both flexible and extensible.
At its core, ZAP is what is known as a “man-in-the-middle proxy.” It stands between the tester’s browser and the web application so that it can intercept and inspect messages sent between browser and web application, modify the contents if needed, and then forward those packets on to the destination. It can be used as a stand-alone application, and as a daemon process.
Scope
- Investigate, learn, and document ZAP.
  - What knobs can be adjusted to better suit our needs?
  - Can ZAP's extensibility be leveraged for higher-quality, more complete scans?
- Design and implement processes and/or automation to periodically run ZAP scans.
  - Incorporate this into the flower release cycle/bugfest?
  - Periodically run this against nightly-built environments?
  - What happens when issues are identified?
    - Notification/alerting mechanisms? Email? Slack? Other?
    - Automatic JIRA creation?
    - Something else?
- Use ZAP!
  - Manual scans in the short-term
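The following is an added example of what the "periodic scan, then decide what to do with the findings" automation above could look like; it is not FOLIO project code and not part of ZAP itself. It assumes the official image ghcr.io/zaproxy/zaproxy:stable ships the packaged zap-baseline.py scan, that its -J option writes ZAP's traditional JSON report (alerts carrying "alert", "riskcode" from 0 to 3, "count" and "instances"), and that its exit codes are 0 clean, 1 FAIL, 2 WARN and anything else an error; the target URL and the sample report are constructed. Verify those assumptions against the ZAP version you deploy.

```python
"""Scheduled ZAP baseline scan with report triage.

Added example for this page, not FOLIO or ZAP project code. Assumptions to
verify against your ZAP version: the image below ships zap-baseline.py; -J
writes ZAP's traditional JSON report in which each alert carries "alert",
"riskcode" (0 info .. 3 high), "count" and "instances"; exit codes are
0 clean, 1 FAIL, 2 WARN, anything else an error. Target and sample report
are constructed.
"""
import json
import subprocess
import sys
from collections import Counter
from pathlib import Path

IMAGE = "ghcr.io/zaproxy/zaproxy:stable"
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def baseline_command(target, workdir, report_name="zap.json", spider_minutes=5):
    """docker command for a passive baseline scan of target.

    /zap/wrk is bind-mounted from workdir so the JSON report lands on the host;
    -m caps spider time so a scheduled job cannot run away.
    """
    return [
        "docker", "run", "--rm",
        "-v", f"{Path(workdir).resolve()}:/zap/wrk:rw",
        IMAGE, "zap-baseline.py",
        "-t", target, "-J", report_name, "-m", str(spider_minutes),
    ]


def interpret_exit_code(code):
    """zap-baseline.py exit code -> job outcome (assumed mapping, see module doc)."""
    return {0: "clean", 1: "fail", 2: "warn"}.get(code, "scan-error")


def _alerts(report):
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            yield site.get("@name", "?"), alert


def summarize_report(report):
    """Alert count per risk level across every site in the report."""
    counts = Counter()
    for _, alert in _alerts(report):
        counts[RISK_NAMES.get(int(alert.get("riskcode", 0)), "Unknown")] += 1
    return dict(counts)


def triage(report, min_risk=2):
    """Alerts at or above min_risk (2 = Medium), highest risk first. Each entry
    carries what a Slack message or JIRA ticket needs: site, alert name, risk,
    instance count and one example URL."""
    found = []
    for site, alert in _alerts(report):
        risk = int(alert.get("riskcode", 0))
        if risk < min_risk:
            continue
        instances = alert.get("instances", [])
        found.append({
            "site": site,
            "name": alert.get("alert"),
            "riskcode": risk,
            "risk": RISK_NAMES.get(risk, "Unknown"),
            "instances": int(alert.get("count", len(instances))),
            "example": instances[0].get("uri") if instances else None,
        })
    found.sort(key=lambda a: -a["riskcode"])  # stable: report order within a level
    return found


SAMPLE_REPORT = {  # constructed, in the assumed report shape; not real scan output
    "@version": "2.14.0",
    "site": [{
        "@name": "https://folio-nightly.example",
        "alerts": [
            {"alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2",
             "count": "2", "instances": [{"uri": "https://folio-nightly.example/"},
                                         {"uri": "https://folio-nightly.example/login"}]},
            {"alert": "Cookie Without Secure Flag", "riskcode": "1",
             "count": "1", "instances": [{"uri": "https://folio-nightly.example/login"}]},
            {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "count": "3", "instances": [{"uri": "https://folio-nightly.example/assets/app.js"}]},
            {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0",
             "count": "1", "instances": [{"uri": "https://folio-nightly.example/"}]},
        ],
    }],
}


def run(target, workdir="zap-out", min_risk=2):
    """Scan, then fail the job only when something at or above min_risk was found."""
    workdir = Path(workdir)
    workdir.mkdir(exist_ok=True)
    proc = subprocess.run(baseline_command(target, workdir))
    if interpret_exit_code(proc.returncode) == "scan-error":
        sys.exit(f"ZAP did not complete (exit {proc.returncode}); see {workdir}")
    report = json.loads((workdir / "zap.json").read_text())
    print("alerts by risk:", summarize_report(report))
    findings = triage(report, min_risk)
    for a in findings:
        print(f"[{a['risk']}] {a['name']} x{a['instances']} e.g. {a['example']}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(run(sys.argv[1] if len(sys.argv) > 1 else "https://folio-nightly.example"))
```

The job decides pass/fail from the report rather than from ZAP's own exit code because, out of the box, the baseline scan reports every rule as WARN, which would make a nightly job fail on informational noise; the triage output is the list a notification hook or ticket-creation step would consume. Point `run()` at a nightly-built environment from cron or a CI schedule, and raise or lower `min_risk` once the team has looked at a few real reports.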