Overview
While FOLIO has used the OWASP ZAP tool in the past, it was a long time ago, and the sentiment among the Security Team is that we can likely get more out of ZAP.
The purpose of this spike is to research/investigate/explore ZAP and document answers to the following:
- What types/classes of vulnerabilities can/should the project expect ZAP to identify?
- What "knobs/dials" can be adjusted to better suit FOLIO's needs?
- Can ZAP's extensibility be easily leveraged to provide higher quality, more complete results?
- How might FOLIO incorporate ZAP into new or existing automation?
- Does it make sense to incorporate ZAP scans into:
  - The flower release cycle? (e.g. against bugfest)
  - Regularly run automation? (e.g. against nightly built environments – on a nightly/weekly/monthly basis)
- How, where can/should we keep scan results for tracking and historic purposes?
- How long should we retain scan results?
- Should scan results be publicly accessible, or kept private until after review by the Security Team?
- Is it possible that ZAP scans could interfere with regular use/testing of the system being scanned? If so, how might we mitigate the impact of this?
- What is the expected duration for ZAP scans, given various configurations?
Acceptance Criteria
- Spike findings are documented on the wiki and shared with the Security Team
- User stories are created/updated with details and/or references to existing or newly generated documentation