Security checks, reviews, and fitness functions (FOLIO-3582)

[FOLIO-3584] SPIKE - investigate OWASP Zed Attack Proxy (ZAP) Created: 16/Sep/22  Updated: 07/Sep/23

Status: Open
Project: FOLIO
Components: None
Affects versions: None
Fix versions: None
Parent: Security checks, reviews, and fitness functions

Type: Story Priority: P3
Reporter: Craig McNally Assignee: Skott Klebe
Resolution: Unresolved Votes: 0
Labels: security, security-reviewed
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original estimate: Not Specified

Issue links:
Defines
defines FOLIO-3583 OWASP Zed Attack Proxy (ZAP) Open
Sprint:
Development Team: None
Epic Link: Security checks, reviews, and fitness functions
RCA Group: TBD

Description

Overview

While FOLIO has used the OWASP ZAP tool in the past, it was a long time ago, and the sentiment among the Security Team is that we can likely get more out of ZAP.

The purpose of this spike is to research/investigate/explore ZAP and document answers to the following:

  • What types/classes of vulnerabilities can/should the project expect ZAP to identify?
  • What "knobs/dials" can be adjusted to better suit FOLIO's needs?
    • Can ZAP's extensibility be easily leveraged to provide higher quality, more complete results?
  • How might FOLIO incorporate ZAP into new or existing automation?
    • Does it make sense to incorporate ZAP scans into:
      • The flower release cycle? (e.g. against bugfest)
      • Regularly run automation? (e.g. against nightly built environments – on a nightly/weekly/monthly basis)
  • How, where can/should we keep scan results for tracking and historic purposes?
    • How long should we retain scan results?
    • Should scan results be publicly accessible, or kept private until after review by the Security Team?
  • Is it possible that ZAP scans could interfere with regular use/testing of the system being scanned? If so, how might we mitigate the impact of this?
    • What is the expected duration for ZAP scans, given various configurations?
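One shape the automation, result-retention and scan-duration questions above could take, as an added example (this is not FOLIO code and not an outcome of the spike): a wrapper that runs the ZAP baseline scan from the official docker image, times it, and appends per-risk alert counts to a history file. The image name, the /zap/wrk report location and the sample report are assumptions; only the summary and command-building functions are exercised here, the scan itself is not run.

```python
"""Nightly ZAP baseline scan wrapper (added example, not FOLIO code)."""
import json
import subprocess
import time
from datetime import datetime, timezone
from pathlib import Path

# Assumption: official ZAP image; zap-baseline.py writes its reports under /zap/wrk.
ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"
RISK_NAMES = {"0": "Informational", "1": "Low", "2": "Medium", "3": "High"}


def baseline_command(target, report_name, minutes=5):
    """Build the docker command for a passive baseline scan with a spider time budget (-m)."""
    return ["docker", "run", "--rm", "-v", f"{Path.cwd()}:/zap/wrk/:rw", ZAP_IMAGE,
            "zap-baseline.py", "-t", target, "-J", report_name, "-m", str(minutes)]


def summarize_report(report):
    """Count alerts per risk level across all sites in a ZAP JSON report (-J output)."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES.get(str(alert.get("riskcode")), "Informational")] += 1
    return counts


def run_and_record(target, history_dir, minutes=5):
    """Run the scan, measure its duration, and append a timestamped summary for history."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    report_name = f"zap-{stamp}.json"
    start = time.monotonic()
    # The baseline script exits non-zero when it raises WARN/FAIL alerts; that is expected.
    subprocess.run(baseline_command(target, report_name, minutes))
    duration = round(time.monotonic() - start)
    report = json.loads(Path(report_name).read_text())
    entry = {"timestamp": stamp, "target": target, "duration_s": duration,
             "counts": summarize_report(report)}
    Path(history_dir).mkdir(parents=True, exist_ok=True)
    with open(Path(history_dir) / "history.jsonl", "a") as fh:
        fh.write(json.dumps(entry) + "\n")
    return entry


# Constructed sample in the shape of a ZAP JSON report (not real scan output).
SAMPLE_REPORT = {"site": [{"@name": "https://example.test", "alerts": [
    {"alert": "Missing Anti-clickjacking Header", "riskcode": "2"},
    {"alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
    {"alert": "Information Disclosure - Suspicious Comments", "riskcode": "0"}]}]}

if __name__ == "__main__":
    print(summarize_report(SAMPLE_REPORT))
```

Appending one line per run to history.jsonl gives the Security Team a durable record of alert counts and scan durations per environment, which is the input the retention and timing questions need.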

Acceptance Criteria

  • Spike findings are documented on the wiki and shared with the Security Team
  • User stories are created/updated with details and/or references to existing or newly generated documentation

Generated at Thu Feb 08 23:29:12 UTC 2024 using Jira 1001.0.0-SNAPSHOT#100246-sha1:7a5c50119eb0633d306e14180817ddef5e80c75d.