DevSecOps: Integrating OWASP ZAP With GitLab and Calliope.pro

Begin your DevSecOps transformation with this small stepping stone.

By Marudhamaran Gunasekaran and Satheesh Kumar Varatharajan · Nov. 27, 18 · Tutorial

A short while ago, we were working with a software development team that was implementing DevSecOps practices for its mobile applications and APIs, with a cross-functional mix of API, Android, and iPhone developers; QA personnel; architects; UI and UX folks; and so on. We base our security consulting on DevOn’s Continuous Software Security Maturity Model, and three months into the engagement (after some training and initial security assessments), it was time to plug a basic security scan into the automation strategy.

Let’s get right to it. The development team was using GitLab for version control and integration, Calliope.pro for test automation, and, of course, Slack for collaborating with one another.

Here’s what we want to do:

  1. Start OWASP ZAP

  2. Use the matured API-automated test suite that the team has developed via Calliope.pro

  3. Let the automated tests proxy their traffic through OWASP ZAP

  4. Wait for the functional automated tests to complete

  5. Start an active scan with OWASP ZAP (reusing the API keys and session tokens that were proxied through OWASP ZAP)

  6. Send the scan report to Slack

Well, there are many ways to do this. Below is the way we chose to get up and running fast, with minimal cost for setting up and configuring all the nuts and bolts that work together.

Step 1

Create a GitLab test job named “api-tests-proxy” that runs when triggered by Calliope.pro. The job first starts OWASP ZAP listening on port 8090. It then runs the functional automation suite with its traffic proxied through port 8090, so that ZAP can record every request and response (including the API keys and session tokens the tests use), and afterwards starts ZAP’s active scan module via the ZapScan.py script. Finally, it uploads the report to Slack.

Step 2

Write the ZapScan.py script to start the OWASP ZAP active scan, extract the reports, and publish the message on Slack.

Step 3

Create and run the new test profile in Calliope.pro.

That’s it. Now, according to the schedule set in the Calliope.pro test runner, the tests will run and reports will be published to the Slack channel.
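The three steps above, taken together, come down to one script run at the end of the api-tests-proxy job. The following is an added example of what such a ZapScan.py can look like; it is not the authors’ own script. It assumes that the job has already started ZAP in daemon mode on localhost:8090 and pointed the functional tests at that proxy, that the ZAP API key and the Slack incoming-webhook URL arrive as CI variables (the names ZAP_API_KEY, SLACK_WEBHOOK_URL and TARGET_URL are chosen here), and that the target is the API base URL the functional tests exercised. The ZAP endpoints used (pscan/view/recordsToScan, ascan/action/scan, ascan/view/status, core/view/alerts) are part of ZAP’s standard JSON API; the transport is injectable so the scan-and-report logic can be exercised offline against a constructed sample of those responses.

```python
"""ZapScan.py-style driver: wait for ZAP to finish analysing the proxied test
traffic, run the active scan, summarise the alerts and post them to Slack.
Added example, not the article's ZapScan.py. Variable names and the Slack
webhook approach are assumptions; the ZAP API endpoints are ZAP's own."""
import json
import os
import time
import urllib.parse
import urllib.request

RISK_ORDER = ("High", "Medium", "Low", "Informational")

def http_get_json(url):
    """Default transport: GET the URL and decode ZAP's JSON reply."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.loads(resp.read().decode("utf-8"))

class ZapClient:
    """Thin wrapper around ZAP's JSON API. `fetch` is injectable so the logic
    below can run without a live ZAP (see sample_fetch)."""
    def __init__(self, base_url="http://localhost:8090", api_key="", fetch=http_get_json):
        self.base_url = base_url.rstrip("/")
        self.api_key = api_key
        self.fetch = fetch

    def call(self, component, kind, name, **params):
        params["apikey"] = self.api_key  # ZAP refuses API actions without the key
        return self.fetch(f"{self.base_url}/JSON/{component}/{kind}/{name}/?"
                          + urllib.parse.urlencode(params))

    def wait_for_passive_scan(self, poll=2):
        # Requests recorded while the functional tests ran may still be queued.
        while int(self.call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
            time.sleep(poll)

    def active_scan(self, target, poll=5):
        """Actively scan every URL ZAP recorded under `target`; block until 100%."""
        scan_id = self.call("ascan", "action", "scan", url=target, recurse="true")["scan"]
        while int(self.call("ascan", "view", "status", scanId=scan_id)["status"]) < 100:
            time.sleep(poll)
        return scan_id

    def alerts(self, target):
        return self.call("core", "view", "alerts", baseurl=target, start=0, count=9999)["alerts"]

def summarise(alerts):
    """Count alerts per risk level; list distinct High and Medium alert names."""
    counts = {risk: 0 for risk in RISK_ORDER}
    notable = set()
    for alert in alerts:
        risk = alert.get("risk", "Informational")
        counts[risk] = counts.get(risk, 0) + 1
        if risk in ("High", "Medium"):
            notable.add(alert["alert"])
    return counts, sorted(notable)

def slack_message(target, counts, notable):
    lines = [f"OWASP ZAP active scan finished for {target}",
             ", ".join(f"{risk}: {counts.get(risk, 0)}" for risk in RISK_ORDER)]
    lines += [f"- {name}" for name in notable]
    return "\n".join(lines)

def post_to_slack(webhook_url, text):
    """Post the summary through a Slack incoming webhook (assumed setup)."""
    req = urllib.request.Request(webhook_url, data=json.dumps({"text": text}).encode("utf-8"),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status

def run(target, zap, webhook_url=None):
    """Steps 4 to 6 of the plan: wait, actively scan, summarise, notify."""
    zap.wait_for_passive_scan()
    zap.active_scan(target)
    counts, notable = summarise(zap.alerts(target))
    text = slack_message(target, counts, notable)
    if webhook_url:
        post_to_slack(webhook_url, text)
    return counts, notable, text

# Constructed sample of what the ZAP endpoints above return, for an offline dry run.
SAMPLE_RESPONSES = {
    "/pscan/view/recordsToScan/": {"recordsToScan": "0"},
    "/ascan/action/scan/": {"scan": "3"},
    "/ascan/view/status/": {"status": "100"},
    "/core/view/alerts/": {"alerts": [
        {"risk": "High", "alert": "SQL Injection"},
        {"risk": "Medium", "alert": "X-Content-Type-Options Header Missing"},
        {"risk": "Medium", "alert": "X-Content-Type-Options Header Missing"},
        {"risk": "Low", "alert": "Cookie No HttpOnly Flag"},
    ]},
}

def sample_fetch(url):
    """Stand-in transport serving SAMPLE_RESPONSES instead of calling ZAP."""
    path = urllib.parse.urlparse(url).path
    return SAMPLE_RESPONSES[path.replace("/JSON", "", 1)]

if __name__ == "__main__":
    dry_run = os.environ.get("ZAP_DRY_RUN") == "1"
    client = ZapClient(api_key=os.environ.get("ZAP_API_KEY", ""),
                       fetch=sample_fetch if dry_run else http_get_json)
    print(run(os.environ.get("TARGET_URL", "http://api.example.test"), client,
              None if dry_run else os.environ.get("SLACK_WEBHOOK_URL"))[2])
```

Running the script with ZAP_DRY_RUN=1 prints the Slack text for the constructed sample without touching ZAP or Slack; in the pipeline it is run with the real variables after the functional suite has finished, which is what lets the active scan reuse the authenticated sessions ZAP recorded. Keeping the API key mandatory on every call is deliberate: the ZAP daemon on the CI runner should never accept unauthenticated scan commands.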

The OWASP ZAP scan above is not a complete security scan, nor is it foolproof security testing in any way. The steps described here are just a small stepping stone in the entire DevSecOps transformation.


Published at DZone with permission of Marudhamaran Gunasekaran. See the original article here.
