DevSecOps: Integrating OWASP ZAP With GitLab and Calliope.pro

Begin your DevSecOps transformation with this small stepping stone.

By Marudhamaran Gunasekaran · Satheesh Kumar Varatharajan · Nov. 27, 18 · Tutorial

A short while ago, we were working with a software development team that was implementing DevSecOps practices for its mobile applications and APIs, with a cross-functional mix of API, Android, and iPhone developers; QA personnel; architects; UI and UX folks; and so on. We run our security consulting according to DevOn's Continuous Software Security Maturity Model, and three months into the engagement (after some training and initial security assessments), it was time to plug a basic security scan into the automation strategy.

Let's get right to it. The development team was using GitLab for version control and integration, Calliope.pro for test automation, and, of course, Slack for collaborating with one another.

Here’s what we want to do:

  1. Start OWASP ZAP

  2. Use the matured API-automated test suite that the team has developed via Calliope.pro

  3. Let the automated tests proxy their traffic through OWASP ZAP

  4. Wait for the functional automated tests to complete

  5. Start an active scan with OWASP ZAP (reusing the API keys and session tokens that were proxied through OWASP ZAP)

  6. Send the scan report to Slack

Well, there are many ways to do this. Below is the way we chose to get up and running fast, with minimal cost of setting up and configuring all the nuts and bolts that work together.

Step 1

Create a test job named "api-tests-proxy" that runs when triggered by Calliope.pro. This job requires OWASP ZAP to be listening on port 8090. It then starts the functional automation suite with its traffic proxied through port 8090, so that OWASP ZAP can record every request (including the authenticated ones), and afterwards starts the OWASP ZAP active scan module via the ZapScan.py file. Finally, it uploads the report to Slack.

Step 2

Write the ZapScan.py script to start the OWASP ZAP active scan, extract the reports, and publish the message on Slack.

Step 3

Create and run the new test profile in Calliope.pro.

That's it. From now on, according to the schedule set in the Calliope.pro test runner, the tests will run and the reports will be published to the Slack channel.
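The three steps above amount to one orchestration flow: wait for the proxied functional run to finish, kick off the ZAP active scan over the recorded traffic, poll it to completion, and turn the findings into a Slack message and a pass/fail verdict for the pipeline. The script below is an added example written for this page; it is not the article's ZapScan.py (which is not reproduced here) and not project code. It assumes ZAP was started in daemon mode on port 8090 (for example with `zap.sh -daemon -port 8090 -config api.key=<key>`), that the functional suite has already sent its traffic through that port (so ZAP holds the sessions, cookies and API keys the scan needs), that the API key is in the `ZAP_API_KEY` environment variable, and that `SLACK_WEBHOOK_URL` is a Slack incoming-webhook URL. The target URL, webhook placeholder and the sample alert records in `canned_fetch` are constructed for the example; the ZAP endpoints used (`ascan/action/scan`, `ascan/view/status`, `core/view/alerts`) are ZAP's real JSON API. The HTTP transport is injectable so the whole flow can be run offline against those constructed responses.

```python
"""Orchestrate an OWASP ZAP active scan and push a summary to Slack.

Added example, not the article's ZapScan.py. Assumes ZAP runs in daemon mode on
127.0.0.1:8090 (override with ZAP_API), the API key is in ZAP_API_KEY, the functional
suite already proxied its traffic through ZAP, and SLACK_WEBHOOK_URL is an incoming
webhook. Run without ZAP_API set to exercise the flow against constructed responses.
"""
import json
import os
import time
import urllib.parse
import urllib.request

ZAP_API = os.environ.get("ZAP_API", "http://127.0.0.1:8090")
ZAP_API_KEY = os.environ.get("ZAP_API_KEY", "")
RISK_LEVELS = ("High", "Medium", "Low", "Informational")  # ZAP's risk labels


def http_fetch(url, data=None):
    """Real transport: GET, or POST when a body is given; returns the body as text."""
    headers = {"Content-Type": "application/json"} if data else {}
    req = urllib.request.Request(url, data=data, headers=headers)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode()


def zap_call(component, kind, name, params, fetch):
    """Call /JSON/<component>/<view|action>/<name>/ on the ZAP API and decode the reply."""
    query = dict(params)
    if ZAP_API_KEY:
        query["apikey"] = ZAP_API_KEY
    url = f"{ZAP_API}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(query)}"
    return json.loads(fetch(url))


def run_active_scan(target, fetch, poll_seconds=5, sleep=time.sleep):
    """Start an active scan of target and block until ZAP reports 100%; return the scan id."""
    scan_id = zap_call("ascan", "action", "scan", {"url": target}, fetch)["scan"]
    while int(zap_call("ascan", "view", "status", {"scanId": scan_id}, fetch)["status"]) < 100:
        sleep(poll_seconds)
    return scan_id


def summarise_alerts(alerts):
    """Group ZAP alert records by risk level into sorted, de-duplicated alert names."""
    summary = {risk: set() for risk in RISK_LEVELS}
    for alert in alerts:
        summary.setdefault(alert["risk"], set()).add(alert["alert"])
    return {risk: sorted(names) for risk, names in summary.items()}


def gate_failed(summary, max_high=0):
    """Pipeline gate: True when more distinct High-risk alerts were found than allowed."""
    return len(summary.get("High", [])) > max_high


def build_slack_text(target, summary):
    """Render the per-risk counts (and alert names) as a plain-text Slack message."""
    lines = [f"OWASP ZAP active scan finished for {target}"]
    for risk in RISK_LEVELS:
        names = summary.get(risk, [])
        lines.append(f"{risk}: {len(names)}" + (f" ({', '.join(names)})" if names else ""))
    return "\n".join(lines)


def run_pipeline(target, webhook_url, fetch=http_fetch, sleep=time.sleep):
    """Full flow: active scan -> fetch alerts -> summarise -> post to Slack -> gate verdict."""
    run_active_scan(target, fetch, sleep=sleep)
    alerts = zap_call("core", "view", "alerts", {"baseurl": target}, fetch)["alerts"]
    summary = summarise_alerts(alerts)
    text = build_slack_text(target, summary)
    fetch(webhook_url, data=json.dumps({"text": text}).encode())  # incoming webhook POST
    return {"summary": summary, "text": text, "failed": gate_failed(summary)}


def canned_fetch():
    """Constructed ZAP/Slack responses for running the flow offline (not real scan output)."""
    polls = {"n": 0}
    sample_alerts = [  # constructed records in the shape ZAP's core/view/alerts returns
        {"alert": "SQL Injection", "risk": "High", "url": "https://api.example.test/items"},
        {"alert": "SQL Injection", "risk": "High", "url": "https://api.example.test/users"},
        {"alert": "Missing Anti-clickjacking Header", "risk": "Medium", "url": "https://api.example.test/"},
        {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "url": "https://api.example.test/"},
    ]

    def fetch(url, data=None):
        if "/JSON/ascan/action/scan/" in url:
            return '{"scan": "3"}'
        if "/JSON/ascan/view/status/" in url:
            polls["n"] += 1  # report progress twice, then completion
            return '{"status": "45"}' if polls["n"] < 3 else '{"status": "100"}'
        if "/JSON/core/view/alerts/" in url:
            return json.dumps({"alerts": sample_alerts})
        return "ok"  # Slack incoming webhooks answer with a plain "ok"
    return fetch


if __name__ == "__main__":
    offline = "ZAP_API" not in os.environ
    webhook = os.environ.get("SLACK_WEBHOOK_URL", "https://hooks.slack.com/services/PLACEHOLDER")
    result = run_pipeline("https://api.example.test", webhook,
                          fetch=canned_fetch() if offline else http_fetch,
                          sleep=(lambda s: None) if offline else time.sleep)
    print(result["text"])
    raise SystemExit(1 if result["failed"] else 0)  # non-zero exit fails the GitLab job
```

The exit status is what makes this a DevSecOps gate rather than a report: when the job that runs the script ends non-zero, GitLab marks the pipeline failed, so a High-risk finding blocks the change instead of just landing in a Slack channel. The threshold in `gate_failed` is deliberately strict and should be tuned to the team's risk appetite; counting distinct alert names rather than raw hits keeps one injection class found on many endpoints from inflating the numbers.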

The OWASP ZAP scan described above is not a complete security scan, nor is it foolproof security testing in any way. These steps are just a small stepping stone in the entire DevSecOps transformation.


Published at DZone with permission of Marudhamaran Gunasekaran. See the original article here.
