DevSecOps: Integrating OWASP ZAP With GitLab and Calliope.pro

Begin your DevSecOps transformation with this small stepping stone.

By Marudhamaran Gunasekaran and Satheesh Kumar Varatharajan · Nov. 27, 18 · Tutorial


A short while ago, we were working with a software development team that was implementing DevSecOps practices for their mobile applications and APIs, with a cross-functional mix of API, Android, and iPhone developers; QA personnel; architects; UI and UX folks; and so on. We deliver our security consulting using DevOn's Continuous Software Security Maturity Model, and three months into the engagement (after some training and initial security assessments), it was time to plug a basic security scan into the automation strategy.

Let's get right to it. The development team was working with GitLab for version control and integration, Calliope.pro for test automation, and, of course, Slack for collaborating with one another.

Here’s what we want to do:

  1. Start OWASP ZAP

  2. Use the matured API-automated test suite that the team has developed via Calliope.pro

  3. Let the automated tests proxy their traffic through OWASP ZAP

  4. Wait for the functional automated tests to complete

  5. Start an active scan with OWASP ZAP (reusing the API keys and session tokens that were proxied through OWASP ZAP)

  6. Send the scan report to Slack

Well, there are many ways to do this. Below is the way we chose to get up and running fast, with minimal cost of setting up and configuring all the nuts and bolts that work together.

Step 1

Create a test job named "api-tests-proxy" that runs when triggered by Calliope.pro. The job first starts OWASP ZAP listening on port 8090. It then runs the functional automation suite with its traffic proxied through port 8090, so that ZAP records every request and response (including the authenticated ones). Once the functional tests finish, the job starts the ZAP active-scan module via the ZapScan.py script, and finally uploads the resulting report to Slack.

Step 2

Write the ZapScan.py script to start the OWASP ZAP active scan, extract the report, and publish the message to Slack.

Step 3

Create and run the new test profile in Calliope.pro.

That's it. From now on, according to the schedule set in the Calliope.pro test runner, the tests will run and the reports will be published to the Slack channel.
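The article's own ZapScan.py is not shown on this page. The following is an added example (not the authors' script) of what such a driver can look like against the ZAP JSON API: it starts the active scan on a target whose traffic was already proxied, polls until it completes, deduplicates alerts per rule, decides whether the GitLab job should fail, and posts a summary to Slack. Assumptions: ZAP's API is reachable on the same port 8090 as the proxy, the Slack step uses an incoming webhook (a placeholder URL here), and the target URL and API key are passed in by the caller.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8090"  # assumption: ZAP API served on the proxy port from Step 1
SLACK_WEBHOOK = "https://hooks.slack.com/services/PLACEHOLDER"  # placeholder, not a real webhook
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

def zap_get(path, params, opener=urllib.request.urlopen):
    """GET a ZAP JSON API endpoint and return the decoded body (opener is injectable for tests)."""
    url = f"{ZAP_API}{path}?{urllib.parse.urlencode(params)}"
    with opener(url) as resp:
        return json.loads(resp.read().decode())

def run_active_scan(target, apikey, poll_seconds=5):
    """Start an active scan on the already-proxied target and block until ZAP reports 100%."""
    scan_id = zap_get("/JSON/ascan/action/scan/", {"url": target, "apikey": apikey})["scan"]
    while int(zap_get("/JSON/ascan/view/status/", {"scanId": scan_id, "apikey": apikey})["status"]) < 100:
        time.sleep(poll_seconds)
    return zap_get("/JSON/core/view/alerts/", {"baseurl": target, "apikey": apikey})["alerts"]

def summarize(alerts):
    """Count alerts per risk level, de-duplicating repeated hits of one rule (pluginId + name)."""
    counts = {risk: 0 for risk in RISK_ORDER}
    seen = set()
    for alert in alerts:
        key = (alert.get("pluginId"), alert.get("name"))
        if key in seen:
            continue
        seen.add(key)
        counts[alert["risk"]] += 1
    return counts

def should_fail(counts, fail_on="Medium"):
    """Gate for the GitLab job: fail when any finding is at or above the fail_on risk level."""
    return any(n > 0 and RISK_ORDER[risk] >= RISK_ORDER[fail_on] for risk, n in counts.items())

def slack_text(target, counts):
    """One-line Slack summary, highest risk first."""
    ordered = sorted(counts, key=RISK_ORDER.get, reverse=True)
    return f"ZAP active scan of {target}: " + ", ".join(f"{r} {counts[r]}" for r in ordered)

def post_to_slack(text, opener=urllib.request.urlopen):
    """Send the summary through the (assumed) incoming webhook; returns the HTTP status."""
    req = urllib.request.Request(SLACK_WEBHOOK, data=json.dumps({"text": text}).encode(),
                                 headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.status
```

In the CI job, call `run_active_scan` after the functional suite finishes, then `summarize`, `post_to_slack`, and exit non-zero when `should_fail` is true so the pipeline surfaces the result.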

The OWASP ZAP scan above is not a complete security scan, nor is it foolproof security testing in any way. The steps described here are just a small stepping stone in the entire DevSecOps transformation.


Published at DZone with permission of Marudhamaran Gunasekaran. See the original article here.
