Finally, after 10 years, the OWASP ZAP community has a conference of its own. It was awesome. The presentations covered many of the best practices used by the ZAP community for ZAP automation features, various configuration options, and running ZAP to test the security of web and mobile applications.
There were so many great technical presentations during the day. However, a few techniques and features were particularly exciting and new.
Let’s talk about ‘em!
ZAP Automation Framework
Ever wish you could write more YAML? This is your chance. Check out the ZAP Automation Framework add-on from the marketplace. With this add-on you can configure many of the ZAP settings without having to use the UI or script various ZAP executions from the command line. It is pretty easy to get started with this add-on. You can generate the initial configuration YAML with the command below.
$ zap.sh -cmd -autogenmax ./configuration.yml
The only hard part is finding the location of the zap.sh for your install.
After you’ve generated the file you can open it in your text editor of choice and edit the url and other values to improve the scan results. Once you’ve configured the scan you can run it using your shiny new YAML file with the following command (pointing at the file you generated above).
$ zap.sh -cmd -autorun ./configuration.yml
The new ZAP Automation Framework add-on works great with existing add-ons, like the ones for OpenAPI and Report Generation. The whole configuration can be provided as, you guessed it, YAML! Here is what some of that would look like in action.
- type: spider
  parameters:
    context: my-app
    url: http://example.com
- type: activeScan
  parameters:
    context: my-app
- type: openapi
  parameters:
    apifile: api-definition.yaml
- type: report # Report generation
  parameters:
    template: traditional-html
If you dig all this sweet YAML and you’d like more info about the ZAP Automation Framework, you can watch the whole presentation over here.
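To show how the pieces above fit together, here is an added example (not code from the ZAPCon talk or the ZAP project) that writes a complete automation plan, with the env section that declares the context the jobs refer to, and then runs it headlessly. It assumes ZAP_PATH points at the directory containing zap.sh, and the context name, target URL and report directory are placeholders you supply; the spider, activeScan and report jobs and the failOnError / progressToStdout parameters are from the add-on's plan format.

```shell
#!/bin/sh
# Added example: generate a full ZAP Automation Framework plan and run it.
# Assumption: ZAP_PATH is the directory that holds zap.sh for your install.
set -eu

write_plan() {
  # $1 = plan file to write, $2 = context name, $3 = target URL, $4 = report dir
  # The env block declares the context; every job below refers to it by name.
  cat > "$1" <<EOF
env:
  contexts:
    - name: $2
      urls:
        - $3
  parameters:
    failOnError: true        # any job error fails the run with a non-zero exit
    progressToStdout: true   # log progress so CI output shows what ZAP is doing
jobs:
  - type: spider
    parameters:
      context: $2
      url: $3
  - type: activeScan
    parameters:
      context: $2
  - type: report
    parameters:
      template: traditional-html
      reportDir: $4
      reportFile: zap-report
EOF
}

plan_has_job() {
  # $1 = plan file, $2 = job type; succeeds if the plan lists that job
  grep -q "^  - type: $2\$" "$1"
}

run_plan() {
  # Runs ZAP headless with the plan; the exit status is what a CI job checks.
  "$ZAP_PATH/zap.sh" -cmd -autorun "$1"
}

# Only run ZAP when an install is actually available (placeholder values below).
if [ -n "${ZAP_PATH:-}" ] && [ -x "$ZAP_PATH/zap.sh" ]; then
  write_plan ./plan.yaml my-app http://example.com ./reports
  run_plan ./plan.yaml
fi
```

Because failOnError is set, a job that cannot run (for example a context whose URL is unreachable) makes zap.sh exit non-zero, so the plan can gate a pipeline rather than silently producing an empty report.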
🤖 Using Robot Framework to Run ZAP
We all know that automation is coming to all areas of our daily work. The Robot Framework hastens this process by allowing developers to define simpler domain specific languages that look more like natural language for teams who want to write automation without learning to code.
This presentation by the amazing Abhay Bhargav covered the RoboZAP project that can be used for automating ZAP during the QA process. Imagine running ZAP using something like the script below.
Start ZAP
    start headless zap    ${ZAP_PATH}
    sleep    30
    zap open url    ${ZAP_target}
    ...
Using this more natural language syntax makes ZAP automation easier. You can check out all the options that RoboZAP supports over in their documentation. Using the Robot Framework and ZAP looks really easy and definitely recruits more folks into the automation process.
What’s Next?
There were many other topics covered throughout the day. You can test mobile applications with ZAP, run ZAP in CI/CD and even use ZAP with intelligent fuzzers.
We also learned that Stackhawk makes it easy to integrate ZAP into the development process, so that you can fix security bugs before they reach production.
All the great talks couldn’t fit into one day of ZAPCon, so the team decided that the fun will continue in after-hours events over the coming weeks. The next one will be “Starting a Security Program on a Shoestring (with ZAP)” by Brian Myers on Tuesday, March 30, 8 AM PT.
Hope to see you there! 🦅 #Kaakaww