ZAPCon 2021:
ZAP Automation at Scale


Ron Perris|March 26, 2021

ZAPCon 2021 is in the books! Over 2,000 people from 80+ countries registered to dive deeper into ZAP and AppSec.

Finally after 10 years, the OWASP ZAP community has a conference of their own. It was awesome. The presentations covered many of the best practices used by the ZAP community for ZAP automation features, various configuration options, and running ZAP to test the security web and mobile applications.

There were so many great technical presentations during the day. However, a few techniques and features were particularly exciting and new.

Let’s talk about ‘em! 

Find and Fix Application Security Vulnerabilities with Automated Testing

ZAP Automation Framework

Ever wish you could write more YAML? This is your chance. Check out the ZAP Automation Framework add-on from the marketplace. With this add-on you can configure many of the ZAP settings without having to use the UI or script various ZAP executions from the command line. It is pretty easy to get started with this add-on. You can generate the initial configuration YAML with the command below.

$ -cmd -autogenmax ./configuration.yml

The only hard part is finding the location of the for your install.

After you’ve generated the file you can get into the file, with your text editor of choice, and edit the url and other values to improve the scan results. Once you’ve configured the scan you can run it using your shiny new YAML file with the following command.

$ -cmd -autorun ./config.yml

The new ZAP Automation Framework add-on works great with existing add-ons, like the ones for OpenAPI and Report Generation. The whole configuration can be provided as, you guessed it, YAML! Here is what some of that would look like in action.

- type: spider                       
      context: my-app                        

 - type: activeScan
      context: my-app

- type: openapi 
      apifile: api-definition.yaml
- type: report                       # Report generation
      template: traditional-html

If you dig all this sweet YAML and you’d like more info about the ZAP Automation Framework, you can watch the whole presentation over here.

🤖 Using Robot Framework to Run ZAP

We all know that automation is coming to all areas of our daily work. The Robot Framework hastens this process by allowing developers to define simpler domain specific languages that look more like natural language for teams who want to write automation without learning to code.

This presentation by the amazing Abhay Bhargav covered the RoboZAP project that can be used for automating ZAP during the QA process. Imagine running ZAP using something like the script below.

Plain Text
Start ZAP
	start headless zap ${ZAP_PATH}
	sleep 30
	zap open url ${ZAP_target}


Using this more natural language syntax makes ZAP automation easier. You can check out all the options that RoboZAP supports over in their documentation. Using the Robot Framework and ZAP looks really easy and definitely recruits more folks into the automation process.

Ready to Test Your App

What’s Next?

There were many other topics covered throughout the day. You can test mobile applications with ZAP, run ZAP in CI/CD and even use ZAP with intelligent fuzzers.

We also learned that Stackhawk makes it easy to integrate ZAP into the development process, so that you can fix security bugs before they reach production. 

All the great talks couldn’t fit into one day of ZAPCon. So the team decided that the fun will continue in after-hours events over the coming weeks. The next one will be, “Starting a Security Program on a Shoestring (with ZAP)” by Brian Myers on Tuesday, March 30, 8 AM PT.

Hope to see you there! 🦅 #Kaakaww

Ron Perris  |  March 26, 2021