Integrating OWASP ZAP in DevSecOps Pipeline
Security and innovations have often been at contrast positions when it comes to the development of new products and services. In a Rapid Application Development Cycle (DevSecOps), security teams often initiated DAST tools to locate vulnerabilities just before the launch of a new product or a new version of the previously-launched product. This became non-scalable and extremely time-consuming, mainly with strict sprints for quick releases with no substantial long-term security-related benefits. Fortunately, there are a few tools that could automate a good part of this system.
Zed Attack Proxy (ZAP) from OWASP is one of the most widely used security scanners for applications. This manual describes the step-by-step process for integrating the OWASP ZAP plugin with Jenkins – the favourite CI/CD (Continuous Integration/Continuous Development) platform in the world.
To start with, go to Plugin Manager on Jenkins and open Available tab. Now, search OWASP in the search bar and it will show Official OWASP ZAP plugin. Select and install it.
In addition to the plugin, you will also need to install ZAP on your local plugin. You can skip this step if you already have ZAP. Go to Global Tool Configuration in Jenkins and open Custom Tool Section. Here, keep the default settings and give a name to the custom tool along with adding Download URL for binary archive and subdirectory of extracted archive. After entering these details, click on the Save button.
(You can get the download link for ZAP’s latest version from here.)
Before moving forward, you will need to configure two essential things – host and port. Go to Jenkins > Configuration and fill in two sections under ZAP – Default Host and Default Port. You can set these values as localhost and 5555 respectively. After the details have been filled, click on the Save button.
In this step, you will be creating a new project. Enter a name in the Enter an item name textbox and select Freestyle project. Click on OK to proceed further.
On this screen (shown below), click on Save to proceed to the next step.
Now, click on Build Now for creating a master machine workspace.
Go to the configuration page of your ZAP project. Go to Build Environment tab and select the option for Install custom tools and accordingly, select ZAP from the Tool Selection dropdown. Click on the Save button to save your changes.
Go to Build tab and click on Execute ZAP button. Click on the Save button to save your changes.
Under Installation Method, select Custom Tools Installation for specifying how ZAP will be installed on the master machine. You will also need to path under the ZAP Home Directory. You can also specify .ZAP as a relative path to the ZAP Home Directory. Doing so will automatically create .ZAP folder in the Jenkins Custom Tools Directory – (/var/lib/Jenkins/tools/../.ZAP/).
If you are specifying the ZAP Home Directory custom path, you will also need to make sure that Jenkins has necessary permissions to create a directory in the specified path. For example, if a Jenkins user is not allowed to create a directory on /home/, you will need to manually create a directory and change to folder owner to the said Jenkins user.
Now, for specifying the environment variable for ZAP installed path (ZAPROXY HOME) –
- Go to Jenkins > Configuration, configure the system and select Environment Variables
- In Name textbox, enter ZAPROXY_HOME and in Value textbox, enter /opt/zaproxy and save the changes.
Just like the last step, we will continue the configuration of ZAP. After selecting System Installed option, you will need to provide a path for ZAP Home Directory. It gets created automatically when you first run ZAP on your local machine. In this example, it is /home/umar/.ZAP.
So far, you have connected and configured ZAP with Jenkins to trigger it during the construction process. Now, you will need to provide application/URL information which needs to be tested. In the Build tab,
- Go to Session Management section and select Persist Session.
- Now, you will have to enter details in Filename textbox under the same section while in Context Name, Include in Context, and Exclude from Context textboxes under Session Properties
Open Attack Mode section in the Build tab and here, you will need to enter your application’s URL in Starting Point textbox. Now, select the checkboxes for Spider Scan and Active Scan. For other details, you can leave them to the default selections.
After you select the checkbox for Active Scan, it will show you a dropdown for selecting policies. If you are running ZAP for the first time, it is possible that it will only show the Default Policy option.
Go to Post-build Actions and select the given checkbox for Generate Reports in xml and html formats. For every iteration of scans, you will need to give a unique filename. You can keep the name for scans as follows –
Under the Post-build Actions tab, enter logs/*, reports/* in the textbox corresponding to Files to archive option under Archive the artifacts section. In the Publish HTML Reports section, you will necessarily need to enter three details – HTML directory to archive, Index page(s), and Report title.
In Index page(s) textbox, you will need to enter file name created in the last step along with html extension –
Click on the Save button to save your changes.
Now, you can view the Job Dashboard HTML report and other workspace archived files.
Now, go to the Trigger Build tab and select the preferred options for CI/CD pipeline under the Build Trigger section. For this example, we are selecting the checkbox alongside Build after other projects are built. Also, in the Projects to watch textbox, you will need to enter the name of your project. Now, you will have to select one of the given conditional statements below the Projects to watch textbox. Here, we are selecting Trigger only if build is stable. Click on the Save button to save your changes.
That’s it. You have successfully integrated ZAP into your Jenkins pipeline. Even after a new commit is made on the GitHub repository, the ZAP Build process will run continuously with your existing CI pipeline.
Featured image taken from @freepik.
Penetration Testing for SaaS Companies25 Apr, 2019
Penetration Testing at DevSecOps Speed15 Apr, 2019