Intro to ZED Attack Proxy

in a CI/CD framework

Ian T Price

  • First computer:  Commodore Pet 2001 - 1977
  • Honeywell mainframes, Amstrad PC1640, Apple II
  • Six years at Dell - Sole Unix Sys V support person
  • Security? What security?

Centreline Support

  • Consultant since 1994 @  Centreline Support
  • One man bands to FT100 companies
  • Yacht Skipper 2010-2013
  • 2013 The world of DevOps, CI/CD and 'The Cloud'
  • BM - Bare Metal
  • VM - Virtual Machines
  • Micro Services - Containers
  • Micro Processes - AWS Lambda

How can anyone manually test security on each code submit when you have hundreds of containers or thousands of processes?

Logical Progression:

What drives your security?

...and 10% of that is in the index

Only mentions secur* 44 times...

When do you consider security?

What drives your security?

  • At development stage?  

  (Dyed-in-the-wool)

  • System Function * tests?

  (Dyed-in-the-yarn)

  • Band-Aid at end?             

 (Dyed-in-the-piece)

What drives your security?

  • Dev + Ops >> DevOps
  • DevOps + Sec >> DevSecOps
  • DevSecOps + Net >> DevSecNetOps

  • Get security in at the start
  • Continuous Integration - don't fear the auditor!
  • Changing nature of security hacks - Medical Records

Open Web Application Security Project (OWASP)

  • Focused on improving software security
  • OWASP Top Ten
  • A1 is Injection - SQL injection is the classic example

OWASP Top Ten 2013

A1 - Injection

A2 - Broken Authentication and Session Management

A3 - Cross-Site Scripting (XSS)

A4 - Insecure Direct Object References

A5 - Security Misconfiguration

A6 - Sensitive Data Exposure

A7 - Missing Function Level Access Control

A8 - Cross-Site Request Forgery (CSRF)

A9 - Using Components with Known Vulnerabilities

A10 - Unvalidated Redirects and Forwards

Cloud Security Alliance

Zed Attack Proxy

  • What is Zed Attack Proxy?
  • Flagship OWASP project
  • Automated web-app pentest tool (and an intercepting proxy for manual testing)
  • Good for both beginners & advanced users
  • Wide support - Google 'Summer of Code' project

ZAP - Features

  • Requires Java
  • Open source
  • Integrates with other tools, e.g. Selenium
  • Plug-ins / Extensions (e.g. Plug-n-Hack)
  • Includes the essentials for WebApp testing

Zap - Use Cases

Using ZAP as a 'Point & Click' tool

  • People new to security
  • Developers / QA
  • Learning about security

Zap - Use Cases

Professional Pentesters

  • Manual testing
  • Using automation to speed manual testing
  • Zest scripts & the ZAP API

Zap - Use Cases

ZAP Continuous Integration

  • Proxying regression tests through ZAP
  • Jenkins plug-in

Zap - Basics

  • Works as an intercepting proxy: browser or test harness -> ZAP -> web app
  • Passive scans inspect the traffic passing through; active scans send attack payloads to what ZAP has seen
  • 'Headless' (daemon) mode, driven through its REST API

Pentest sites

  • Get up to speed on security testing
  • DVWA - Damn Vulnerable Web App
  • The BodgeIT Store
  • Metasploitable

Testing: Get permission!

  • It's polite
  • Without it you will probably invalidate your tests
  • Especially on AWS - submit the pentest request form
  • AWS blocks malicious traffic

ZAP Demo - Manual

  • Active & passive scans
  • Injection scanning
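What the Injection demo is looking for (OWASP 2013 A1), in miniature. This is an added example, not code from the slides or from ZAP: a login query built by string concatenation beside its parameterised fix, plus a boolean-based check in the spirit of ZAP's SQL Injection scan rule (simplified, not ZAP's implementation). The SQLite table, the users in it and the function names are all constructed for the example.

```python
"""Injection (A1) vulnerable vs. fixed, and how a scanner infers it from responses alone."""
import sqlite3


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])   # constructed sample data
    return conn


def login_vulnerable(conn, username, password):
    """A1 Injection: user input is spliced into the SQL grammar."""
    sql = (f"SELECT username FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn, username, password):
    """Same query with bound parameters: input can only ever be a string value."""
    sql = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (username, password))]


def looks_injectable(probe, baseline_value):
    """
    Boolean-based detection, the way a scanner infers injection without seeing the SQL:
    appending an always-true condition must leave the response identical to the baseline,
    while an always-false condition must change it. probe(value) submits one parameter
    value and returns whatever the application answered.
    """
    baseline = probe(baseline_value)
    always_true = probe(baseline_value + "' AND '1'='1")
    always_false = probe(baseline_value + "' AND '1'='2")
    return baseline == always_true and baseline != always_false


if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, "alice", "' OR '1'='1"))   # auth bypass: every user comes back
    print(login_vulnerable(db, "alice'--", "wrong"))       # SQL comment strips the password check
    print(login_safe(db, "alice", "' OR '1'='1"))          # []
    print(looks_injectable(lambda u: login_vulnerable(db, u, "s3cret"), "alice"))  # True
    print(looks_injectable(lambda u: login_safe(db, u, "s3cret"), "alice"))        # False
```

The two payloads are the kind ZAP's active scanner submits to every parameter it has seen through the proxy; the passive scanner never sends them, which is why the injection finding only appears after the active scan in the demo.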

CD Regression Test

Regression tests of a webapp driven by Selenium

CD Security Regression Test

Selenium drives the regression tests, with their traffic proxied through ZAP

Test code can also drive the webapp directly through ZAP, using the ZAP API
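The pipeline the last two slides (and the 'Zap - Basics' slide) describe, as an added example that is not from the talk, the ZAP project or BDD-Security: route a Selenium run through ZAP, wait for the passive scan, launch an active scan, then turn ZAP's alerts into a pass/fail gate that a Jenkins job can key off. It assumes ZAP is already running as a daemon on 127.0.0.1:8080 with its API key disabled (e.g. `zap.sh -daemon -port 8080 -config api.disablekey=true`), that Chrome and chromedriver are installed for Selenium, and that the target `http://app.test/` and the risk threshold are placeholders; the alert sample at the bottom is constructed in the shape ZAP's `core/view/alerts` returns.

```python
"""Selenium -> ZAP -> web app, then a build gate on ZAP's alerts (assumes a ZAP daemon on :8080)."""
import json
import sys
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8080"        # assumed ZAP daemon, API key disabled
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def zap_call(component, kind, name, params=None, base=ZAP_API):
    """Call ZAP's JSON API: GET <base>/JSON/<component>/<view|action>/<name>/?<params>."""
    url = f"{base}/JSON/{component}/{kind}/{name}/?{urllib.parse.urlencode(params or {})}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def proxied_driver(zap_host="127.0.0.1", zap_port=8080):
    """Chrome WebDriver whose traffic is routed through ZAP (needs selenium + chromedriver)."""
    from selenium import webdriver  # imported here so the gate below works without Selenium
    opts = webdriver.ChromeOptions()
    opts.add_argument(f"--proxy-server=http://{zap_host}:{zap_port}")
    opts.add_argument("--ignore-certificate-errors")  # ZAP re-signs HTTPS with its own CA
    return webdriver.Chrome(options=opts)


def run_regression(target):
    """Stand-in for the real Selenium suite: every request it makes lands in ZAP's site tree."""
    driver = proxied_driver()
    try:
        driver.get(target)
    finally:
        driver.quit()


def wait_for_passive_scan():
    """Passive scan runs on proxied traffic; block until its queue drains."""
    while int(zap_call("pscan", "view", "recordsToScan")["recordsToScan"]) > 0:
        time.sleep(1)


def active_scan(target):
    """Start an active scan of everything under target and poll until it reports 100%."""
    scan_id = zap_call("ascan", "action", "scan", {"url": target, "recurse": "true"})["scan"]
    while int(zap_call("ascan", "view", "status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(5)


def fetch_alerts(target):
    return zap_call("core", "view", "alerts", {"baseurl": target})["alerts"]


def gate(alerts, fail_at="Medium", ignore_plugin_ids=()):
    """
    Decide the build from ZAP alerts. Returns (passed, counts_by_risk, failing_alerts).
    Alerts are de-duplicated on (pluginId, url, param) so repeated instances count once;
    ignore_plugin_ids lists accepted-risk rules by ZAP plugin id.
    """
    threshold = RISK_RANK[fail_at]
    ignored = {str(p) for p in ignore_plugin_ids}
    seen, failing = set(), []
    counts = {risk: 0 for risk in RISK_RANK}
    for alert in alerts:
        key = (str(alert["pluginId"]), alert["url"], alert.get("param", ""))
        if key in seen:
            continue
        seen.add(key)
        counts[alert["risk"]] += 1
        if RISK_RANK[alert["risk"]] >= threshold and key[0] not in ignored:
            failing.append({"risk": alert["risk"], "name": alert["name"],
                            "url": alert["url"], "param": key[2]})
    return not failing, counts, failing


# Constructed sample in the shape of ZAP's alert JSON (hypothetical target app.test).
SAMPLE_ALERTS = [
    {"pluginId": "40018", "name": "SQL Injection", "risk": "High",
     "url": "http://app.test/login", "param": "username"},
    {"pluginId": "10038", "name": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "http://app.test/", "param": ""},
    {"pluginId": "10038", "name": "Content Security Policy (CSP) Header Not Set",
     "risk": "Medium", "url": "http://app.test/", "param": ""},   # duplicate instance
    {"pluginId": "10021", "name": "X-Content-Type-Options Header Missing",
     "risk": "Low", "url": "http://app.test/", "param": "X-Content-Type-Options"},
    {"pluginId": "10015", "name": "Re-examine Cache-control Directives",
     "risk": "Informational", "url": "http://app.test/", "param": "Cache-Control"},
]


def main(target="http://app.test/"):
    run_regression(target)
    wait_for_passive_scan()
    active_scan(target)
    passed, counts, failing = gate(fetch_alerts(target), fail_at="Medium")
    print(json.dumps({"counts": counts, "failing": failing}, indent=2))
    return 0 if passed else 1      # non-zero exit is what fails the Jenkins build


if __name__ == "__main__":
    sys.exit(main())
```

Run it as a build step after ZAP has started; the exit code is the gate. The threshold and the ignore list are where accepted risks get recorded explicitly, so the auditor sees a deliberate decision rather than a silently green build. If the API key is enabled, every call additionally needs `apikey=<key>` in its query string.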

Jenkins ZAProxy Plug-in

  • Jenkins Plug-in
  • Allows ZAP to be run from Jenkins
  • Runs ZAP scans
  • Saves reports in all ZAP formats
  • Loads and saves sessions

BDD-Security

  • BDD-Security is a testing & automation framework
  • Uses ZAP, SSLyze, Nessus & others driven by Selenium
  • Open Source
  • Maintained by co-founder of OWASP

ZAP CI/CD demo

Jenkins & BDD-Security

ZAP Web Links


Q & A
