Security Scanner

OWASP ZAP Security Tests in Azure DevOps

OWASP ZAP in CI/CD

Manas Peçenek
Published in adessoTurkey
6 min read · Jul 9, 2021

OWASP ZAP is the world’s most widely used open source web app scanner tool
www.zaproxy.org

In the past, security testing sat at the final stage of development, as far to the right of the pipeline as it could be. That was less of a problem when release cycles were long. Nowadays DevOps delivery is getting faster and faster, but security is lagging behind. To close the gap, security should be shifted as far left as possible: add a security stage to your build so that vulnerabilities are found before anything ships. Several open source tools support this approach, one of which is OWASP ZAP.

OWASP ZAP is an open-source tool for dynamic security testing of web applications. It finds different types of vulnerabilities such as SQL Injection, Cross-Site Scripting and so on. The link here lists all the alerts ZAP can raise.

In a CI/CD pipeline, the natural place for a ZAP scan is right after the application image has been built from your source code. Once the image is created and pushed to the registry, add a stage that starts it and runs a ZAP scan against it. That way you see the vulnerabilities in your app before it reaches production.

Here I will demonstrate how to use OWASP ZAP in an Azure DevOps pipeline in two different, though similar, ways.

1) Security Testing with Owasp Zap container

1. Download the xml_to_nunit.xslt file from the link here and commit it to your repository; the PowerShell step later uses it to transform the ZAP report

2. Go to the Pipelines section in Azure DevOps and then select New Pipeline

3. Then select Azure Repos Git

4. Select your repository

5. Select Starter Pipeline

6. Delete the contents of this pipeline

7. After you have deleted the contents, add a resources section at the beginning of your pipeline

8. Set trigger and configure stage and job for the pipeline

9. Add pool to the pipeline

10. Check out the repo and the pipeline itself

11. How will you be able to test your app? First, run the application image you containerized earlier in detached mode and publish it on a specific port, so that the ZAP scanner can reach that port and attack your app

12. Then run the OWASP ZAP container. Be careful NOT to run it in detached mode: the step must block until the scan completes, otherwise the report does not exist yet when the next step runs and the scan’s exit code is never seen by the pipeline

Here, as can be seen, it runs a Full Scan: zap-full-scan.py runs the ZAP spider against the target with no time limit and then a full active scan. This means that the script performs actual “attacks”, sends a large number of requests to your application and can run for a long period of time. It is not ideally suited to every CI build, but it is a useful release gate.

You can change the scan type to a Baseline Scan by replacing zap-full-scan.py with zap-baseline.py in the command above. The baseline scan runs the ZAP spider against the target for one minute by default and then waits for passive scanning to finish, meaning that the script doesn’t perform any “real attacks”; it only inspects the requests and responses the spider produced. Both scripts exit non-zero when they report FAIL alerts (and, unless you pass -I, also on WARN alerts), which fails the pipeline step.

This scan runs on the pool agent. That is why you ran your application on the same host: ZAP reaches it through the port the container published.

13. We need a PowerShell script to convert the report file

The ZAP scanner includes several reporting options, none of which Azure DevOps can display natively. With the PowerShell script below, which transforms the XML report with the XSLT from step 1, we obtain a report in NUnit format that the Tests tab understands.

14. Last but not least, add a Publish Test Results task, set its format to NUnit and point it at the converted report file

15. The overall pipeline yaml file should look like this:

16. Click on the “Tests” section next to “Summary” once the execution of the pipeline finishes

17. Then you will see the test results

Note: Ignore the warnings that were created during “Publish Test Results” task
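The overall pipeline for this first approach, reconstructed from the steps above as an added example (it is not the article’s own YAML file, which was published as an image). The application image name and its port 8080, the report file names and the location of xml_to_nunit.xslt are assumptions; the task ids, the ZAP script flags and the XslCompiledTransform calls are as documented by Azure Pipelines, ZAP and .NET. The image was named owasp/zap2docker-stable when the article was written; it is published as ghcr.io/zaproxy/zaproxy:stable today.

```yaml
# Added example: Azure Pipelines YAML for approach 1 (OWASP ZAP container).
# Assumed: app image myregistry.azurecr.io/myapp:$(Build.BuildId) listening on 8080,
# report file names, and xml_to_nunit.xslt committed at the repository root.
trigger:
  - main

resources:
  repositories:
    - repository: self

stages:
  - stage: SecurityScan
    displayName: OWASP ZAP scan
    jobs:
      - job: zap
        pool:
          vmImage: ubuntu-latest
        steps:
          - checkout: self

          # Step 11: start the previously built image in detached mode on a known port
          # and wait until it answers, so ZAP does not spider an app that is still booting.
          - script: |
              docker run -d --name app -p 8080:8080 myregistry.azurecr.io/myapp:$(Build.BuildId)
              for i in $(seq 1 30); do
                curl -fs http://localhost:8080/ >/dev/null && break
                sleep 2
              done
            displayName: Start application container

          # Step 12: run ZAP in the foreground (no -d) so the step blocks until the scan ends.
          # --network host lets the ZAP container reach localhost:8080 on a Linux agent.
          # The mounted directory must be writable by the container's zap user, hence chmod.
          # Swap zap-full-scan.py for zap-baseline.py to get the passive-only baseline scan.
          # -I keeps WARN-level alerts from failing the step; FAIL-level alerts still do.
          - script: |
              chmod a+w "$(Build.SourcesDirectory)"
              docker run --rm --network host \
                -v "$(Build.SourcesDirectory):/zap/wrk/:rw" \
                -t owasp/zap2docker-stable zap-full-scan.py \
                -t http://localhost:8080 \
                -x OWASP-ZAP-Report.xml -r OWASP-ZAP-Report.html -I
            displayName: Run OWASP ZAP full scan

          # Step 13: transform the ZAP XML report into NUnit format with the XSLT from step 1.
          - task: PowerShell@2
            displayName: Convert ZAP report to NUnit
            inputs:
              targetType: inline
              script: |
                $XslPath = "$(Build.SourcesDirectory)/xml_to_nunit.xslt"
                $XmlInputPath = "$(Build.SourcesDirectory)/OWASP-ZAP-Report.xml"
                $XmlOutputPath = "$(Build.SourcesDirectory)/Converted-OWASP-ZAP-Report.xml"
                $XslTransform = New-Object System.Xml.Xsl.XslCompiledTransform
                $XslTransform.Load($XslPath)
                $XslTransform.Transform($XmlInputPath, $XmlOutputPath)

          # Step 14: publish the converted file. condition: always() makes the findings
          # visible in the Tests tab even when the scan step failed on FAIL-level alerts.
          - task: PublishTestResults@2
            displayName: Publish ZAP results
            condition: always()
            inputs:
              testResultsFormat: NUnit
              testResultsFiles: Converted-OWASP-ZAP-Report.xml
              searchFolder: $(Build.SourcesDirectory)
              testRunTitle: OWASP ZAP

          - script: docker rm -f app
            displayName: Stop application container
            condition: always()
```

Two things worth checking on your own agent before trusting the results: that ZAP could actually reach the app (an unreachable target produces an almost empty report and a green-looking run), and that the report files appeared in the sources directory, which fails silently with a permission error if the mount is not writable.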

2) Security Testing with Owasp Zap Task

1. Follow the previous steps 2, 3, 4, 5, 6

2. Set trigger and configure stage and job for the pipeline

3. Add pool to the pipeline

4. Check out the repository

5. Run your containerized application in detached mode on a specific port so that it can be tested

6. Install the “OWASP Zap Scanner” extension from the Visual Studio Marketplace into your organization so that its task becomes available to the pipeline

7.1. Add Owasp Zap Scanner task to your pipeline

Here, as can be seen, it runs a Full Scan: with aggressive mode enabled the task runs the ZAP spider against the target and then a full active scan. This means that the scan performs actual “attacks” and can run for a long period of time. It is not ideally suited to every CI build, but it is a useful release gate.

You can change the scan type to a Baseline Scan by setting aggressive mode to false. The baseline scan runs the ZAP spider against the target for one minute and relies on passive scanning only, meaning that it doesn’t perform any “real attacks”.

The “Failure Threshold” is the risk score at which the task starts failing the pipeline. By default the task scans port 80 on the host agent, so change it to the port your container published. That is why you ran your application on this host: the task scans it through the container’s port.

7.2. You can add the Owasp Zap Scanner task via the “Tasks” panel

8. To be able to see the report that the OWASP ZAP scan produced, use this script

9. Use the handlebars template together with the JSON report from the OWASP ZAP scan to generate a report in NUnit format, then add a Publish Test Results task pointing at the generated file

10. The overall pipeline yaml file should look like this

11. After executing the pipeline, you can see the test results

Note: Ignore the warnings that were created during “Publish Test Results” task
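The overall pipeline for this second approach, again reconstructed from the steps above as an added example rather than the article’s own YAML. The task id owaspzap@1 and its inputs (scantype, url, port, aggressivemode, threshold), the report path owaspzap/report.json and the use of handlebars-cmd follow the extension’s documentation at the time of writing; verify them against the extension’s README for the version you install. The application image and port, the threshold value and the committed template path owaspzap/nunit-template.hbs are assumptions.

```yaml
# Added example: Azure Pipelines YAML for approach 2 (OWASP Zap Scanner task).
# Assumed: app image myregistry.azurecr.io/myapp:$(Build.BuildId) on port 8080,
# the handlebars template committed as owaspzap/nunit-template.hbs.
trigger:
  - main

stages:
  - stage: SecurityScan
    displayName: OWASP ZAP scan
    jobs:
      - job: zap
        pool:
          vmImage: ubuntu-latest
        steps:
          - checkout: self

          # Step 5: start the containerized application in detached mode on a known port.
          - script: docker run -d --name app -p 8080:8080 myregistry.azurecr.io/myapp:$(Build.BuildId)
            displayName: Start application container

          # Step 7: the extension task. aggressivemode true = full scan with active attacks,
          # false = baseline scan. threshold is the risk score at which the task fails the
          # pipeline. port overrides the task's default of 80 with the container's port.
          - task: owaspzap@1
            displayName: OWASP ZAP scan
            inputs:
              scantype: targetedScan
              url: http://localhost
              port: 8080
              aggressivemode: true
              threshold: 50

          # Step 8: the task writes its JSON report under the sources directory; print it
          # so the raw findings are visible in the pipeline log.
          - bash: cat "$(Build.SourcesDirectory)/owaspzap/report.json"
            displayName: Show ZAP JSON report
            condition: always()

          # Step 9: render the JSON report into NUnit XML with the handlebars template.
          - bash: |
              sudo npm install -g handlebars-cmd
              handlebars "$(Build.SourcesDirectory)/owaspzap/report.json" \
                < "$(Build.SourcesDirectory)/owaspzap/nunit-template.hbs" \
                > "$(Build.SourcesDirectory)/owaspzap/test-results.xml"
            displayName: Convert ZAP report to NUnit
            condition: always()

          # Publish on always() so findings reach the Tests tab even when the threshold
          # made the scan task fail.
          - task: PublishTestResults@2
            displayName: Publish ZAP results
            condition: always()
            inputs:
              testResultsFormat: NUnit
              testResultsFiles: owaspzap/test-results.xml
              searchFolder: $(Build.SourcesDirectory)
              testRunTitle: OWASP ZAP

          - script: docker rm -f app
            displayName: Stop application container
            condition: always()
```

Compared with the first approach, the extension hides the docker invocation and the report conversion moves from XSLT to a handlebars template, but the operational caveats are the same: the target must be reachable from the agent on the port you pass to the task, and a threshold set too high turns the scan into a report that never gates anything.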

Conclusion:

As discussed at the beginning of this article, the whole purpose here is to shift security left as much as possible. Instead of piling all the security work up at the end of the delivery cycle and leaving the security team to review every detail on its own, it is wiser to share that responsibility with the other teams in the cycle. With this kind of approach, everyone involved becomes far more careful with their own changes, since checking for security flaws in their work is now part of their responsibility.
