DevSecOps: Integrating OWASP ZAP with GitLab, Calliope.pro functional tests and Slack notifications for reporting
This blog was written by both Satheesh Kumar & Marudhamaran Gunasekaran
A short while ago, we were working with a software development team doing DevSecOps for mobile applications backed by lots of APIs, with a cross-functional mix of API developers, Android and iPhone developers, QA personnel, architects, UI and UX folks and so on. We base our security consulting on DevOn's Continuous Software Security Maturity Model, and three months into the engagement (after some training and initial security assessments) it was time to plug a basic security scan into the automation strategy.
Let's get right to it. The development team was using GitLab for version control and integration, Calliope.pro for test automation, and of course Slack for chatting (read: collaborating).
Here’s what we wanted to do:
- Start OWASP ZAP
- Use the matured API automated test suite that the team has developed via Calliope.pro
- Let the automated tests proxy their traffic through OWASP ZAP
- Wait for the functional automated tests to complete
- Start an active scan with OWASP ZAP (using the API keys and session tokens that were proxied through OWASP ZAP)
- Send the scan report to Slack
Well, there are many ways to do this; below is the way we chose to get up and running fast, with minimal cost of setting up and configuring all the nuts and bolts that work together.
1. Create a test job called "api-tests-proxy" that runs when triggered from Calliope.pro. This job starts OWASP ZAP listening on port 8090, then starts the functional automation suite with its traffic proxied through port 8090 so that OWASP ZAP can read it, then starts the active scan module of OWASP ZAP using the ZapScan.py script, and finally uploads the report to Slack.
2. Write the ZapScan.py script to start the OWASP ZAP active scan, extract the reports and publish a message to Slack.
3. Create and run the new test profile in Calliope.pro.
That's it. Now, according to the schedule set in the test runner Calliope.pro, the tests will run and the reports will be published to the Slack channel as intended.
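As an added example (not the team's ZapScan.py, which the post does not show), here is the core of such a script in Python against ZAP's JSON API: start the active scan on the target the functional tests already exercised through the proxy, poll until it finishes, pull the alerts, summarise them by risk and post the summary to a Slack incoming webhook. The port, API key, webhook URL, report URL and the sample alerts are placeholders or constructed values.

```python
import json
import time
import urllib.parse
import urllib.request

ZAP_API = "http://127.0.0.1:8090"       # the port the CI job starts ZAP on
ZAP_API_KEY = "REPLACE-WITH-CI-SECRET"  # placeholder; inject from a masked CI variable
RISK_LEVELS = ("High", "Medium", "Low", "Informational")

# Constructed sample shaped like ZAP's core/view/alerts output, so this runs offline.
SAMPLE_ALERTS = [
    {"risk": "High", "alert": "SQL Injection", "url": "https://api.example.test/users"},
    {"risk": "High", "alert": "SQL Injection", "url": "https://api.example.test/orders"},
    {"risk": "Medium", "alert": "Missing Anti-CSRF Tokens", "url": "https://api.example.test/"},
]

def zap_get(endpoint, params=None):
    """Call a ZAP JSON API endpoint such as 'ascan/action/scan' and return the parsed body."""
    query = dict(params or {})
    query["apikey"] = ZAP_API_KEY  # ZAP rejects API calls without the configured key
    url = f"{ZAP_API}/JSON/{endpoint}/?{urllib.parse.urlencode(query)}"
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)

def run_active_scan(target, poll_seconds=10):
    """Start an active scan against the proxied target, wait for 100%, return the alerts."""
    scan_id = zap_get("ascan/action/scan", {"url": target, "recurse": "true"})["scan"]
    while int(zap_get("ascan/view/status", {"scanId": scan_id})["status"]) < 100:
        time.sleep(poll_seconds)
    return zap_get("core/view/alerts", {"baseurl": target})["alerts"]

def summarise_alerts(alerts):
    """Count alerts per risk level; keys follow the strings ZAP puts in the 'risk' field."""
    counts = {level: 0 for level in RISK_LEVELS}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts

def slack_message(counts, report_url):
    """Build the Slack text, listing the risk levels so readers see the High count first."""
    summary = ", ".join(f"{level}: {counts.get(level, 0)}" for level in RISK_LEVELS)
    return f"OWASP ZAP active scan finished ({summary}). Report: {report_url}"

def post_to_slack(webhook_url, text):
    """POST the message to a Slack incoming webhook and return the HTTP status code."""
    body = json.dumps({"text": text}).encode()
    req = urllib.request.Request(webhook_url, data=body, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status
```

In the CI job this chains as `post_to_slack(webhook, slack_message(summarise_alerts(run_active_scan(target)), report_url))` after the functional suite has finished; the HTML report itself can be fetched from ZAP's `OTHER/core/other/htmlreport` endpoint and kept as a job artifact.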
The above OWASP ZAP scan is not complete security scanning, nor is it foolproof security testing in any way. The described steps are just a small stepping stone in the entire DevSecOps transformation. The people who receive these reports need to know what a High, Medium or Low finding means, or need to have the resources (for example, access to a security professional or someone with security knowledge) to decipher these reports and understand them.