Today, when we put sensitive data online, more of our attention should go to the security of the applications that handle it. We could address this in a number of ways, from relying on our own internal development team to contracting a group of specialized security experts with up-to-date knowledge of current attack techniques.

The problem is that most developers have only a foundational understanding of the relevant security issues, which means you will need to spend significant resources bringing them up to the required level. And where that expertise is missing in the company, security testing usually never makes it into the CI pipeline at all.

The usual substitute is to run penetration tests and other security checks by hand, typically just before a release. The more important the release, the more time and effort goes into the penetration test, which in turn makes it more likely that issues will be discovered during testing. At that point there is a choice: delay the release and fix what was found, or ship on the planned date and postpone the fixes, which almost invariably increases the probability of a security incident.

This is an unfortunate vicious cycle, and in many cases it can be broken by automating penetration testing so that it runs on every build rather than once per release. One of the best tools to consider for this is OWASP ZAP.

OWASP ZAP

What is OWASP ZAP?

Zed Attack Proxy (ZAP) is a free and open-source penetration testing tool maintained under the umbrella of the Open Web Application Security Project (OWASP). It is designed specifically for web application testing and is flexible and extensible. At its core ZAP is an intercepting proxy: it sits between your browser and the application, so you can capture requests to the application, modify them, and resend them to see how the app reacts.

The tool can also be used without any setup by non-security experts: it can scan a web application with preconfigured parameters and produce results with a detailed explanation of each potential vulnerability. However, to be confident about the security level of your web application you will need to understand the basics of security testing as well as how to use the tool properly; an automated scan finds what its rules know how to find, not everything an attacker might try.

ZAP can be used in a variety of ways that cover most application security testing needs. We’d like to highlight the following features:

Passive scanning

The passive scan feature is ZAP’s most well-known capability. It examines every request and response that passes through the proxy without modifying them and raises an alert when something in a request or response looks wrong, such as a missing security header or a session cookie without the Secure flag. It is a good way to get a picture of your web application’s basic security state and to locate places where additional investigation is required.

Active scanning

Passive scanning does not modify any request or response and is considered safe. Active scanning, by contrast, is aimed at finding vulnerabilities that can only be confirmed by sending known attack payloads (injection and cross-site scripting probes, for example) against selected areas of your application. Because this can change data and trigger real behaviour in the target, you should only run it against applications you have explicit permission to test: an active scan is a real attack.
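To make the difference between the two scan types concrete, here is a miniature of each in Python. This is an added example, not code from the original post or from ZAP: the toy application, its paths and parameter names, and the three simplified rules are constructed for illustration and only loosely mirror ZAP’s own passive rules and its reflected-XSS active rule. The passive check only reads a recorded response; the active probe sends a payload and observes what the target does with it.

```python
"""Passive check versus active probe in miniature (added example; not ZAP's code)."""


# Constructed toy target standing in for the application under test. The /search
# handler deliberately reflects the 'q' parameter without encoding and sets a
# session cookie without Secure/HttpOnly; the home page is configured correctly.
def toy_app(method, path, params=None):
    """Return (status, headers, body); headers is a list of (name, value) pairs."""
    params = params or {}
    if path == "/search":
        headers = [("Content-Type", "text/html"), ("Set-Cookie", "session=abc123; Path=/")]
        return 200, headers, f"<h1>Results for {params.get('q', '')}</h1>"
    headers = [("Content-Type", "text/html"),
               ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly"),
               ("X-Content-Type-Options", "nosniff"),
               ("Content-Security-Policy", "default-src 'self'")]
    return 200, headers, "<h1>Home</h1>"


def passive_check(response):
    """Inspect one recorded response without sending anything, as a passive rule does.
    Returns alert names; these are simplified versions of checks ZAP's passive rules make."""
    _status, headers, _body = response
    names = {name.lower() for name, _ in headers}
    alerts = []
    if "content-security-policy" not in names:
        alerts.append("Content Security Policy (CSP) header not set")
    if not any(n.lower() == "x-content-type-options" and v.lower() == "nosniff" for n, v in headers):
        alerts.append("X-Content-Type-Options header missing")
    for name, value in headers:
        if name.lower() == "set-cookie":
            attrs = {a.strip().lower() for a in value.split(";")[1:]}
            if "secure" not in attrs:
                alerts.append("Cookie without Secure flag")
            if "httponly" not in attrs:
                alerts.append("Cookie without HttpOnly flag")
    return alerts


def active_probe_reflected_xss(app, path, param):
    """Send a canary containing characters that must be HTML-encoded and check whether
    it comes back verbatim. Unlike the passive check this changes what the target
    receives, which is why active scanning needs permission."""
    canary = "zap<'\">zap"
    _status, _headers, body = app("GET", path, {param: canary})
    return canary in body  # True: raw reflection, a reflected-XSS candidate


def crawl_and_scan(app, targets):
    """Spider-like loop over known pages: passively scan every response, then actively
    probe each page's parameters. targets maps path -> list of parameter names."""
    findings = {}
    for path, params in targets.items():
        passive = passive_check(app("GET", path))
        active = [p for p in params if active_probe_reflected_xss(app, path, p)]
        findings[path] = {"passive": passive, "reflected_xss_params": active}
    return findings


if __name__ == "__main__":
    for path, result in crawl_and_scan(toy_app, {"/": [], "/search": ["q"]}).items():
        print(path, result)
```

Running the script shows the home page clean under both checks and /search raising four passive alerts plus a reflected-XSS candidate on `q`; ZAP’s real rules do the same kind of inspection, with many more checks and context-aware payloads.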

Quick Start Test

Quick Start Test lets you run checks with default parameters. You only need to specify the target (a URL, or an IP address with the port) and start it. ZAP will crawl (spider) the web application, passively scanning each page it finds, and will then run the active scanner against all of the discovered pages, functionality, and parameters.

OWASP ZAP Quick Start Test

Used properly, ZAP lets you raise the security level of your web applications and of the HTTP APIs behind your mobile applications. Integrated into the CI pipeline, it runs its scans on every build and can fail the build when new findings appear, so issues are caught as they are introduced rather than at the pre-release penetration test. ZAP’s scan rules and add-ons are themselves updated through its marketplace, so the checks keep pace with newly documented weaknesses.
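The Quick Start flow described above (spider, passive scan, active scan) is exactly what ZAP’s packaged scan scripts run unattended: `zap-baseline.py` does the spider and passive scan, `zap-full-scan.py` adds the active scan, and both can write a JSON report with `-J`. The Python script below is an added example, not part of the original post or of ZAP itself. It runs the scan from the official Docker image and then decides the build’s exit status from the report using a risk threshold and an accepted-risk list, rather than relying on the script’s own exit code. The image name, script names and flags are ZAP’s documented ones; the target URL, file names, risk threshold, accepted plugin and the sample report are constructed assumptions.

```python
"""CI gate around OWASP ZAP's packaged scan scripts (added example, not ZAP's own code)."""
import json
import subprocess
import sys
from pathlib import Path

ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"  # official ZAP image; the scan scripts live in /zap
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}  # ZAP's riskcode values


def render_rules(ignore_plugins, comment="accepted risk"):
    """Text of a '-c' rules file: <pluginid><TAB>IGNORE<TAB><comment> per accepted plugin.
    Plugins not listed keep the scripts' default handling (WARN)."""
    return "".join(f"{pid}\tIGNORE\t{comment}\n" for pid in sorted(str(p) for p in ignore_plugins))


def run_zap_scan(target, workdir, full=False, spider_minutes=2, ignore_plugins=()):
    """Unattended Quick Start: spider + passive scan (baseline), plus active scan when full=True.
    workdir is mounted at /zap/wrk so the reports land beside the build; it must be writable
    by the container's user. Returns the script's exit code (0 pass, 1 FAIL, 2 WARN, 3 error).
    -I keeps WARN from failing the step; gate() decides that from the JSON report instead."""
    workdir = Path(workdir).resolve()
    workdir.mkdir(parents=True, exist_ok=True)
    (workdir / "zap-rules.tsv").write_text(render_rules(ignore_plugins))
    script = "zap-full-scan.py" if full else "zap-baseline.py"
    cmd = ["docker", "run", "--rm", "-v", f"{workdir}:/zap/wrk/:rw", ZAP_IMAGE, script,
           "-t", target, "-m", str(spider_minutes), "-c", "zap-rules.tsv",
           "-J", "zap-report.json", "-r", "zap-report.html", "-I"]
    return subprocess.run(cmd).returncode


def triage(report, fail_at=2, ignore_plugins=()):
    """Return (worst_risk, blocking): the highest riskcode seen and the alerts at or above
    fail_at. Alerts from accepted plugins are skipped entirely, matching the IGNORE rules."""
    ignore = {str(p) for p in ignore_plugins}
    worst, blocking = 0, []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert.get("pluginid"))
            if pid in ignore:
                continue
            risk = int(alert.get("riskcode", 0))
            worst = max(worst, risk)
            if risk >= fail_at:
                blocking.append({
                    "plugin": pid,
                    "name": alert.get("alert") or alert.get("name"),
                    "risk": RISK_NAMES.get(risk, str(risk)),
                    "site": site.get("@name"),
                    "urls": [inst.get("uri") for inst in alert.get("instances", [])],
                })
    return worst, blocking


def gate(report, fail_at=2, ignore_plugins=()):
    """Exit status for the CI step: 1 if any non-accepted alert reaches fail_at, else 0."""
    worst, blocking = triage(report, fail_at, ignore_plugins)
    for b in blocking:
        print(f"[{b['risk']}] {b['name']} (plugin {b['plugin']}) at {', '.join(b['urls'])}")
    print(f"worst risk seen: {RISK_NAMES.get(worst, worst)}; blocking findings: {len(blocking)}")
    return 1 if blocking else 0


# Constructed sample in the shape of ZAP's JSON report; not output from a real scan.
SAMPLE_REPORT = {
    "@version": "2.14.0",
    "site": [{
        "@name": "https://app.example.test", "@host": "app.example.test", "@port": "443", "@ssl": "true",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "confidence": "3",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/search?q=x", "method": "GET", "param": "q"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"},
                           {"uri": "https://app.example.test/login", "method": "GET"}]},
        ],
    }],
}

if __name__ == "__main__":
    # Usage: python zap_gate.py https://staging.example.test ./zap-out   (needs Docker)
    # With no arguments the gate runs against the constructed sample report.
    accepted = {"10021"}  # assumed accepted risk, e.g. a header the CDN adds only in production
    if len(sys.argv) == 3:
        run_zap_scan(sys.argv[1], sys.argv[2], full=True, ignore_plugins=accepted)
        report = json.loads((Path(sys.argv[2]) / "zap-report.json").read_text())
    else:
        report = SAMPLE_REPORT
    sys.exit(gate(report, fail_at=2, ignore_plugins=accepted))
```

Two practical notes: the mounted directory must be writable by the container’s user or the reports will not be written, and the accepted-risk list should live in version control next to the pipeline definition so that every IGNORE has a reviewable reason rather than silently shrinking what the gate enforces.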

We’re ready to help you bring the security of your existing applications to the next level using this and many other special tools.

Stay safe with Bekitzur!

Talk to Us