June 25, 2020 // By Bill Roske
“Information is power”, as the saying goes, and crooks are always looking for more. Stories of security and data breaches are all too common these days. As software quality engineers, we cannot all drop what we are doing and become security or “penetration testing” experts. But fear not! There IS something we can do.
The Open Web Application Security Project (OWASP) publishes a list of the Top 10 security vulnerabilities of web applications. Most developers know (or should know) about this list. But do they know when a change they made opens up a vulnerability on that list? Wouldn’t it be great if there were a way to monitor the application under test WHILE we test and identify some of these vulnerabilities automatically?
There is! OWASP makes available an open source security testing tool called the Zed Attack Proxy (ZAP). It can monitor all web traffic between a browser (or web API test) and the underlying services, identifying the security risks it sees. Installing ZAP as a proxy between your browser and the application takes seconds and allows you to test your application (manually or with automation) as you normally would. At the end of your testing session you can generate a report that identifies specific risks, by risk level, with references and suggested solutions.
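To make the passive side of this concrete, here is a small added illustration (my own code, not ZAP's) of the kind of check a proxy can run on a response it merely observes: parse the headers, flag weak or missing protections, and rank findings by risk level the way a report would. The check names, risk levels and the two sample responses are constructed approximations for this example, not ZAP's actual rules.

```python
# Rank used to sort findings, highest risk first (constructed mapping).
RISK_ORDER = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}

def parse_response(raw):
    """Split a raw HTTP/1.1 response into (status line, [(name, value), ...])."""
    head, _, _body = raw.partition("\r\n\r\n")
    status, *lines = head.split("\r\n")
    headers = []
    for line in lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers

def passive_scan(raw):
    """Return (risk, description) findings for one response, highest risk first."""
    _status, headers = parse_response(raw)
    present = {name for name, _ in headers}
    findings = []
    if "content-security-policy" not in present:
        findings.append(("Medium", "Content-Security-Policy header not set"))
    if "x-content-type-options" not in present:
        findings.append(("Low", "X-Content-Type-Options header missing"))
    if "strict-transport-security" not in present:
        findings.append(("Low", "Strict-Transport-Security header not set"))
    for name, value in headers:
        if name == "set-cookie":
            # Cookie attributes follow the first ';' and are case-insensitive.
            cookie = value.split(";")[0].split("=")[0]
            flags = {f.strip().lower() for f in value.split(";")[1:]}
            if "httponly" not in flags:
                findings.append(("Low", f"Cookie {cookie} lacks HttpOnly flag"))
            if "secure" not in flags:
                findings.append(("Low", f"Cookie {cookie} lacks Secure flag"))
        elif name == "server" and any(ch.isdigit() for ch in value):
            findings.append(("Low", f"Server header leaks version: {value}"))
    return sorted(findings, key=lambda f: -RISK_ORDER[f[0]])

# Constructed sample responses: one weak, one with the protections in place.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nContent-Type: text/html\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/\r\n\r\n<html>hi</html>"
)
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Apache\r\nContent-Type: text/html\r\n"
    "Content-Security-Policy: default-src 'self'\r\nX-Content-Type-Options: nosniff\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Set-Cookie: JSESSIONID=abc123; Path=/; Secure; HttpOnly\r\n\r\n<html>hi</html>"
)
```

Calling `passive_scan(WEAK_RESPONSE)` yields six findings with the missing CSP ranked first, while `passive_scan(HARDENED_RESPONSE)` yields none; a real proxy does the same over every response that passes through it during a test run.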
ZAP has a BUNCH more capability than that. It can even perform an automated attack on your application. **NOTE: Do NOT do this without explicit permission and advisement from your security team. It WILL set off alarms you didn’t even know existed! (speaking from the experience of “a friend” 😊)** It’s not my intent to produce a tutorial on the use of ZAP in this forum. OWASP has done an excellent job of that, available at the link I mentioned above.
Injecting ZAP into your functional and regression testing can provide information to developers early in the development process and prevent an embarrassing and costly vulnerability in your application. It’s not a silver bullet! It doesn’t take the place of a thorough security testing strategy. However, the cost is minimal and the information generated is invaluable.
Remember: “Information is Power.” Power to the team!!