
Zapping Selenium - Integrating OWASP into CI/CD


Adding OWASP into your CI/CD pipelines. This was a brief lightning talk that I did for Cloud Austin; if you have any questions, please reach out to me on Twitter.


Evan Niedojadlo

December 14, 2018


Transcript

  1. What are we trying to solve?
     • At the moment there’s a security checklist added to major Jira stories
     • This security checklist is manually reviewed by the dev/quality team during the sprint
     • The issue is that this takes time and adds a constraint to our deployments; it’s also not consistent (human error). Let’s automate the basic coverage.
  2. What is the solution?
     • Utilize our existing automated functional test suite and get some basic security coverage in place to save time and effort
     • We already have the tests and we needed to add some security, so we searched and found OWASP ZAP
     • OWASP ZAP offers some scripting options, but we have an existing test suite
  3. What is Selenium?
     • “Selenium automates browsers. That's it! What you do with that power is entirely up to you. Primarily, it is for automating web applications for testing purposes, but is certainly not limited to just that. Boring web-based administration tasks can (and should!) be automated as well.” https://www.seleniumhq.org/
  4. What is OWASP ZAP?
     • “The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular free security tools and is actively maintained by hundreds of international volunteers. It can help you automatically find security vulnerabilities in your web applications while you are developing and testing your applications. It’s also a great tool for experienced pentesters to use for manual security testing.” https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project
  5. What does the setup look like?
     • Start ZAP (this can be installed on your build system, or you can use a Docker image: https://hub.docker.com/r/owasp/zap2docker-bare)
     • Run Selenium (the passive scan runs while this is taking place)
     • Wait for the passive scan to complete
     • Start the active scan (run it with the defaults first so that you can “test” it out)
     • Wait for the active scan to complete (this could take a long time; run it weekly)
     • Retrieve alerts and reports
  6. OWASP ZAP’s Passive and Active scans
     • Passive scans record the requests and responses sent to a web app and create alerts for detected vulnerabilities (shorter, and can run during the Selenium tests)
     • Active scans actively modify the recorded requests and responses to determine further vulnerabilities (longer and configurable)
  7. What am I trying to do outside of the pipeline steps?
     • Integrate this into our existing test suite using the page object model, pytest, Selenium driver settings, headless mode, and fixtures (use the OWASP ZAP Python API and add it to our base page)
     • Post a link to the reports and results to our test automation Slack channels
  8. Resources
     • The Selenium Guidebook by Dave Haeffner https://seleniumguidebook.com/
     • Linux Academy - DevSecOps https://linuxacademy.com/devops/training/course/name/dev-sec-ops-essentials
     • Juice Shop https://juice-shop.herokuapp.com/#/
     • Agile Application Security https://www.oreilly.com/library/view/agile-application-security/9781491938836/
     • OWASP ZAP (support and donate to them): documentation and lots of blog posts on how to integrate with Jenkins, etc.
  9. (Closing ASCII-art slide; not recoverable as text.)