Yesterday I was at a local .net group meeting. One of the presentations was about automatic tools for improving code quality. The first of the presented tools was the SonarQube that is a tool for static code analize that I know and use. The second presented tool for dynamic UI testing in terms of security was OWASP ZAP. It is a "proxy" tool, i.e. it is used to place it between the browser and the visited page, which can view or modify information sent from / to the browser. If anyone has used Fiddler, know what a "browser proxy" is (same type of tool but improved).
OWASP ZAP in the default mode is used to make the user use the page in "normal" mode, and the tool underneath checks for any security vulnerabilities. If someone uses Selenium for automatic tests, then by connecting OWASP ZAP gets additional safety tests.
It is also possible to run OWASP ZAP from the script level, which makes it possible to insert it into the CI / CD tool or to generate a weekly report. It is recommended to test on a different instance than production / test because full tests can take a long time and generate server load.
Tool is Open Source and supported by Community.
Summary:
We have 3 main modes:
- the user clicks on the page himself (useful when we have an automatic tester using Selenium)
- basic scanning mode (useful to plug into a CI / CD tool and test automatically, e.g. with a larger deploy)
- full scan mode (takes a long time, so it should be done on a separate server in a night task mode).
Brak komentarzy:
Prześlij komentarz