A few weeks back, I wanted to set up automated security testing for the project I am working on and add it to our release pipeline. To achieve this, OWASP ZAP was the obvious option. It's actively maintained with a lot of great features, it's free, and it has an API that can be used to access its capabilities over the network.
Initially, the approach I took was to create a unit test project and include the OWASPZAPDotNetApi NuGet package to call the API to execute scans. That process is described in my article on Creating & Running Automated Security Tests on Visual Studio Team Services. These security tests were configured to run on Visual Studio Team Services.
Then I realized that the same capabilities of the unit tests could be encapsulated into a Visual Studio Team Services task. Since there was no such task available on the Visual Studio Marketplace, it was a good time to create one. After a few days, the initial release of the OWASP Zed Attack Proxy Task was in the Visual Studio Marketplace. Now version 2.0.3 is in the marketplace, and in this article I'll take you through how to configure it to run in your build/release pipeline.
You can install the OWASP ZAP Scan Task into your Visual Studio Team Services account from the Visual Studio Marketplace. Install the task using the following link.
Configuring OWASP Zed Attack Proxy Task
At the moment OWASP Zed Attack Proxy Task supports executing a Spider Scan and an Active Scan on a target and generating a report in HTML, XML and Markdown formats.
To configure the OWASP Zed Attack Proxy Task you will need OWASP ZAP installed and its API exposed over the internet. The article on Installing & Configuring OWASP ZAP on an Azure Virtual Machine describes how to do this. Next, we need the API key for the ZAP API. You can get the API key by opening the OWASP ZAP application, navigating to Tools > Options…, and clicking the API item in the menu on the left of the Options dialog. There you can see the API key. Copy it and paste it in as the value for the API key variable.
Create a build/release definition on Visual Studio Team Services, then add the OWASP ZAP Scan Task. You can find it by searching for it, or in the Test category of tasks.
There are three required configuration options in the task, found in the ZAP Api Configuration section. You need to provide the URL of the ZAP API (the FQDN of the API), the API key and the target URL.
In the Spider Scan Options section, you can find the configuration options for executing a spider scan. This is optional; you can opt out of running a spider scan. When you check the option to execute a spider scan, you will be presented with the configuration options available for it.
The following options are available for the spider scan.
- Execute Spider Scan: Enable to run a spider scan on the target.
- Recurse: (Optional) Enable to use the nodes underneath the specified target to seed the spider.
- Subtree Only: (Optional) Enable to restrict the spider under the target URL subtree.
- Context Name: (Optional) Set to constrain the scan to a Context.
- Max Children to Crawl: (Optional) Set to limit the number of children scanned.
In the Active Scan Options section, you can find the configuration options for executing an active scan. The active scan is also optional; you can run the task without it. If you check the option to execute the active scan, you will be given the options to configure it.
The following active scan options are available for you.
- Execute Active Scan: Enable to run an active scan on the target.
- Context ID: (Optional) Context identifier of the Scan context.
- Recurse: (Optional) Set recurse option to scan URLs under the given target URL.
- In Scope Only: (Optional) Set in Scope only to true to constrain the scan to URLs that are in scope (ignored if a Context is specified).
- Scan Policy Name: (Optional) Allows you to specify the scan policy (if none is given, the default scan policy is used).
- Method: (Optional) Allows you to select a given request in conjunction with the given URL.
- POST Data: (Optional) Allows you to select a given request in conjunction with the given URL.
Just running an active scan is not enough for a build/release pipeline. You should be able to break the build/release when a certain threshold of security alerts has been passed. We can set this threshold by enabling Verifications.
In the Configure Verification section, you can set a threshold for each level of security alerts. Once you turn on Enable Verifications option, you will be given the following options to set the High, Medium and Low security alert thresholds.
- Enable Verifications: Enable to add thresholds for security risk types and fail the build if the threshold is exceeded.
- High Risk Alert Threshold: Maximum number of allowed High Risk Alerts. If the number of high risk alerts equals or exceeds it, the build will fail.
- Medium Risk Alert Threshold: Maximum number of allowed Medium Risk Alerts. If the number of medium risk alerts equals or exceeds it, the build will fail.
- Low Risk Alert Threshold: Maximum number of allowed Low Risk Alerts. If the number of low risk alerts equals or exceeds it, the build will fail.
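To make the spider/active scan options and the verification thresholds concrete, here is an added example (not the task's own code) that maps those options onto the ZAP API request parameters and applies the "equals or exceeds" rule to a ZAP alerts summary. The ZAP host, API key and target below are placeholders, and the summary is a constructed sample shaped like the response of ZAP's core/view/alertsSummary endpoint.

```python
"""Offline model of what the ZAP Scan Task does with its settings: build the
ZAP API scan requests and apply the verification thresholds. No network use."""
from urllib.parse import urlencode

# Parameter names are those of the ZAP API (spider/action/scan, ascan/action/scan).
# The API key travels as a query parameter, so keep it in a secret pipeline variable.
def spider_scan_url(api, api_key, target, recurse=True, subtree_only=False,
                    context_name="", max_children=""):
    params = {"apikey": api_key, "url": target, "recurse": str(recurse).lower(),
              "subtreeOnly": str(subtree_only).lower()}
    if context_name:
        params["contextName"] = context_name
    if max_children != "":
        params["maxChildren"] = str(max_children)
    return f"{api.rstrip('/')}/JSON/spider/action/scan/?{urlencode(params)}"

def active_scan_url(api, api_key, target, recurse=True, in_scope_only=False,
                    context_id="", scan_policy_name="", method="", post_data=""):
    params = {"apikey": api_key, "url": target, "recurse": str(recurse).lower(),
              "inScopeOnly": str(in_scope_only).lower()}
    optional = {"contextId": context_id, "scanPolicyName": scan_policy_name,
                "method": method, "postData": post_data}
    params.update({k: v for k, v in optional.items() if v})  # only send what is set
    return f"{api.rstrip('/')}/JSON/ascan/action/scan/?{urlencode(params)}"

def verify_thresholds(alerts_summary, high, medium, low):
    """Rule as stated for the task: a risk level fails the build when its alert
    count equals or exceeds the configured threshold. Returns (passed, reasons).
    A consequence of that rule: a threshold of 0 fails even a clean run, so a
    threshold of 1 is the way to say 'no alerts of this level allowed'."""
    thresholds = {"High": high, "Medium": medium, "Low": low}
    reasons = []
    for level, limit in thresholds.items():
        count = int(alerts_summary.get(level, 0))
        if count >= limit:
            reasons.append(f"{level}: {count} alert(s) >= threshold {limit}")
    return (not reasons, reasons)

# Constructed sample shaped like ZAP's core/view/alertsSummary response.
SAMPLE_SUMMARY = {"alertsSummary": {"High": 0, "Medium": 2, "Low": 5, "Informational": 3}}

if __name__ == "__main__":
    print(spider_scan_url("http://zap.example:8080", "<api-key>", "https://app.example"))
    ok, why = verify_thresholds(SAMPLE_SUMMARY["alertsSummary"], high=1, medium=3, low=5)
    print("PASS" if ok else "FAIL", why)
```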
Finally, you have the option to generate reports for the scan you are doing. These options can be found in the Configure Reports section.
Here you have the options to select the type of report you want generated and the destination and a name for the report.
- Report Type: Select the type of report you want generated. Available types are HTML, XML & Markdown.
- Destination Folder: The folder in which the report file is created. You can use variables, e.g. $(agent.builddirectory).
- Report Filename: Name of the report file, without the extension; the extension is determined by the Report Type. E.g. OWASP-ZAP-Report-2017-00-00.
Now you are ready to trigger the build/release definition. Before that, let's add a Publish Build Artifacts task to publish the scan report so that we can download the report that was generated.
Configure the task to pick up the files from the path where you configured OWASP ZAP Scan Task to generate the report.
Trigger the build/release definition and wait until the scans and the verifications are complete. You should see the following console output while the task is running and when it has completed. If the verification thresholds are exceeded, the build will fail.
After the build is complete, go to the build summary and in the artifacts, you can download the generated report. In this scenario, I’ve configured the task to generate an HTML report.
When you download and open the report generated, you will see a report similar to the screenshot below.
As you can see, with the OWASP ZAP Scan Task for Visual Studio Team Services you can configure an automated security scan without writing a single line of code.
Contributing to the Project
The OWASP ZAP Scan Task for Visual Studio Team Services is an open source project. The source code for the project is hosted on GitHub. There are still features to be implemented and improvements to be made. To do that, your feedback and contributions are really important and most welcome. Head over to the GitHub repository for the task: if you have any issues, report them, and contribute to the project to carry it forward.
Read the Contribution Guideline to learn about the practices used when contributing to the project.