# ZAP

ZAP (Zed Attack Proxy) is an open-source web application security testing tool developed by the OWASP (Open Web Application Security Project). It is widely used for identifying vulnerabilities in web applications during development and testing phases.

### Usage of ZAP in Delivery Shield

* Delivery Shield uses ZAP to assess the security posture of applications in their operational (deployed) state by actively testing them for vulnerabilities.
* The fetched results are available in the Post Deploy section of the [DBOM](https://docs.opsmx.com/opsmx-secure-software-delivery-ssd-platform/user-guide/delivery-bill-of-materials-dbom) page.
* Whenever a new image is deployed to an application service, SSD receives the deploy event from the deploy tool (Argo CD, Spinnaker, or Jenkins). ZAP then runs a scan against the endpoint details configured in the ZAP integrator to identify any vulnerabilities.

### To Integrate ZAP:

1. Navigate to **Setup** > **Integrations**.
2. In the **Post Deploy** panel, click ZAP.

<figure><img src="https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FfZ40wszoJozHM7jMtXCF%2Fzap%201.png?alt=media&#x26;token=907b2708-88cd-4b6c-ab08-7d5c06f875e6" alt=""><figcaption></figcaption></figure>

3. The ZAP integration page is displayed.
4. Click **+New Account**. In the popup that appears, enter values for the following fields:

<figure><img src="https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FD1pPkUeobFTPIT1f8Kob%2Fzap%202.png?alt=media&#x26;token=fa7162a1-ffad-4368-ba0e-977dcc558969" alt=""><figcaption></figcaption></figure>

* **Account Name**: Enter the name of your account.
* **Service URL**: Enter the URL of the target application to scan.
* **Scan Policy**: Select a scan policy from the available options based on your requirements.
* **Authentication Mode**: Enable this toggle if the URL requires authentication. If the URL is unauthenticated, leave the toggle off.
* **Username**: Enter the username for the URL.
* **Password**: Enter the password for the URL.
* **Retries**: Enter the number of times ZAP should retry testing for vulnerabilities.
* **Threshold**: Enter the number of times ZAP needs to report potential vulnerabilities.
* **Delay**: Enter how long ZAP should wait before starting the scan once the services are up and running.
* **Exclude URLs**: Enter the list of URLs that ZAP should skip during scanning.
* **Login URL**: Enter the login URL.
* **Username Field**: Enter the name of the login form's username field, for example `username`.
* **Password Field**: Enter the name of the login form's password field, for example `password`.
* **Login Indicator**: Enter the login indicator value, for example `\Qadmin\E`. ZAP treats this as a regular expression; `\Q...\E` quotes the enclosed text literally, and a response that matches it is treated as logged in.
* **Logout Indicator**: Enter the logout indicator value, for example `\QSign in\E`. A response that matches it is treated as logged out.
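
How ZAP interprets the Login Indicator and Logout Indicator values is shown by the following added example, which is not part of this documentation, of Delivery Shield, or of ZAP itself. ZAP matches the indicators as Java-style regular expressions in which `\Q...\E` quotes the enclosed text literally; Python's `re` lacks `\Q...\E`, so the stand-in below expands it with `re.escape()` and classifies constructed sample responses as logged in or logged out.

```python
import re


def zap_indicator_to_python(pattern: str) -> str:
    """Translate a ZAP (Java-style) indicator regex into Python syntax.

    Every run between \\Q and \\E is quoted literally, so '?', '.', '(' or
    spaces inside it cannot be misread as regex operators. An unterminated
    \\Q quotes to the end of the string, as in Java.
    """
    out, pos = [], 0
    while True:
        q = pattern.find(r"\Q", pos)
        if q < 0:
            out.append(pattern[pos:])
            break
        out.append(pattern[pos:q])
        e = pattern.find(r"\E", q + 2)
        if e < 0:
            out.append(re.escape(pattern[q + 2:]))
            break
        out.append(re.escape(pattern[q + 2:e]))
        pos = e + 2
    return "".join(out)


def indicator_matches(indicator: str, body: str) -> bool:
    """True when the translated indicator regex is found anywhere in body."""
    return re.search(zap_indicator_to_python(indicator), body) is not None


def session_state(body: str, login_indicator: str, logout_indicator: str) -> str:
    """Approximate ZAP's indicator check: 'logged_in', 'logged_out' or 'unknown'.

    'unknown' covers the ambiguous cases (neither or both indicators match),
    which usually means the indicator values need tightening.
    """
    logged_in = indicator_matches(login_indicator, body)
    logged_out = indicator_matches(logout_indicator, body)
    if logged_in and not logged_out:
        return "logged_in"
    if logged_out and not logged_in:
        return "logged_out"
    return "unknown"


# Constructed sample responses (not captured from a real application).
DASHBOARD_HTML = '<nav>Welcome, admin <a href="/logout">Sign out</a></nav>'
LOGIN_PAGE_HTML = '<form action="/login"><button>Sign in</button></form>'
LOGIN_INDICATOR = r"\Qadmin\E"      # values from the field descriptions above
LOGOUT_INDICATOR = r"\QSign in\E"
```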

5. Select the **Teams** and the corresponding **Environments** from the dropdown for which you want the integration to be available. The integration will be available only for the selected teams and environments.

   <div data-gb-custom-block data-tag="hint" data-style="info" class="hint hint-info"><p>You can select up to 5 teams for the integration to be displayed. </p></div>

   * A sample is given below for reference:

   <figure><img src="https://lh7-rt.googleusercontent.com/docsz/AD_4nXeuMZQzZsZQuulVdW9B9OuffNPoEXqbcpcAkYtKVyb7YiTQxbVIt1L4Gh-zshqX2J9MFKIat8x4oWFIGxdg3j1XVagyUNhUAlD_52soyMyd1cy53p6XiYi0LsTjIBfHcybRWl61?key=D9EXoOdGF7oYOBvYaW2GnRWJ" alt=""><figcaption></figcaption></figure>

   * In the example above,
     * if **Team 1**, **Team 2**, and **Team 3** are selected, only applications associated with these teams can access the integration. Any applications belonging to other teams, such as **Team 4**, will not have access to this account.
     * Even if the user who created this account is also an admin for **Team 4**, the integration account remains restricted and is not available for **Team 4**.
     * Access to the account is strictly limited to the specified **Teams** and **Environments** selected during account creation.
   * **For Organization Admins:**
     * When an **Organization Admin** creates an account without selecting specific **Teams** and **Environments**, the account will be universally applicable, granting access to **all teams** and **all environments** by default.
   * **For Team Admins with Multiple Teams:**
     * If a **Team Admin** who manages multiple teams creates an account without specifying particular **Teams** and **Environments**, the account will only be accessible to the teams for which the logged-in user holds admin privileges.
6. Click **Test** to check whether the entered values are valid. If they are, a popup appears confirming it.
7. Once validated, click **Save**. The tool is connected.
8. After the integration succeeds, a success popup appears at the top right corner of the page indicating that the ZAP integrator is connected, and the account is listed under the ZAP integrator.

<figure><img src="https://2047464521-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MBEa1hoX6SqpDj-ymNs%2Fuploads%2FrxbEbYPsXUzhuWskZXEy%2Funknown.png?alt=media&#x26;token=4012618f-4e87-4062-a563-7114097acd76" alt=""><figcaption></figcaption></figure>
