ZAP
ZAP (Zed Attack Proxy) is an open-source web application security testing tool developed by OWASP (the Open Web Application Security Project). It is widely used to identify vulnerabilities in web applications during the development and testing phases.
Delivery Shield uses ZAP to assess the security posture of applications in their operational state by actively testing the deployed application for vulnerabilities.
The fetched results are available in the Post Deploy section of the DBOM page.
Whenever a new image is deployed to an application service, SSD receives the deploy event from the deploy tool in use, such as Argo CD, Spinnaker, or Jenkins. The endpoint details configured in the ZAP integration are then used to run the scan and identify any vulnerabilities.
Navigate to Setup > Integrations.
In the Post Deploy panel, click ZAP.
You can use the toggle button provided below the integration tile to enable or disable it as needed.
The ZAP integration page is displayed.
Click +New Account. In the popup that appears, enter values for the following fields:
Account Name - Enter the name of your account.
Service URL - Enter the URL of the target application.
Username - Enter a username for the account.
Password - Enter a password for the account.
Retries - Enter the number of times ZAP needs to retry testing for vulnerabilities.
Threshold - Enter the number of times ZAP needs to report potential vulnerabilities.
Delay - Enter the delay time that ZAP should wait before it starts scanning, once the services are up and running.
Exclude URLs - Enter the list of URLs that ZAP should omit during scanning.
Click Test to check whether the entered values are valid. If they are, a popup appears confirming it.
Once validated, click Save. The tool is connected.
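To show how the fields of the +New Account form relate to each other at scan time, here is an added Python illustration. It is not Delivery Shield or ZAP code, and the precise way Delivery Shield interprets Retries, Threshold and Delay is not documented above, so the semantics used here are assumptions: Delay is a wait in seconds before the first attempt and between retries, Retries is the number of extra attempts made when the service is not yet reachable, Threshold is the total alert count at which the deployment is reported as failing, and an Exclude URL covers itself and every path beneath it. The scanner adapter `scan`, the demo account, the hostname `app.example.internal` and the alert counts are all constructed for the example.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse


@dataclass
class ZapAccount:
    """Mirrors the fields of the +New Account form (assumed semantics in comments)."""
    account_name: str
    service_url: str
    username: str
    password: str
    retries: int        # extra attempts after a scan cannot reach the target
    threshold: int      # alert count at which the deployment is reported as failing
    delay: int          # seconds to wait for the service to come up before scanning
    exclude_urls: List[str] = field(default_factory=list)


def _is_absolute_http(url: str) -> bool:
    p = urlparse(url)
    return p.scheme in ("http", "https") and bool(p.netloc)


def validate(account: ZapAccount) -> List[str]:
    """Return a list of problems; an empty list means the form values look valid."""
    errors = []
    if not account.account_name.strip():
        errors.append("Account Name must not be empty")
    if not _is_absolute_http(account.service_url):
        errors.append("Service URL must be an absolute http(s) URL")
    if account.retries < 0:
        errors.append("Retries must be 0 or greater")
    if account.threshold < 1:
        errors.append("Threshold must be at least 1")
    if account.delay < 0:
        errors.append("Delay must be 0 or greater")
    for u in account.exclude_urls:
        if not _is_absolute_http(u):
            errors.append(f"Exclude URL is not absolute: {u}")
    return errors


def is_excluded(url: str, exclude_urls: List[str]) -> bool:
    """Assumption: an excluded entry covers itself and every path beneath it."""
    for e in exclude_urls:
        base = e.rstrip("/")
        if url in (base, base + "/") or url.startswith(base + "/"):
            return True
    return False


def run_post_deploy_scan(
    account: ZapAccount,
    scan: Callable[[str], Optional[Dict[str, int]]],
    sleep: Callable[[float], None] = time.sleep,
) -> Tuple[str, Optional[int], int]:
    """Drive one post-deploy scan.

    `scan(service_url)` is the scanner adapter (hypothetical): it returns a
    mapping of crawled URL -> alert count, or None while the service is not
    reachable. Returns (verdict, total_alerts, attempts_used) with verdict
    "pass", "fail" or "unreachable".
    """
    sleep(account.delay)                       # give the new image time to start
    attempts = 1 + account.retries
    for attempt in range(1, attempts + 1):
        result = scan(account.service_url)
        if result is not None:
            total = sum(n for u, n in result.items()
                        if not is_excluded(u, account.exclude_urls))
            verdict = "fail" if total >= account.threshold else "pass"
            return verdict, total, attempt
        if attempt < attempts:
            sleep(account.delay)               # back off before the next retry
    return "unreachable", None, attempts


def make_demo_scan(down_for: int) -> Callable[[str], Optional[Dict[str, int]]]:
    """Constructed fake scanner: unreachable for the first `down_for` calls."""
    calls = {"n": 0}

    def scan(service_url: str) -> Optional[Dict[str, int]]:
        calls["n"] += 1
        if calls["n"] <= down_for:
            return None                        # service still starting
        return {                               # constructed alert counts
            service_url + "/": 1,
            service_url + "/login": 2,
            service_url + "/healthz": 5,       # excluded below, so not counted
        }
    return scan


DEMO_ACCOUNT = ZapAccount(                     # constructed example values
    account_name="demo",
    service_url="https://app.example.internal",
    username="zap-user", password="placeholder",
    retries=2, threshold=3, delay=0,
    exclude_urls=["https://app.example.internal/healthz"],
)

if __name__ == "__main__":
    print(validate(DEMO_ACCOUNT))                                    # []
    print(run_post_deploy_scan(DEMO_ACCOUNT, make_demo_scan(1),
                               sleep=lambda s: None))                # ('fail', 3, 2)
```

The `sleep` parameter is injectable so the delay and retry path can be exercised without waiting; with `retries=2` the demo is reachable on the second of three permitted attempts, and the `/healthz` alerts are dropped by the exclusion before the total is compared against the threshold.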