ZAP

ZAP (Zed Attack Proxy) is an open-source web application security testing tool developed by the OWASP (Open Web Application Security Project). It is widely used for identifying vulnerabilities in web applications during development and testing phases.

Usage of ZAP in Delivery Shield

• Delivery Shield enhances the ability to assess the security posture of applications in their operational state using ZAP, by actively testing it for vulnerabilities.

• The fetched results are available in the Post Deploy section of the DBOM page.

• Whenever a new image is deployed in an application service, the deploy event is received by SSD from any of the deploy tools such as Argo CD or Spinnaker or Jenkins. The endpoint details are provided in the ZAP integrator using which it runs the scan to identify any vulnerabilities.

To Integrate ZAP:

1. Navigate to Setup > Integrations.

2. In the Post Deploy panel, click ZAP.

1. The ZAP integration page is displayed.

2. Click +New Account. In the popup that appears enter the value for the following fields:

• Account Name - Enter the name of your account.

• Service URL - Enter the URL of the target application.

• Username - Enter a username for the account.

• Password - Enter a password for the account.

• Retries - Enter the number of times ZAP needs to retry testing for vulnerabilities.

• Threshold - Enter the number of times ZAP needs to report potential vulnerabilities

• Delay - Enter the delay time that ZAP should wait to start scanning after the services will be up and running.

• Exclude URLs - Enter the URLs list that ZAP needs to omit during scanning.

• Login URL - Enter the login URL.

1. Select the Teams and the corresponding Environments from the dropdown for which you want the integration to be available. The integration will be available for the selected teams and environment only.

   You can select up to 5 teams for the integration to be displayed.

   • A sample is given below for reference:

   • In the example above,

     • if Team 1, Team 2, and Team 3 are selected, only applications associated with these teams can access the integration. Any applications belonging to other teams, such as Team 4, will not have access to this account.

     • Even if the user who created this account is also an admin for Team 4, the integration account remains restricted and is not available for Team 4.

     • Access to the account is strictly limited to the specified Teams and Environments selected during account creation.

   • For Organization Admins:

     • When an Organization Admin creates an account without selecting specific Teams and Environments, the account will be universally applicable, granting access to all teams and all environments by default.

   • For Team Admins with Multiple Teams:

     • If a Team Admin who manages multiple teams creates an account without specifying particular Teams and Environments, the account will only be accessible to the teams for which the logged-in user holds admin privileges.

2. Click Test to check if the entered values are valid. If the given values are valid, a popup appears indicating it.

3. Once validated, click Save. The tool is connected.