Automated AppSec with ZAP.md - Juan-bit94/Ops401D10 GitHub Wiki

Automated AppSec with ZAP

Why does this topic matter?

  • Automated application security testing with tools like ZAP is essential for organizations that want to improve the security of their software applications.
  • Integrating automated security testing into development and deployment processes improves an organization's compliance posture and reduces its overall exposure to security threats and attacks.
  • As a result, organizations can build more secure and resilient software applications that protect their systems and data from cyber threats.

What are the three common stages of the Penetration Testing process and what tasks are performed at each one?

  • Here are the three common stages of the pen testing process.
  1. Explore: the tester attempts to learn about the system being tested. This includes trying to determine what software is in use, what endpoints exist, what patches are installed. It also includes searching the site for hidden content and other indications of weakness.
  2. Attack: the tester attempts to exploit the known or suspected vulnerabilities to prove they exist.
  3. Report: the tester reports back the results of their testing, including the vulnerabilities found, how they exploited them, how difficult the exploits were, and the severity of the exploitation.

Explain a "man-in-the-middle proxy" in non-technical terms.

  • A man-in-the-middle proxy sits between you and the website you are visiting. It intercepts the data that is sent and received, so that data can be inspected, modified, or even blocked as it passes between the user and the website.

What are the 2 spiders available for use in ZAP?

  • ZAP provides 2 spiders for crawling web applications.
  1. The traditional ZAP spider discovers links by examining the HTML in responses from the web application.
  2. The AJAX spider is more effective for AJAX applications. It's slower than the traditional spider and requires additional configuration.

What situations are they best suited for?

  • The traditional spider is best suited for static web applications, such as traditional HTML pages with minimal use of JavaScript.
  • AJAX spiders are used for web applications that rely on JavaScript, dynamically loaded content, and single page applications (SPAs).
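As an added example (not code from the wiki page or from the ZAP project), here is a minimal Python "traditional spider" in the sense described above: it discovers links only by parsing the HTML of each response. It runs over a constructed sample site (the `example.test` URLs and page bodies are made up for the demonstration) and shows the link it can never find, the one a page inserts with JavaScript, which is exactly the case the AJAX spider exists for.

```python
# Added example, not from the original page or the ZAP project.
# A traditional spider: breadth-first crawl that finds links purely by
# parsing HTML. Links created by JavaScript at runtime are invisible to it.
from html.parser import HTMLParser
from urllib.parse import urljoin, urldefrag, urlparse

# Constructed sample site (nothing is fetched over the network). /app only
# links to /admin through JavaScript, so an HTML-only spider cannot see it.
SAMPLE_SITE = {
    "http://example.test/": '<a href="/about">About</a> <a href="/app">App</a>',
    "http://example.test/about": '<a href="/">Home</a> <a href="/about#team">Team</a>',
    "http://example.test/app": '<div id="nav"></div><script>'
        "document.getElementById('nav').innerHTML = '<a href=\"/admin\">Admin</a>';"
        "</script>",
    "http://example.test/admin": "<p>admin console</p>",
    "http://other.test/": '<a href="/x">x</a>',
}

class LinkExtractor(HTMLParser):
    """Collect href/src/action targets from tags that reference other URLs."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values are None for bare boolean attributes
        if tag in ("a", "link", "script", "img", "iframe", "form"):
            for attr in ("href", "src", "action"):
                if a.get(attr):
                    self.links.append(a[attr])

def traditional_spider(start_url, fetch):
    """Crawl in-scope URLs (same host as start_url); fetch(url) -> HTML or None.
    Returns every URL the spider requested, sorted."""
    host = urlparse(start_url).netloc
    seen, queue = set(), [start_url]
    while queue:
        url = queue.pop(0)
        if url in seen:
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:  # treat a missing page like a 404: requested, no links
            continue
        parser = LinkExtractor()
        parser.feed(body)
        for raw in parser.links:
            target, _ = urldefrag(urljoin(url, raw))  # resolve and drop #fragment
            if urlparse(target).netloc == host and target not in seen:
                queue.append(target)
    return sorted(seen)

def crawl_sample():
    """Crawl the sample site; return (URLs found, in-scope URLs the spider missed)."""
    found = traditional_spider("http://example.test/", SAMPLE_SITE.get)
    in_scope = [u for u in SAMPLE_SITE if u.startswith("http://example.test/")]
    return found, sorted(u for u in in_scope if u not in found)
```

The missed list contains `/admin`, which only an engine that executes the page's JavaScript (ZAP's AJAX spider) would reach; a scan that relies on the traditional spider alone would never test that endpoint.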

Things I want to know more about.

  • I would like to know more about JavaScript security best practices in order to see how to mitigate issues.
  • I would also like to know more about reporting and remediation procedures to communicate findings to developers and stakeholders.