Adding Security into your CI Process

Shows how to integrate OWASP ZAP into CI by routing functional test traffic through a security proxy to surface vulnerabilities earlier. The post advocates embedding lightweight security checks into normal delivery workflows instead of waiting for late-stage pen tests.

Coveros Staff

November 15, 2014

Most organizations I’ve worked with say they are concerned about security, but do nothing about it until right before the big production release, when it is usually too late to make any major security changes before the “Go/No-Go” decision.  What if security were baked into our CI process, so that security testing happens as part of our regular testing efforts?

Many organizations use some combination of unit tests and functional tests to verify that their application works.  For web applications, I have found that tools like Selenium provide a fairly robust framework for functional testing of the UI.  Many organizations will also have a separate team perform a detailed scan of the code and the running application to pen test it for vulnerabilities.  This is not an easy task: it is often time- and resource-intensive, and the scanning tools may not be configured to exercise every capability of the application.  Luckily, there is a way to get more out of your existing functional tests while also producing pen test results.

The Zed Attack Proxy (ZAP) is an open-source penetration testing tool developed at the Open Web Application Security Project (OWASP) for finding vulnerabilities in web applications. It is suited to developers and functional testers as well as security experts. One of its features is running ZAP as an intercepting proxy, so that it records and analyzes the application's requests and responses as you navigate through it and exercise its different parts.

By running ZAP as a proxy in front of your application and pointing your functional tests (through a tool like Selenium) at that proxy, you can quickly collect a host of valuable security findings during your CI run with little to no extra effort: the test suite already exercises the application, so ZAP sees real traffic to every page the tests cover, including any logged-in flows the tests perform. Out of the box this yields ZAP's passive-scan findings on the traffic it observes (missing security headers, insecure cookie flags, information leaks); active scanning, which sends attack payloads, must be triggered separately and only against a disposable test instance.
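The CI wiring described above, as an added example written for this page (not Coveros's code, and not part of the ZAP project): it produces the Chrome flags a Selenium session needs to send its traffic through ZAP, then reads the alerts ZAP raised via its JSON API and fails the build if any reach a chosen risk level. Assumptions: ZAP listens on 127.0.0.1:8080 with an API key, the application under test runs on http://localhost:3000, and the test browser is Chrome. The `/JSON/core/view/alerts/` endpoint and the `risk`, `alert`, `url` and `param` fields are ZAP's own API; the helper names and the sample response embedded at the bottom are constructed for illustration.

```python
"""Gate a CI run on the ZAP alerts gathered while Selenium drove the app
through the ZAP proxy.  Editor-added example; assumes ZAP on 127.0.0.1:8080
(with an API key) and the application under test on http://localhost:3000.
"""
import json
import urllib.parse
import urllib.request

# Risk levels exactly as ZAP reports them in each alert's "risk" field, ordered.
RISK_ORDER = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}


def chrome_proxy_args(zap_host="127.0.0.1", zap_port=8080):
    """Chrome flags that route a Selenium-driven browser through ZAP.

    Pass each one to webdriver.ChromeOptions().add_argument().
    --proxy-server              sends all HTTP(S) through ZAP.
    --proxy-bypass-list=<-loopback>  Chrome skips the proxy for localhost by
                                default; without this flag a CI app on
                                localhost never reaches ZAP at all.
    --ignore-certificate-errors accepts the certificates ZAP mints for HTTPS
                                sites (only acceptable in a throwaway CI browser).
    """
    return [
        f"--proxy-server=http://{zap_host}:{zap_port}",
        "--proxy-bypass-list=<-loopback>",
        "--ignore-certificate-errors",
    ]


def alerts_url(zap_api="http://127.0.0.1:8080", target="http://localhost:3000", api_key=""):
    """URL of the ZAP API view that lists alerts raised for a base URL."""
    query = urllib.parse.urlencode({"baseurl": target, "apikey": api_key})
    return f"{zap_api}/JSON/core/view/alerts/?{query}"


def fetch_alerts(zap_api, target, api_key):
    """Pull alerts from a running ZAP after the Selenium suite finishes (needs network)."""
    with urllib.request.urlopen(alerts_url(zap_api, target, api_key), timeout=30) as resp:
        return parse_alerts(resp.read().decode("utf-8"))


def parse_alerts(body):
    """Extract the alert list from a core/view/alerts JSON response."""
    return json.loads(body).get("alerts", [])


def summarize(alerts):
    """Count alerts per risk level, for the build log."""
    counts = {level: 0 for level in RISK_ORDER}
    for alert in alerts:
        level = alert.get("risk", "Informational")
        counts[level] = counts.get(level, 0) + 1
    return counts


def blocking_alerts(alerts, threshold="Medium"):
    """Alerts at or above the threshold, deduplicated by (name, url, param).

    Passive rules fire once per response, so the same finding repeats for
    every visit the tests make to a page; collapsing them keeps the report readable.
    """
    floor = RISK_ORDER[threshold]
    seen, out = set(), []
    for alert in alerts:
        if RISK_ORDER.get(alert.get("risk"), 0) < floor:
            continue
        key = (alert.get("alert"), alert.get("url"), alert.get("param", ""))
        if key not in seen:
            seen.add(key)
            out.append(alert)
    return out


def build_passes(alerts, threshold="Medium"):
    """True when nothing at or above the threshold was found."""
    return not blocking_alerts(alerts, threshold)


# Constructed sample (not captured from a real scan) in the shape ZAP returns,
# trimmed to the fields used here.
SAMPLE_RESPONSE = json.dumps({"alerts": [
    {"risk": "Medium", "confidence": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://localhost:3000/login", "param": ""},
    {"risk": "Medium", "confidence": "Medium", "alert": "X-Frame-Options Header Not Set",
     "url": "http://localhost:3000/login", "param": ""},
    {"risk": "Low", "confidence": "Medium", "alert": "Cookie Without Secure Flag",
     "url": "http://localhost:3000/login", "param": "session"},
    {"risk": "Informational", "confidence": "Low", "alert": "Information Disclosure - Suspicious Comments",
     "url": "http://localhost:3000/", "param": ""},
]})

if __name__ == "__main__":
    found = parse_alerts(SAMPLE_RESPONSE)  # in CI: fetch_alerts(zap_api, target, api_key)
    print(summarize(found))
    for a in blocking_alerts(found):
        print(f"{a['risk']}: {a['alert']} at {a['url']}")
    raise SystemExit(0 if build_passes(found) else 1)
```

Run the gate after the Selenium suite and before ZAP is shut down, and start with a "High" threshold so the first few runs do not break the build on header and cookie findings the team has not yet triaged; lower it once those are fixed.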

This post represents the collective insights of the Coveros team. Our staff consists of software experts who bring deep experience in secure agile development, DevOps, testing, and software quality. Over the past 20 years, Coveros has trained more than 30,000 professionals and worked with half of the Fortune 100 companies on mission-critical software development challenges. We draw on this extensive experience to share practical insights, proven strategies, and real-world solutions that help organizations build better software faster and more securely.