A DevSecCon London 2016 workshop by Simon Bennetts
The OWASP Zed Attack Proxy (ZAP) is one of the world’s most popular and best-maintained free security tools. In this workshop you will learn how to automate security tests using ZAP. These tests can then be included in your continuous integration / delivery pipeline. Simon will cover the range of integration options available and then walk you through automating ZAP against a test application. The ZAP UI will be used to explain the concepts, and Python scripting will be used to drive ZAP via its API – the same scripts can then also be used to drive ZAP in daemon mode.
This workshop is aimed at anyone interested in automating ZAP for security testing, including developers, functional testers (QA) and security/pentesters.
Attendees who wish to try out the automation should have a laptop with the following software installed:
The most recent version of ZAP (currently 2.5.0)
ZAP requires Java 7+ or you can use one of the ZAP Docker images
Python 2.7 and the ZAP Python API client
This is included in the ZAP Docker images
The BodgeIt Store (a deliberately vulnerable application)
This requires a servlet engine like Tomcat, or you can use the Docker image
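As an added example (not part of the workshop material), a Python script in the style the abstract describes: it drives a running ZAP instance through the zapv2 API client, spiders and active-scans the target, then gates a CI build on the alerts ZAP returns. The localhost ports, the BodgeIt URL and the Medium risk threshold are assumptions.

```python
from __future__ import print_function
import sys
import time

# Risk levels as reported in the "risk" field of ZAP's core.alerts() results.
RISK_ORDER = ["Informational", "Low", "Medium", "High"]


def run_scan(zap, target, poll_seconds=2):
    """Drive ZAP through the API client: spider, active scan, collect alerts.
    `zap` is a zapv2.ZAPv2 instance (or anything exposing the same
    spider/ascan/core attributes); works the same against UI or daemon mode."""
    zap.urlopen(target)                        # seed the site tree
    scan_id = zap.spider.scan(target)
    while int(zap.spider.status(scan_id)) < 100:   # status is a percentage string
        time.sleep(poll_seconds)
    scan_id = zap.ascan.scan(target)
    while int(zap.ascan.status(scan_id)) < 100:
        time.sleep(poll_seconds)
    return zap.core.alerts(baseurl=target)


def summarise(alerts):
    """Count alerts per risk level, e.g. {"High": 2, "Medium": 1}."""
    counts = {}
    for alert in alerts:
        counts[alert["risk"]] = counts.get(alert["risk"], 0) + 1
    return counts


def should_fail(alerts, threshold="Medium"):
    """Build-gate decision: True if any alert is at or above `threshold`."""
    floor = RISK_ORDER.index(threshold)
    return any(RISK_ORDER.index(a["risk"]) >= floor for a in alerts)


if __name__ == "__main__":
    # Assumed setup: ZAP listening on localhost:8090, BodgeIt on localhost:8080.
    from zapv2 import ZAPv2
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/bodgeit/"
    proxy = "http://localhost:8090"
    client = ZAPv2(proxies={"http": proxy, "https": proxy})
    found = run_scan(client, target)
    print(summarise(found))
    sys.exit(1 if should_fail(found) else 0)   # non-zero exit fails the pipeline
```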