Overview

Date: 2023-11-14
Status: Release
Test Type: Automated Security Testing
Test Topic: Security
Context:
Tester: SolDevelo

Methodology

SAST

-

DAST

For Dynamic Application Security Testing (DAST) we use OWASP ZAP, a widely used open-source web application security scanner. ZAP tests a running web application from the outside, the way an attacker would, and ships with passive and active scan rules for identifying common classes of web vulnerabilities.

Introduction to OWASP ZAP

OWASP ZAP (Zed Attack Proxy) is one of the tools of OWASP (Open Worldwide Application Security Project, formerly Open Web Application Security Project), a family known for its reliability and effectiveness in web security. ZAP finds vulnerabilities in a web application while it is running: it spiders the application, passively inspects every request and response, and then actively sends crafted requests to confirm weaknesses, which is precisely what DAST calls for.

Utilization of OWASP ZAP in Our Testing

For our testing purposes, we adhere to the following procedure:

  1. Use of Default Policy:

    • For our DAST process we use the default scan policy of OWASP ZAP, which enables the standard passive and active scan rules and covers the common classes of web application vulnerabilities. Note that the policy only determines which rules run; which pages are reached depends on the spider and on whether ZAP has an authenticated context, so without one only the unauthenticated surface of the application is exercised. For further details about our scanning approach, please refer to the "SAST/DAST Requirements" article, which provides more comprehensive information.

  2. Dedicated Repository for Testing:

    • We have established a separate repository, openimis-dynamic-application-security-testing, specifically for conducting Dynamic Application Security Testing. This repository is central to our DAST process.

    • The application build process occurs in the openimis-dist_dkr repository: there we pull the latest version of the application, configure the environment (including the .env file), and deploy the application with Docker Compose.

    • This approach allows us to maintain a clear separation between the application building and security testing processes, ensuring a structured and focused DAST workflow.

  3. Performing the Analysis:

    • Once the application is running in its dockerized environment, OWASP ZAP performs an automated security analysis on it.

    • The target for the analysis is the running instance of the application, typically accessed at http://localhost:80. If ZAP itself runs in a container, "localhost" refers to that container, so ZAP must share the host's network (or target the Compose service name on a shared Docker network) to reach the application.

    • Because the scan runs against the Docker Compose deployment from the distribution repository, findings reflect the application as it is actually deployed rather than a mock. A local Compose stack does not reproduce production-specific layers such as TLS termination or reverse-proxy headers, so header-related findings should be read with that in mind.
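The three steps above, driven from one script and gated on ZAP's JSON report, as an added example that is not the openIMIS project's own pipeline code. It assumes (none of this is stated on the page) that the openimis-dist_dkr checkout is in ./openimis-dist_dkr with a prepared .env, that the Compose stack listens on localhost:80, and that ZAP is run from the ghcr.io/zaproxy/zaproxy container image; the sample report at the bottom is constructed in the shape ZAP writes with -J.

```python
"""Added example, not the openIMIS project's own pipeline: runs the three-step
DAST procedure above end to end and gates on ZAP's JSON report.

Assumed (not stated on the page): the openimis-dist_dkr checkout is in
./openimis-dist_dkr with a prepared .env, the stack listens on localhost:80,
and ZAP runs from the ghcr.io/zaproxy/zaproxy container image.
"""
import json
import subprocess
import sys
import time
import urllib.error
import urllib.request
from pathlib import Path

TARGET = "http://localhost:80"
ZAP_IMAGE = "ghcr.io/zaproxy/zaproxy:stable"   # assumption
DIST_DIR = Path("openimis-dist_dkr")            # assumption
REPORT_DIR = Path("zap-out")
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def deploy(dist_dir: Path = DIST_DIR) -> None:
    """Step 2: deploy the application from the distribution repo with Docker Compose."""
    if not (dist_dir / ".env").exists():
        raise FileNotFoundError(f"{dist_dir}/.env must be prepared before deploying")
    subprocess.run(["docker", "compose", "pull"], cwd=dist_dir, check=True)
    subprocess.run(["docker", "compose", "up", "-d"], cwd=dist_dir, check=True)


def wait_for_target(url: str = TARGET, timeout: float = 300) -> bool:
    """Scanning before the stack answers produces an empty report, so poll first.
    Any HTTP reply, even 4xx/5xx, means the listener is up."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        try:
            with urllib.request.urlopen(url, timeout=5):
                return True
        except urllib.error.HTTPError:
            return True
        except (urllib.error.URLError, OSError):
            time.sleep(5)
    return False


def zap_command(target: str = TARGET, report_dir: Path = REPORT_DIR) -> list[str]:
    """Step 3: full scan (spider + active scan) with ZAP's default policy.
    --network host makes 'localhost' inside the container the Docker host, where
    Compose published port 80 (Linux; on Docker Desktop use host.docker.internal).
    /zap/wrk is where the packaged scan scripts write -J/-r output; -I stops the
    script from failing on WARN so that the gate below decides the exit status."""
    return [
        "docker", "run", "--rm", "--network", "host",
        "-v", f"{report_dir.resolve()}:/zap/wrk:rw",
        ZAP_IMAGE, "zap-full-scan.py",
        "-t", target, "-J", "report.json", "-r", "report.html", "-I",
    ]


def summarize(report: dict) -> dict[str, int]:
    """Count alerts per risk level; ZAP's JSON report nests them as
    site[].alerts[] with riskcode 0..3 (informational..high)."""
    counts = {name: 0 for name in RISK_NAMES.values()}
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            counts[RISK_NAMES[int(alert["riskcode"])]] += 1
    return counts


def exceeds_threshold(counts: dict[str, int], max_high: int = 0, max_medium: int = 5) -> bool:
    """Gate: fail the run on any High finding or on too many Medium ones."""
    return counts["High"] > max_high or counts["Medium"] > max_medium


# Constructed sample in the shape ZAP writes with -J, trimmed to the fields used here.
SAMPLE_REPORT = {
    "@version": "2.14.0",
    "site": [{
        "@name": "http://localhost",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "2", "count": "12"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "count": "9"},
            {"pluginid": "10096", "alert": "Timestamp Disclosure - Unix",
             "riskcode": "0", "count": "3"},
        ],
    }],
}


def main() -> int:
    REPORT_DIR.mkdir(exist_ok=True)
    deploy()
    if not wait_for_target():
        print(f"{TARGET} did not come up in time", file=sys.stderr)
        return 2
    subprocess.run(zap_command(), check=True)
    counts = summarize(json.loads((REPORT_DIR / "report.json").read_text()))
    print("ZAP findings by risk:", counts)
    return 1 if exceeds_threshold(counts) else 0


if __name__ == "__main__":
    sys.exit(main())
```

Run it from the directory that contains the openimis-dist_dkr checkout; the HTML report lands in zap-out/report.html for reading, and the exit status (0 clean, 1 gate tripped, 2 target never answered) is what a CI job should key on. The threshold values are a starting point, not a standard: tune them against the triaged result summary rather than silencing rules in the policy.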

Conclusion

By integrating OWASP ZAP into our DAST methodology, we aim to proactively identify and mitigate security vulnerabilities in the openIMIS application. This approach aligns with industry best practices for web application security and contributes to the robustness and reliability of our application.

Result Summary

SAST

-

DAST

Remediation

SAST

-

DAST

Report

SAST

-

DAST
