Quality and security are two important aspects of software products in the current era. The time has come for new approaches to conveniently integrate quality and security, with the aim of leveraging each other’s strengths and delivering effective value to customers in a timely manner.
In this article, we propose an integration strategy in which Selenium automation, together with the ZAP .NET / Java API, drives OWASP ZAP, so that the same automated runs serve both quality and security goals.
- In a fast-paced development environment, quality and security are both integral parts of the Software Development Lifecycle. Automation is used during sprints for functional testing, but security testing is done manually or with separate scanning tools. Issues that are not detected at the same time surface later as fragmented findings, which in turn impacts the deadline.
- A system with complex business logic makes it difficult for security tools or a security tester to probe through the business steps on their own (for example, a screen with many fields and specific validation rules that must be satisfied before submission, leading to further screens with similar or more complex rules, and so on).
- A large number of existing automation scripts run independently and are not accompanied by any security testing activity.
How to overcome
Use Selenium to launch a WebDriver session that is configured to use a proxy already set up on ZAP. Each automation step performed by Selenium then sends the corresponding request through ZAP, which passively scans it automatically. This is driving based on automation steps.
Besides that, ZAP can be used for other, more specialised scans. Its .NET / Java API lets us communicate with ZAP to trigger other types of scan, for example Spider, AJAX Spider, Active scan, etc. This is driving based on ZAP features.
==> A thoughtful combination of these two approaches promises good effectiveness.
- Main Packages for .NET: Selenium Web Driver, OWASPZAPDotNetAPI
- Main Packages for Java: Selenium Java, OWASP ZAP API Client
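As an added example (not code from the original article), here is how the two driving modes fit together in Java with Selenium and the OWASP ZAP API client: the WebDriver is proxied through ZAP so the functional steps are passively scanned, then the API triggers an active scan of what Selenium visited, saves the report and gates on the alert summary. The ZAP address, API key, target URL and form field names are assumed placeholders.

```java
import java.nio.file.*;
import org.openqa.selenium.By;
import org.openqa.selenium.Proxy;
import org.openqa.selenium.WebDriver;
import org.openqa.selenium.chrome.ChromeDriver;
import org.openqa.selenium.chrome.ChromeOptions;
import org.zaproxy.clientapi.core.ApiResponseElement;
import org.zaproxy.clientapi.core.ApiResponseSet;
import org.zaproxy.clientapi.core.ClientApi;

public class ZapDrivenTest {
    // Assumed values: a ZAP daemon on localhost:8080 with this API key, and a placeholder target.
    static final String ZAP_HOST = "localhost";
    static final int ZAP_PORT = 8080;
    static final String ZAP_API_KEY = "change-me";
    static final String TARGET = "https://app.example.test/login";

    public static void main(String[] args) throws Exception {
        ClientApi zap = new ClientApi(ZAP_HOST, ZAP_PORT, ZAP_API_KEY);

        // Driving based on automation steps: route the browser through ZAP's proxy so every
        // request the functional test makes is passively scanned as it happens.
        String proxyAddr = ZAP_HOST + ":" + ZAP_PORT;
        Proxy proxy = new Proxy().setHttpProxy(proxyAddr).setSslProxy(proxyAddr);
        ChromeOptions options = new ChromeOptions();
        options.setProxy(proxy);
        options.setAcceptInsecureCerts(true); // ZAP re-signs TLS with its own root CA
        WebDriver driver = new ChromeDriver(options);
        try {
            driver.get(TARGET);
            driver.findElement(By.name("username")).sendKeys("tester");  // assumed field names
            driver.findElement(By.name("password")).sendKeys("secret");
            driver.findElement(By.cssSelector("button[type=submit]")).click();
        } finally {
            driver.quit();
        }

        // Driving based on ZAP features: active-scan the site tree Selenium populated
        // (arguments: url, recurse, inScopeOnly, scanPolicyName, method, postData) and wait.
        String scanId = ((ApiResponseElement) zap.ascan.scan(TARGET, "true", "false", null, null, null)).getValue();
        while (Integer.parseInt(((ApiResponseElement) zap.ascan.status(scanId)).getValue()) < 100) {
            Thread.sleep(2000);
        }

        // Report and gate: save the HTML report and fail the run on any High-risk alert.
        Files.write(Paths.get("zap-report.html"), zap.core.htmlreport());
        ApiResponseSet summary = (ApiResponseSet) zap.alert.alertsSummary(TARGET);
        int high = Integer.parseInt(summary.getStringValue("High"));
        if (high > 0) {
            throw new IllegalStateException(high + " High-risk alert(s) found, see zap-report.html");
        }
    }
}
```

Run the Selenium steps before the active scan, because ZAP only attacks URLs that are already in its site tree; the same pattern maps one-to-one onto the .NET package listed above.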
Run test cases and generate reports automatically:
- Security testing can be integrated early in a project through the automation scripts written for new features.
- Existing automation scripts from the project's testing team can be re-used and run together with security tools, saving effort on testing in general.
- Automation testing is an essential part of the CI/CD pipeline, and that automation can be leveraged to drive security scans for higher efficiency.
- In today's fast-paced development environment, automation is the way to speed up application testing, and security testing activities can be integrated into the automation pipeline to bring further improvements in quality.
- Automation also broadens the perspective on integrations between tools and platforms, leveraging the benefits of each to achieve optimal quality. Connecting them through integrated automation centralises testing efforts and saves resources in the long term.