Application security testing with ZAP in a Docker container

Dynamic Duo

Doomed!

I hope you've enjoyed taking a very quick look at SQLi with the use of Docker containers. More to the point, however, I hope you're now sufficiently frightened enough of the freely available tools that anyone can get their hands on to put your application through its paces.

Within the right laboratory environment (a reminder that ZAP can attack and potentially break an application) these portable containers are an excellent way of checking that you've ticked lots of security checkboxes while developing your software.

I've only looked at a tiny corner of ZAP's functionality, and I'd encourage everyone to get their hands dirtier and learn more about defending against these offensive security testing tools.

Infos

OWASP Top 10: https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Mutillidae: https://github.com/webpwnized/mutillidae
WebGoat: https://www.owasp.org/index.php/Category:OWASP_WebGoat_Project
nowasp Dockerfile: https://hub.docker.com/r/citizenstig/nowasp/~/dockerfile
Change password for nowasp: https://hub.docker.com/r/citizenstig/nowasp
"ZAP provides automated security tests in continuous integration pipelines" by Chris Binnie, ADMIN , issue 41, 2017, pg. 58, http://www.admin-magazine.com/Archive/2017/41/ZAP-provides-automated-security-tests-in-continuous-integration-pipelines
OWASP ZAP: https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project

The Author

Chris Binnie's latest book, Linux Server Security: Hack and Defend , shows how hackers launch sophisticated attacks to compromise servers, steal data, and crack complex passwords, so you can learn how to defend against such attacks. In the book, he also shows you how to make your servers invisible, perform penetration testing, and mitigate unwelcome attacks. You can find out more about DevOps, DevSecOps, Containers, and Linux security on his website: https://www.devsecops.cc.

« Previous 1 2 3 4