OWASP and Dynamic Analyzers

cloud#azure#secops

3 min read

easy
Pub. on 2022-12-14

Let's explore OWASP and Dynamic Analyzers for penetration testing and secure coding.

In this article, we'll talk about the following:

  1. OWASP and Dynamic Analyzers
  2. Planning & Implementing OWASP Secure Coding Practices
  3. Compliance with code bases

Secure Coding Practices

The Open Web Application Security Project (OWASP) is a global nonprofit organization focused on improving software security. One reason we love them is that they regularly publish a set of secure coding practices, organized around the following areas:

  • Input Validation
  • Output Encoding
  • Authentication and Password Management
  • Session Management
  • Access Control
  • Cryptographic Practices
  • Error Handling and Logging
  • Data Protection
  • Communication Security
  • System Configuration
  • Database Security
  • File Management
  • Memory Management
  • General Coding Practices

OWASP also publishes an intentionally vulnerable web application, the Juice Shop Tool Project, that you can use to learn about common vulnerabilities and see how they show up in real applications.

For more info, look at the following:

OWASP ZAP Penetration Test

ZAP is a free penetration testing tool that comes with an API and a weekly Docker container image you can integrate into your deployment process.
The OWASP ZAP VSTS Extension has details on setting up the integration. The application CI/CD pipeline should complete within a few minutes, so you don't want to include any long-running processes in it.
The baseline scan is designed to identify vulnerabilities within a couple of minutes, making it a good fit for the application CI/CD pipeline.
The nightly OWASP ZAP pipeline can spider the website and run the full Active Scan to test the widest range of possible vulnerabilities.
OWASP ZAP can be installed on a machine in the network, but it's better to run the OWASP ZAP weekly Docker container within Azure Container Services.
This keeps the image up to date and lets you spin up multiple instances, so several applications within an enterprise can be scanned simultaneously.
The following figure outlines the steps for the Application CI/CD pipeline and the longer-running Nightly OWASP ZAP pipeline:

OWASP ZAP Results and Bugs

Once the scans have completed, the Azure Pipelines release is updated with a report of the results, and bugs are created in the team's backlog.
Resolved bugs are closed if the vulnerability has been fixed, and moved back to in-progress if the vulnerability still exists.
The benefit of this approach is that vulnerabilities become bugs: actionable work that can be tracked and measured.
False positives can be suppressed using OWASP ZAP's context file, so only valid vulnerabilities are surfaced.
Even with continuous security validation running against every change to help ensure new vulnerabilities aren't introduced, hackers continuously change their approaches, and new vulnerabilities are being discovered.
Azure provides several tools that provide monitoring, detection, prevention, and alerting using rules (e.g. OWASP Top 10) and machine learning to detect anomalies and unusual behavior to help identify attackers.
Minimize security vulnerabilities by taking a holistic and layered approach to security, including secure infrastructure, application architecture, continuous validation, and monitoring.
DevSecOps practices enable your entire team to incorporate these security capabilities in the whole lifecycle of your application.
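One way to put the two halves of that workflow together, the scan invocation for the fast CI baseline versus the nightly full scan and the triage of results into backlog bugs with false positives suppressed. This is an added example, not code from the article, from Microsoft or from the ZAP project. It assumes ZAP's JSON report shape (what the scan scripts write with `-J`), the tab-separated rules file that `zap-baseline.py` and `zap-full-scan.py` accept with `-c` (`pluginid`, `IGNORE|WARN|FAIL`, comment), and the `owasp/zap2docker-weekly` image name; the sample report and rules file are constructed for the example. It goes slightly beyond the article by honouring explicit `WARN` and `FAIL` actions as well as `IGNORE`, and it stops at producing the bug list rather than calling the Azure DevOps work-item API.

```python
"""Triage an OWASP ZAP scan report the way the article's pipeline does:
every alert becomes a backlog bug, false positives are suppressed, and the
stage fails only on findings that should block a release.

Added example, not code from the article, from Microsoft, or from the ZAP
project. Assumptions (labelled as such):
  * the report is ZAP's JSON output (the -J option of zap-baseline.py /
    zap-full-scan.py): {"site": [{"@name": ..., "alerts": [...]}]}
  * suppressions use the tab-separated file the scan scripts accept via -c:
    "<pluginid>\\t<IGNORE|WARN|FAIL>\\t(comment)"
  * the sample report and rules below are constructed for this example.
"""
import json

# Risk levels as ZAP encodes them in the report's "riskcode" field.
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def zap_command(target, mode="baseline", report_json="zap-report.json",
                rules_file=None, spider_minutes=None,
                image="owasp/zap2docker-weekly"):
    """Build the docker invocation: a fast baseline scan for the application
    CI/CD pipeline, or the full active scan for the nightly pipeline."""
    script = {"baseline": "zap-baseline.py", "full": "zap-full-scan.py"}[mode]
    cmd = ["docker", "run", "--rm", "-t", image, script, "-t", target, "-J", report_json]
    if rules_file:
        cmd += ["-c", rules_file]           # per-rule IGNORE/WARN/FAIL overrides
    if spider_minutes:
        cmd += ["-m", str(spider_minutes)]  # cap spider time to keep CI short
    return cmd


def parse_rules(text):
    """Parse the -c rules file into {pluginid: action}; blank and '#' lines are skipped."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 2:
            continue
        rules[fields[0].strip()] = fields[1].strip().upper()
    return rules


def triage(report, rules, min_block_risk=2):
    """Return (bugs, suppressed, blocking).

    bugs       -> one dict per alert that should become a backlog work item
    suppressed -> alerts marked IGNORE in the rules file (known false positives)
    blocking   -> True if any alert is marked FAIL, or is unlisted and at or
                  above min_block_risk (2 = Medium); an explicit WARN never blocks
    """
    bugs, suppressed, blocking = [], [], False
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            pid = str(alert.get("pluginid", ""))
            risk = int(alert.get("riskcode", 0))
            entry = {
                "site": site.get("@name", ""),
                "pluginid": pid,
                "title": alert.get("alert") or alert.get("name", ""),
                "risk": RISK_NAMES.get(risk, "Unknown"),
                "instances": len(alert.get("instances", [])),
            }
            action = rules.get(pid)
            if action == "IGNORE":
                suppressed.append(entry)
                continue
            bugs.append(entry)
            if action == "FAIL" or (action is None and risk >= min_block_risk):
                blocking = True
    return bugs, suppressed, blocking


def gate(report_json_text, rules_text, min_block_risk=2):
    """Decide the pipeline outcome from the raw report text and rules text."""
    bugs, suppressed, blocking = triage(json.loads(report_json_text),
                                        parse_rules(rules_text), min_block_risk)
    return {"pass": not blocking, "bugs": bugs, "suppressed": suppressed}


# Constructed sample report: three alerts using ZAP's plugin ids for a missing
# CSP header (10038), cache-control advice (10015) and reflected XSS (40012).
SAMPLE_REPORT = json.dumps({"@version": "2.12.0", "site": [{
    "@name": "https://app.example.test",
    "alerts": [
        {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
         "riskcode": "2", "confidence": "3",
         "instances": [{"uri": "https://app.example.test/"},
                       {"uri": "https://app.example.test/login"}]},
        {"pluginid": "10015", "alert": "Re-examine Cache-control Directives",
         "riskcode": "0", "confidence": "2",
         "instances": [{"uri": "https://app.example.test/static/app.js"}]},
        {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
         "riskcode": "3", "confidence": "2",
         "instances": [{"uri": "https://app.example.test/search?q=x", "param": "q"}]},
    ]}]})

# Constructed rules file: suppress a verified false positive, always block on reflected XSS.
SAMPLE_RULES = (
    "# pluginid\tACTION\t(comment)\n"
    "10015\tIGNORE\t(static assets are served by a CDN that sets its own cache headers)\n"
    "40012\tFAIL\t(reflected XSS must never ship)\n"
)

if __name__ == "__main__":
    print(" ".join(zap_command("https://app.example.test", rules_file="zap-rules.tsv", spider_minutes=2)))
    result = gate(SAMPLE_REPORT, SAMPLE_RULES)
    for bug in result["bugs"]:
        print(f"BUG  [{bug['risk']}] {bug['title']} ({bug['pluginid']}) x{bug['instances']}")
    for fp in result["suppressed"]:
        print(f"SKIP [{fp['risk']}] {fp['title']} ({fp['pluginid']}) suppressed")
    print("PASS" if result["pass"] else "FAIL")
```

In a pipeline step you would run the command `zap_command()` builds (for example with `subprocess.run`), feed the resulting JSON file to `gate()`, create one work item per entry in `bugs`, and fail the stage when `pass` is false. Keeping the rules file in the repository alongside the application means a suppressed false positive is reviewed like any other change, and the `FAIL` action lets you make specific high-impact findings block a release regardless of the risk threshold.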

References
  1. OWASP
  2. AZ-400: OWASP and Dynamic Analyzers