<?xml version="1.0" encoding="utf-8" standalone="yes"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom">
  <channel>
    <title>Automation on ZAP</title>
    <link>/successtags/automation/</link>
    <description>Recent content in Automation on ZAP</description>
    <generator>Hugo</generator>
    <language>en-us</language>
    <lastBuildDate>Wed, 06 Dec 2023 00:00:00 +0000</lastBuildDate>
    <atom:link href="/successtags/automation/index.xml" rel="self" type="application/rss+xml" />
    <item>
      <title>Mozilla</title>
      <link>/success/mozilla/</link>
      <pubDate>Wed, 14 Apr 2021 00:00:00 +0000</pubDate>
      <guid>/success/mozilla/</guid>
      <description>&lt;p&gt;ZAP is integral to how Mozilla secures the services powering core Firefox features including Accounts, Addons, and Sync for millions of individuals around the world. We support the open source development of ZAP, because it helps us ensure the security and privacy of our users, keeping the Internet a global, public resource open and accessible to all.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Lombiq</title>
      <link>/success/lombiq/</link>
      <pubDate>Wed, 06 Dec 2023 00:00:00 +0000</pubDate>
      <guid>/success/lombiq/</guid>
      <description>&lt;p&gt;ZAP now automatically scans our ASP.NET Core apps for each code change, and we couldn&amp;rsquo;t be happier with it.&lt;/p&gt;&#xA;&lt;p&gt;We at &lt;a href=&#34;https://lombiq.com/&#34;&gt;Lombiq&lt;/a&gt; provide development, training, hosting, and consulting services for open source .NET-based technologies like the ASP.NET Core web CMS and framework &lt;a href=&#34;https://orchardcore.net/&#34;&gt;Orchard Core&lt;/a&gt;. Our clients include Live Nation Clubs and Theaters, the Smithsonian Institution, and Microsoft itself.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Codific</title>
      <link>/success/codific/</link>
      <pubDate>Wed, 05 Jan 2022 00:00:00 +0000</pubDate>
      <guid>/success/codific/</guid>
      <description>&lt;p&gt;Codific is a developer of secure collaboration tools in Ed Tech, MedTech and HR Tech. Our team of software engineers leverages privacy by design and security by design principles to maximize the security of the applications and the privacy of its users.&lt;/p&gt;&#xA;&lt;p&gt;Codific leverages a security assurance programme for the entire product development lifecycle. There are many Application Security programmes out there with &lt;a href=&#34;https://codific.com/software-security-with-sammy/&#34;&gt;OWASP SAMM&lt;/a&gt; being by far the simplest of them. SAMM consists of 15 security practices with Secure Deployment and Security Testing amongst them. Both security practices in their higher maturity levels require the use of a dynamic application security testing (DAST) tool integrated in the CI/CD pipeline. After a time-boxed research into a number of DAST tools we have selected ZAP as our weapon of choice.&lt;/p&gt;</description>
    </item>
    <item>
      <title>we45 and AppSecEngineer</title>
      <link>/success/we45/</link>
      <pubDate>Wed, 11 Aug 2021 00:00:00 +0000</pubDate>
      <guid>/success/we45/</guid>
      <description>&lt;p&gt;We at we45 and our training venture, AppSecEngineer, use and train on ZAP extensively. We strongly believe ZAP to be the most programmable DAST tool in its class, regardless of commercial or OSS alternatives.&lt;/p&gt;&#xA;&lt;p&gt;One of the things we do with our clients is to implement continuous DAST scanning as part of their DevSecOps initiatives. Many of our clients run a bevy of automated scans on a periodic basis, triggered through CI tooling with ZAP as the tool. For some of those that have End-to-End Test Automation Scripts with Selenium, Cypress, etc., we set up ZAP to be able to run authenticated, completely automated scanning, which is something we find unique in the DAST space.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Orange Business Services</title>
      <link>/success/orange/</link>
      <pubDate>Wed, 21 Jul 2021 00:00:00 +0000</pubDate>
      <guid>/success/orange/</guid>
      <description>&lt;p&gt;At OBS, we strive continually to bring our customers peace of mind with strengthened and reinforced application security.&lt;/p&gt;&#xA;&lt;p&gt;As part of automating our web application and API security, we chose to deploy ZAP as one of our Dynamic Application Security Testing (DAST) technologies. This DevSecOps approach helps our developers and engineering teams to detect vulnerabilities, including the OWASP Top Ten &lt;a href=&#34;https://owasp.org/www-project-top-ten/&#34;&gt;Web&lt;/a&gt; and &lt;a href=&#34;https://owasp.org/www-project-api-security/&#34;&gt;API&lt;/a&gt;, in CI/CD pipelines before releasing our solutions.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Banzai Cloud</title>
      <link>/success/banzaicloud/</link>
      <pubDate>Wed, 14 Apr 2021 00:00:00 +0000</pubDate>
      <guid>/success/banzaicloud/</guid>
      <description>&lt;p&gt;At Banzai Cloud we use our dast-operator which leverages ZAP to run baseline scans against the services we deploy on the K8S cluster. This operator deploys ZAP to the K8S cluster and initiates automated security testing for web applications and APIs based on OpenAPI definitions. Besides the operator responsible for starting the scan against a service, it can prevent opening a vulnerable service to the outside. The prevention mechanism is based on the built-in admission controller which is watching the ingress resources. The admission controller checks the backend services of the ingress and makes a decision depending on the result of the ZAP scans.&lt;/p&gt;</description>
    </item>
    <item>
      <title>Motorola Solutions</title>
      <link>/success/motorola/</link>
      <pubDate>Wed, 14 Apr 2021 00:00:00 +0000</pubDate>
      <guid>/success/motorola/</guid>
      <description>&lt;p&gt;Motorola Solutions follows S-SDLC (secure software development lifecycle) best practices for&#xA;our product development. Similarly, these best practices can be found in another OWASP&#xA;project, the &lt;a href=&#34;https://owaspsamm.org/&#34;&gt;Software Assurance Maturity Model&lt;/a&gt;. We build our software development approach&#xA;on the OWASP SAMM, to ensure delivery of secure products, from architecture design to the&#xA;deployment in our own or customer’s infrastructure.&lt;/p&gt;</description>
    </item>
  </channel>
</rss>
