Featured image of post OWASP tools Integration into the DevOps pipeline
OWASP Web Security Cybersecurity Open Source Penetration Testing Secure Coding Testing

OWASP tools Integration into the DevOps pipeline

Guide and Command Cheatsheet for DevOps

How to Integrate All OWASP Tools into Your DevOps Pipeline

Introduction

Security is like an onion—lots of layers, and sometimes it makes you cry if you ignore it. Enter OWASP, the Open Worldwide Application Security Project. OWASP provides a broad set of tools to help secure web applications against malicious actors, vulnerabilities, and data breaches.

In this article, we’ll explore how to integrate OWASP tools into your DevOps pipeline, specifically for applications written in C#, Python, Go, and Java.

What is OWASP?

OWASP (Open Worldwide Application Security Project) is a non-profit foundation that works to improve software security. Their resources, like the OWASP Top 10, are widely adopted standards in the industry.

OWASP provides free, open-source tools to test, secure, and monitor web applications throughout their development lifecycle.

Key OWASP Tools and Their Purposes

1. OWASP ZAP (Zed Attack Proxy)

  • Purpose: Web application penetration testing.
  • Languages: Language-agnostic, can test any web app accessible via HTTP/HTTPS.
  • Database Compatibility: Any database if exposed via a web interface.

2. OWASP Dependency-Check

  • Purpose: Detect known vulnerabilities in dependencies.
  • Languages: Java, .NET (C#), Python, Ruby, Node.js.
  • Database Compatibility: Language-dependent.

3. OWASP Dependency-Track

  • Purpose: Continuous analysis of component dependencies.
  • Languages: Java, C#, Python.
  • Database Compatibility: PostgreSQL.

4. OWASP Defectdojo

  • Purpose: Vulnerability management.
  • Languages: Python (Django-based), integrates with various tools.
  • Database Compatibility: PostgreSQL, MySQL.

5. OWASP CSRFGuard

  • Purpose: Protect against Cross-Site Request Forgery (CSRF).
  • Languages: Java.
  • Database Compatibility: N/A (middleware-level protection).

6. OWASP ModSecurity Core Rule Set (CRS)

  • Purpose: Web Application Firewall (WAF) rules.
  • Languages: Language-agnostic (works with web servers).
  • Database Compatibility: N/A.

7. OWASP AMASS

  • Purpose: Network mapping and attack surface discovery.
  • Languages: Go.
  • Database Compatibility: N/A.

8. OWASP Security Shepherd

  • Purpose: Training and awareness.
  • Languages: Java.
  • Database Compatibility: MySQL.

Integrating OWASP Tools into DevOps Pipelines

C# Web Applications

Key Tools: OWASP ZAP, Dependency-Check, Dependency-Track, Defectdojo, ModSecurity CRS.

1. OWASP ZAP

  • Install: choco install owasp-zap
  • Integrate into CI/CD pipeline:
1
2
3
4
5
6

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run OWASP ZAP
        run: zap-baseline.py -t https://yourapp.com

2. OWASP Dependency-Check

  • Install: dotnet tool install --global dotnet-dependency-check
  • Run: dotnet dependency-check .

3. OWASP Dependency-Track

  • Run as Docker container: docker run -d -p 8081:8081 dependencytrack/frontend

Python Web Applications

Key Tools: OWASP ZAP, Dependency-Check, Defectdojo, AMASS.

1. OWASP ZAP

  • Install: sudo apt install zaproxy
  • Run in pipeline:
1
2
3
4
5
6

jobs:
  zap_scan:
    runs-on: ubuntu-latest
    steps:
      - name: Run OWASP ZAP
        run: zap-baseline.py -t https://yourapp.com

2. OWASP Dependency-Check

  • Install: pip install safety
  • Run: safety check

3. OWASP Defectdojo

  • Deploy via Docker: docker-compose up -d

Go Web Applications

Key Tools: OWASP ZAP, Dependency-Check, AMASS.

1. OWASP ZAP

  • Run as a Docker container:
1

docker run -u zap -v $(pwd):/zap/wrk/:rw -t owasp/zap2docker-stable zap-baseline.py -t https://yourapp.com

2. OWASP Dependency-Check

  • Install: go get github.com/owasp/dependency-check
  • Run: dependency-check --project myapp

3. OWASP AMASS

  • Install: go install github.com/OWASP/Amass/v3/...
  • Run: amass enum -d yourdomain.com

Java Web Applications

Key Tools: OWASP ZAP, Dependency-Check, Dependency-Track, CSRFGuard, Security Shepherd.

1. OWASP ZAP

  • Run via Maven:
1
2
3
4
5

<plugin>
  <groupId>org.owasp</groupId>
  <artifactId>zap-maven-plugin</artifactId>
  <version>1.0.0</version>
</plugin>

2. OWASP Dependency-Check

  • Run: mvn dependency-check:check

3. OWASP CSRFGuard

  • Add as dependency:
1
2
3
4
5

<dependency>
  <groupId>org.owasp.csrfguard</groupId>
  <artifactId>csrfguard</artifactId>
  <version>4.0.0</version>
</dependency>

4. OWASP Security Shepherd

  • Deploy with Docker: docker-compose up -d

Understanding the What and the Where of the Tool Results

Npw lets deal with the results(reporting) of the tools

So far, we explored how to integrate OWASP tools into your DevOps pipeline.

Now comes the fun part: understanding the results these tools generate.

If security is a game of hide-and-seek, these tools help you find vulnerabilities before attackers do.

Understanding the Results

1. OWASP ZAP (Zed Attack Proxy)

Output: HTML, XML, or JSON reports detailing potential security issues.

Key Metrics:

  • High, Medium, Low, and Informational vulnerabilities.
  • Descriptions of issues like SQL Injection, XSS, and missing security headers.
  • Remediation suggestions.

Viewing the Results:

  • Open the report in a web browser for an easy-to-read interface.
  • Use zap-cli to automate report extraction in your CI/CD pipeline.

Interpreting Results:

  • Focus on High/Medium vulnerabilities first.
  • Look for recurring patterns—these might indicate systemic issues.

2. OWASP Dependency-Check

Output: Reports in HTML, CSV, or JSON formats.

Key Metrics:

  • CVE Identifiers: Known vulnerabilities found in dependencies.
  • CVSS Scores: Severity of vulnerabilities.
  • Dependency Path: Which component introduced the vulnerability.

Viewing the Results:

  • Open the HTML report or integrate with Jenkins for an automated dashboard.

Interpreting Results:

  • Prioritize dependencies with high CVSS scores.
  • Update or replace vulnerable libraries as soon as possible.

3. OWASP Dependency-Track

Output: Interactive dashboards via a web interface.

Key Metrics:

  • BOM (Bill of Materials) analysis.
  • Vulnerabilities per component.
  • Policy violations.

Viewing the Results:

  • Access the dashboard through the configured URL.

Interpreting Results:

  • Track components with critical vulnerabilities.
  • Set up notifications for policy violations.

4. OWASP Defectdojo

Output: Web-based interface with aggregated vulnerability data.

Key Metrics:

  • Findings grouped by severity.
  • Tool-specific results.
  • Engagement summaries.

Viewing the Results:

  • Log into the Defectdojo dashboard.

Interpreting Results:

  • Look for common vulnerability patterns.
  • Use tagging to track issues across multiple applications.

5. OWASP CSRFGuard

Output: Log files indicating blocked requests and configuration details.

Key Metrics:

  • Blocked request logs.
  • Generated tokens.

Viewing the Results:

  • Inspect server logs.

Interpreting Results:

  • Ensure legitimate requests aren’t being blocked.
  • Monitor for repeated attack attempts.

6. OWASP ModSecurity Core Rule Set (CRS)

Output: Logs within web server logs (e.g., Apache or Nginx).

Key Metrics:

  • Blocked requests.
  • Triggered rules.

Viewing the Results:

  • Check /var/log/modsec_audit.log.

Interpreting Results:

  • Identify patterns in attack vectors.
  • Adjust rules for legitimate traffic if necessary.

7. OWASP AMASS

Output: Console output and JSON reports.

Key Metrics:

  • Discovered domains.
  • Network mapping.

Viewing the Results:

  • View results in terminal or JSON files.

Interpreting Results:

  • Investigate unknown subdomains.
  • Track potential attack surfaces.

8. OWASP Security Shepherd

Output: Interactive UI for security training performance.

Key Metrics:

  • User performance metrics.
  • Challenge completion statistics.

Viewing the Results:

  • Access via the web dashboard.

Interpreting Results:

  • Identify gaps in security knowledge.
  • Tailor future training based on results.

Keeping OWASP Tools Updated

Like milk, security tools have an expiration date if you don’t update them regularly. Here’s how to keep them fresh:

1. Automate Updates

  • Use package managers (e.g., choco, pip, go get, apt, maven) to schedule updates.
  • Add update steps in CI/CD pipelines.

2. Monitor Official Sources

  • Subscribe to OWASP mailing lists and GitHub repositories.

3. Test After Updates

  • Run tests after tool updates to catch compatibility issues.

Update Commands:

  • ZAP: sudo apt update && sudo apt upgrade zaproxy
  • Dependency-Check: dependency-check.sh --updateonly
  • Defectdojo: docker-compose pull && docker-compose up -d
  • AMASS: go install github.com/OWASP/Amass/v3/...

Putting the Tool Results to Practical Use

Introduction

Congratulations!

You’ve integrated OWASP tools into your DevOps pipeline and now you know how to get to the reports and data from these tools.

Now comes the essential step: putting all that data to practical use.

Security tools are only as effective as the insights they provide and how you act on those insights.

Part 1: Reviewing OWASP Tool Results for Each Build

Step 1: Centralize the Data

Security data from multiple tools can quickly become overwhelming. The first step is to centralize results into a single dashboard.

  • Use tools like OWASP Defectdojo, Elasticsearch, Splunk, or Grafana.
  • Set up integrations so that results from ZAP, Dependency-Check, Dependency-Track, AMASS, etc., all flow into one place.

Example Configuration (Defectdojo)

1

docker-compose up -d
  • Ingest results using APIs:
1

curl -X POST "https://defectdojo.local/api/v2/import-scan/" -H "Authorization: Token YOUR_TOKEN" -F "file=@zap_report.json"

Step 2: Organize the Data

Group vulnerabilities by:

  • Severity: Critical, High, Medium, Low.
  • Type: SQL Injection, XSS, CSRF, etc.
  • Tool: Identify which tool detected the issue.

Pro Tip: Use tags to correlate findings across tools.

Step 3: Establish a Review Process

Schedule regular security reviews:

  • After every build.
  • Before major releases.
  • After significant code changes.

Tool-Specific Viewing Tips:

  • OWASP ZAP: Check for anomalies in automated baseline reports.
  • Dependency-Track: Review the component inventory for outdated libraries.
  • AMASS: Analyze domain discovery results for unexpected domains.

Part 2: Detecting Errors and Critical Warnings

Step 1: Define Error Conditions

Identify the error conditions to watch for, such as:

  • High/Critical vulnerabilities.
  • Failed tool executions.
  • Patterns of repeated attacks (e.g., multiple SQL injection attempts).

Step 2: Implement Log Monitoring

Use tools like Prometheus and Grafana to monitor log files in real-time.

Prometheus Configuration Example:

1
2
3
4
5
6

scrape_configs:
  - job_name: 'zap_logs'
    static_configs:
      - targets: ['localhost:9090']
    file_sd_configs:
      - files: ['/var/log/zap/zap.log']

Step 3: Add Alerting Rules

Define alerts in Prometheus for error conditions:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

alerting:
  alertmanagers:
    - static_configs:
        - targets: ['localhost:9093']
  rules:
    - alert: HighSeverityVuln
      expr: zap_vulnerabilities{severity="high"} > 0
      for: 5m
      labels:
        severity: critical
      annotations:
        summary: "High severity vulnerability detected"

Part 3: Sending Email Notifications

Step 1: Choose an Email Service

Popular options:

  • SMTP (Simple Mail Transfer Protocol)
  • SendGrid
  • Amazon SES

Step 2: Set Up Email Alerts

Prometheus Alertmanager can send emails when conditions are met.

Example Configuration:

1
2
3
4
5
6
7
8

receivers:
- name: 'email'
  email_configs:
    - to: 'security_team@company.com'
      from: 'alerts@company.com'
      smarthost: 'smtp.company.com:587'
      auth_username: 'alerts@company.com'
      auth_password: 'your_password'

Step 3: Test the Alert System

Generate a test vulnerability and confirm that an alert is sent.

Pro Tip: Simulate incidents quarterly to ensure the system works.

Part 4: Best Practices for Practical Data Utilization

  1. Automate Data Collection: Manual processes don’t scale.
  2. Prioritize Vulnerabilities: Focus on critical and high-severity issues first.
  3. Correlate Across Tools: Cross-reference results to detect complex attack patterns.
  4. Integrate Security Early: Implement security checks in early pipeline stages.
  5. Establish a Feedback Loop: Share findings with developers.
  6. Track Trends Over Time: Identify patterns and recurring vulnerabilities.
  7. Update Tools Regularly: OWASP tools need to be current to detect new threats.
  8. Document Processes: Maintain clear documentation for security workflows.
  9. Regularly Train Teams: Keep everyone aware of new threats.
  10. Simulate Attacks Periodically: Run internal red-team exercises.

Part 5: Real-World Examples Found on the Interwebs…

  1. Netflix: Uses OWASP ZAP for automated API security testing.
  2. Etsy: Leverages Dependency-Track to manage open-source dependencies.
  3. Spotify: Implements AMASS for domain enumeration.
  4. Uber: Integrates Defectdojo into its CI/CD pipelines.
  5. GitHub: Relies on Dependency-Check to monitor libraries.
  6. Google: Analyzes security training with Security Shepherd.
  7. Microsoft: Employs ModSecurity CRS on Azure services.
  8. Amazon: Tracks dependency vulnerabilities across microservices.
  9. Airbnb: Uses OWASP ZAP with their continuous delivery pipelines.
  10. Shopify: Implements comprehensive security dashboards with Grafana.
© 2001 - 2025 Brian Braatz Blog