[Looking for feedback] Zap As A Service

Varun K

Oct 10, 2021, 1:31:17 PM
to OWASP ZAP Developer Group
Hi all,

I recently developed an automation framework for ZAP at scale. I am calling it ZAP As A Service. Though ZAP runs perfectly fine for scanning a few requests, it's hard to scan a few 1000s of requests, which I have to do.

Though ZAP provides APIs, one major limitation for me is that a single ZAP instance cannot handle multiple sessions. So I have created ZaaS, which runs along with ZAP on a Kubernetes cluster with as many pods as you like.

ZaaS takes care of storing the information required for scans, scheduling scans and sending output to a registered webhook. Currently, for me, it's scaling really well when I scan 1000s of requests while autoscaling ZAP instances on pods.

Here is my architecture diagram; I would appreciate your feedback on the idea and architecture. I will make it open source soon.

zaas.png

Best,
Varun.

Varun K

Oct 10, 2021, 1:32:23 PM
to OWASP ZAP Developer Group
If the inserted image is not visible, please find the attached image here.
zaas.png

psiinon

Oct 11, 2021, 4:39:01 AM
to OWASP ZAP Developer Group
Hiya Varun,

Looks good, and the architecture looks very sensible.
Is this something you are thinking of open sourcing?

Cheers,

Simon

Varun K

Oct 11, 2021, 10:00:01 AM
to OWASP ZAP Developer Group
Hi Simon,

Thanks for the feedback! Yes, I am thinking of open sourcing it.

I have a working solution already; I am just checking for bugs and will release it soon.

Best,
Varun.
