System Requirements for OWASP ZAP

[NigelWittshire]

Greetings, all.

I've been using OWASP ZAP for about a year or so, and I believe I have a fairly good understanding of its operation when using it for DAST.  We are now in the process of migrating from our current DAST system to ZAP, and I've been testing automation with ZAP via Docker containers running on a lap ESXi-based RHEL 8 server with <100GB storage, 2 CPU cores, and 4GB memory.  I ran into an incident where some scans would run indefintely, and run the /var filesystem out of space, making the system unreachable.

For our production-ready systems that we're planning to build, I'd like to get an idea of what we should have for system requirements (we're looking at having multiple RHEL8 VMs built to perform these scans, both scheduled, as well as ad-hoc, most likely using Docker.

Any thoughts about this?

Thank you for your time.

[Simon Bennetts]

Hiya,

Its really difficult for us to give advice on what the System Requirements are for ZAP because it depends so much on what you are using it for and what your apps look like.

We know it will run on a Raspberry Pi: https://www.zaproxy.org/blog/2022-08-25-zap-on-raspberry-pi/

But I really wouldnt want to use that for a production system!

My best advice is to try it with the type of tasks you expect to use it for and see :)

Cheers,

Simon

[NigelWittshire]

I use RPi hosts for Docker-based network services on my home network, but those aren't enterprise-ready, as mentioned.  I'm using the full_scan script provided in the official Docker image.

Does that help?

[kingthorin+owaspzap]

For context, 4GB is the min requirement for RHEL 8 alone: https://www.linuxtechi.com/rhel-8-installation-steps-screenshots/

Elsewhere, 1.5GB per logical CPU: https://access.redhat.com/articles/rhel-limits#minimum-required-memory-3 So 2 cores would be 3, if your 2 cores are hyper-threaded then 6GB....

[NigelWittshire]

The box that I'm running on is just a lab VM for a POC, so the production hosts will have substantially more resources.  We have several hundred web apps (to start) for which we will be performing weekly DAST scans.  We're thinking at least three VMs running Docker, or perhaps some dedicated microservice resources in our Tanzu environment to host the ZAP scans.