ZAP Scan Policies


Simon Bennetts

Oct 29, 2024, 6:11:33 AM
to ZAP User Group
We are considering maintaining a set of Active Scan Policies that will be included with all ZAP releases.
These will define the rules and associated strengths and thresholds that we recommend using in different situations.
You will, of course, still be able to define whatever policies work for you :)

The policies we have so far are (the names may well change):

All Rules:
  • A very simple policy that includes all of the rules you have installed.
Developer CI/CD:
  • The essential rules we recommend for use in CI/CD.
  • No pentester focused rules
  • No high false positives
  • No long running rules
  • Less focus on web server level checks
Developer Standard:
  • The rules we recommend for scheduled scans in development.
  • As "Developer CI/CD" but with more coverage
Developer Full:
  • As "Developer Standard" but with more coverage
  • Ideal for companies who want to check everything relevant at this stage
QA Standard:
  • The rules we recommend for scheduled scans in QA.
  • As "Developer Standard" but with more web server level checks
QA Full:
  • As "Developer Full" but with more web server level checks
  • Ideal for companies who want to check everything relevant at this stage
OWASP Top 10:
  • All rules that apply to the latest OWASP Top 10
  • To be honest we don't think this is a particularly good set, but many people seem to want it for compliance :/
CASA

The plan is for these policies to be defined in a new ZAP add-on.
This add-on would be included in all ZAP packages from the next release (2.16.0).

Some questions for you:
  • Do these policies look useful to you?
  • Do you think the definitions are correct?
  • Are there any other policies you would like us to maintain?
  • Any other feedback?
Many thanks,

Simon

phil young

Oct 29, 2024, 6:20:53 AM
to ZAP User Group
I would keep the number small so you have to maintain less. I had a stab at this a while back - something like:
https://github.com/philgitphoton/ZapScanPolicies

I can see the benefit of the OWASP Top Ten; we all know that's not the be-all and end-all, but it's what people ask for every time in RFPs etc.

Simon Bennetts

Oct 29, 2024, 6:52:51 AM
to ZAP User Group
Oh nice!
We'll definitely have a look at that.

FYI the internal plan is to maintain them using alert tags.
This means that the alerts themselves will define which policies they effectively belong to in their code.
That's something we maintain as a matter of course.

Cheers,

Simon