ZAP as DAST for enterprise

Dropshift

Feb 22, 2021, 6:33:11 AM
to OWASP ZAP User Group

Hello,

So I have some questions about ZAP. I searched the documentation but didn't find anything clear about these subjects.

  • Does it provide a control access layer (admin, dev, user)?
  • Can we use it to scan apps in a cloud environment?
  • We develop APIs, can ZAP scan them?
  • Does it provide good reporting (HTML, PDF, ...)?

Thank you for your time,   

Jonathan 

Simon Bennetts

Feb 22, 2021, 6:45:16 AM
to OWASP ZAP User Group
Hiya Jonathan,

Replies inline:

On Monday, 22 February 2021 at 11:33:11 UTC drops...@gmail.com wrote:

> Hello,
>
> So I have some questions about ZAP. I searched the documentation but didn't find anything clear about these subjects.
>
>   • Does it provide a control access layer (admin, dev, user)?

No, ZAP is a single-user tool, it does not provide user management.
We did look at creating a SaaS implementation but it proved to be too much work for a relatively small development team.
However, we do know of some commercial companies which provide SaaS offerings which use ZAP - see https://www.zaproxy.org/third-party-services/

>   • Can we use it to scan apps in a cloud environment?

Depends if you mean if ZAP is running in a cloud environment or your target apps :)
Yes, ZAP can test apps running in a cloud environment, it just needs to be able to access them.
If you mean ZAP then see the above reply :)

>   • We develop APIs, can ZAP scan them?

Yes. We provide a packaged ZAP API scan: https://www.zaproxy.org/docs/docker/api-scan/ or you can launch ZAP in daemon mode and have full control of it via the API.
We are also working on a new automation framework which will not depend on docker.

>   • Does it provide good reporting (HTML, PDF, ...)?

OK, I'll have to be honest - the ZAP reports are currently fairly basic :)
However, you do have access to pretty much all of the data that ZAP maintains via the API and we are working on a new reporting add-on.

Cheers,

Simon
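
The reply above notes that ZAP can run in daemon mode and that its data is available through the API. The following is an added example, not part of the original post and not ZAP's own code, of building a custom HTML summary from the alerts that ZAP's `core` alerts view returns. The daemon address, API key, target URL and the sample alerts are assumptions constructed for illustration.

```python
import html
import json
import urllib.parse
import urllib.request
from collections import defaultdict

RISK_ORDER = ["High", "Medium", "Low", "Informational"]

# Constructed sample of the JSON shape returned by ZAP's core "alerts" view.
SAMPLE = json.loads("""{"alerts": [
 {"alert": "SQL Injection", "risk": "High", "cweid": "89", "url": "https://api.example.test/v1/users?id=1"},
 {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "cweid": "693", "url": "https://api.example.test/v1/users"},
 {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "cweid": "693", "url": "https://api.example.test/v1/orders"},
 {"alert": "<b>odd</b> name", "risk": "Medium", "cweid": "-1", "url": "https://api.example.test/v1/x"}
]}""")

def fetch_alerts(zap_base, api_key, target):
    """Read alerts from a running ZAP daemon (address and key are assumed values)."""
    query = urllib.parse.urlencode({"baseurl": target})
    req = urllib.request.Request(f"{zap_base}/JSON/core/view/alerts/?{query}",
                                 headers={"X-ZAP-API-Key": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["alerts"]

def summarize(alerts):
    """Group by (risk, alert name, CWE); return rows sorted most severe first."""
    groups = defaultdict(set)
    for a in alerts:
        key = (a.get("risk", "Informational"), a["alert"], a.get("cweid", ""))
        groups[key].add(a["url"])
    def rank(key):
        risk = key[0]
        pos = RISK_ORDER.index(risk) if risk in RISK_ORDER else len(RISK_ORDER)
        return (pos, key[1])
    return [(risk, name, cwe, sorted(urls)) for (risk, name, cwe), urls
            in sorted(groups.items(), key=lambda kv: rank(kv[0]))]

def render_html(rows):
    """Escape every field: alert data can echo content from the scanned app."""
    body = "".join(
        f"<tr><td>{html.escape(r)}</td><td>{html.escape(n)}</td>"
        f"<td>{html.escape(c)}</td><td>{len(u)}</td></tr>" for r, n, c, u in rows)
    return ("<table><tr><th>Risk</th><th>Alert</th><th>CWE</th><th>URLs</th></tr>"
            f"{body}</table>")

if __name__ == "__main__":
    # Offline run on the constructed sample; use fetch_alerts() against a live daemon.
    print(render_html(summarize(SAMPLE["alerts"])))
```

Keep the API key out of source control and restrict which hosts can reach the daemon's API port, since anyone with the key has full control of that ZAP instance.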

Dropshift

Feb 22, 2021, 7:01:23 AM
to OWASP ZAP User Group
Thank you very much Simon
Have a nice :)
