Part 7: Scanning the Live App with OWASP ZAP (DAST)

🚨 What Is DAST?

DAST stands for Dynamic Application Security Testing.

Unlike SAST and SCA (which scan your code and dependencies), DAST tools like OWASP ZAP scan the live, running application, the way a real attacker would.

They hit your endpoints and look for:

  • SQL injection
  • XSS (Cross-Site Scripting)
  • Directory traversal
  • Broken authentication
  • and more

This is your last line of defense before something hits production.


🧠 When Should You Run ZAP?

DAST should run after deployment:

  • The app is deployed to Azure App Service
  • The endpoint is live
  • ZAP can access the public URL

Important: Never run aggressive DAST scans against production without permission. Use a staging/test environment instead.


βš™οΈ How Does ZAP Work in a Pipeline?

You can run OWASP ZAP in headless (CLI) mode in your Azure DevOps pipeline using Docker.

The CLI tool will:

  1. Start the ZAP container
  2. Crawl and scan your app
  3. Output a report
  4. Fail the build if critical issues are found

✅ Add ZAP Scan Stage to Your Azure Pipeline

- stage: DAST
  displayName: 'Dynamic Scan with OWASP ZAP'
  dependsOn: AppDeploy
  jobs:
    - job: zapScan
      displayName: 'Run ZAP Scan'
      pool:
        vmImage: 'ubuntu-latest'
      steps:
        - script: |
            # zap-baseline.py writes gen.conf and zap-report.html to /zap/wrk inside
            # the container; mount a writable host directory there or the report is
            # lost when the container exits. The ZAP image runs as a non-root user,
            # hence the chmod on the mounted directory.
            mkdir -p "$(Build.SourcesDirectory)/zap" && chmod 777 "$(Build.SourcesDirectory)/zap"
            # Note: the ZAP project now publishes this image as ghcr.io/zaproxy/zaproxy:stable
            docker pull owasp/zap2docker-stable
            docker run --rm -t -v "$(Build.SourcesDirectory)/zap:/zap/wrk:rw" \
              owasp/zap2docker-stable zap-baseline.py \
              -t https://your-app-service.azurewebsites.net \
              -g gen.conf -r zap-report.html
          displayName: 'Run OWASP ZAP'
        - task: PublishBuildArtifacts@1
          condition: always()   # keep the report even when the scan fails the build
          inputs:
            pathToPublish: '$(Build.SourcesDirectory)/zap'
            artifactName: 'zap-report'

📊 What This Does

  • Pulls the official OWASP ZAP Docker image
  • Runs a baseline scan against your running app
  • Outputs a report in zap-report.html
  • Logs the findings directly in your pipeline

πŸ” Pro Tip: Soft Fail First

In early stages, let the build pass even with warnings. You can add -x (fail on risk level) later:

-x medium

This will fail the pipeline if any medium or high severity issues are found.
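Added example (not from the original post): a small gate script that reads the JSON report zap-baseline.py writes when you also pass -J zap-report.json, and returns exit code 1 when any alert is at or above a chosen risk level, so a later pipeline step can fail the build on Medium or High findings. It assumes the traditional ZAP JSON report layout (a "site" list, each with "alerts" carrying "riskcode" from 0 = Informational to 3 = High); the sample report embedded below is constructed, not a real scan result, and the file name zap_gate.py is an assumption.

```python
import json
import sys

# ZAP risk codes in the report: 0 = Informational, 1 = Low, 2 = Medium, 3 = High
RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
RISK_CODES = {name.lower(): code for code, name in RISK_NAMES.items()}


def alerts_at_or_above(report: dict, min_risk: str) -> list:
    """Alerts whose riskcode meets the threshold, highest risk first (stable order)."""
    threshold = RISK_CODES[min_risk.lower()]
    hits = []
    for site in report.get("site", []):          # one entry per scanned host
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= threshold:
                hits.append({
                    "pluginid": alert.get("pluginid"),
                    "name": alert.get("alert") or alert.get("name"),
                    "riskcode": risk,
                    "risk": RISK_NAMES.get(risk, str(risk)),
                    "count": len(alert.get("instances", [])),
                })
    return sorted(hits, key=lambda a: a["riskcode"], reverse=True)


def gate(report: dict, min_risk: str = "medium") -> int:
    """Exit code for the pipeline step: 1 if any alert meets the threshold, else 0."""
    hits = alerts_at_or_above(report, min_risk)
    for h in hits:
        print(f'[{h["risk"]}] {h["pluginid"]} {h["name"]} ({h["count"]} instance(s))')
    return 1 if hits else 0


# Constructed sample, shaped like a zap-baseline.py -J report; not a real scan result.
SAMPLE_REPORT = {"site": [{
    "@name": "https://your-app-service.azurewebsites.net",
    "alerts": [
        {"pluginid": "10020", "alert": "Missing Anti-clickjacking Header", "riskcode": "2",
         "instances": [{"uri": "https://your-app-service.azurewebsites.net/"}]},
        {"pluginid": "10010", "alert": "Cookie No HttpOnly Flag", "riskcode": "1",
         "instances": [{"uri": "https://your-app-service.azurewebsites.net/login"}]},
        {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1",
         "instances": [{"uri": "https://your-app-service.azurewebsites.net/"},
                       {"uri": "https://your-app-service.azurewebsites.net/api"}]},
    ]}]}

if __name__ == "__main__":
    report = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(report, sys.argv[2] if len(sys.argv) > 2 else "medium"))
```

Run it from a script step after the scan as python zap_gate.py zap/zap-report.json medium; with no arguments it gates the embedded sample.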


🧼 How to Handle Findings

If ZAP reports:

  • Reflected parameters → sanitize input
  • Missing security headers → update response headers
  • Open directories → lock them down
  • Cookies without HttpOnly or Secure → fix in app/server config

Every warning = an opportunity to make your app more secure.


🧭 Where to See the Report

You can:

  • Output it as an artifact (zap-report.html)
  • View it in the pipeline logs
  • Integrate with dashboards or upload to Snyk / Azure Security Center

✅ Recap: Your Full DevSecOps Pipeline

You’ve now built a real DevSecOps pipeline that:

  • Scans libraries (Snyk / SCA)
  • Scans code (SonarQube / SAST)
  • Scans infra (Checkov / IaC)
  • Deploys with Terraform
  • Deploys your Java app
  • Scans the live running app (ZAP / DAST)

🎉 You Did It!

This isn’t a toy project. This is a real-world, security-first CI/CD pipeline that:

  • Prevents vulnerable code from shipping
  • Secures your cloud resources
  • Catches issues before and after deployment
  • Builds trust in everything you release

🧭 Want More?

From here, you can expand into:

  • GitOps (ArgoCD, Flux)
  • Secrets management (Key Vault + Azure DevOps)
  • Audit logs and monitoring
  • Role-based access controls
  • Policy-as-code (OPA, Sentinel)