DAST & Observability: Made For Each Other!

DeepFactor seamlessly integrates Continuous Observability and OWASP ZAP to deliver powerful runtime security insights to developers.

If you are thinking about only using a dynamic application security testing (DAST) tool in your DevSecOps pipeline, you might not be considering the big picture. This article discusses why it is prudent to consider Observability and DAST together to ship secure applications. 1 + 1 can be greater than 2!

Observability has typically been used in the context of performance-related tracing and troubleshooting. DeepFactor, however, uses observability for security and compliance. It’s a much more powerful, comprehensive, and modern way to think about your DevSecOps pipeline. DeepFactor now supports a one-click OWASP ZAP scan to make it easy for you to include DAST and observability as part of the development process.

What does Continuous Observability mean in the context of security & compliance?

Static application security testing (SAST) and software composition analysis (SCA) tools scan your source code and build artifacts. But, they do not have visibility into how your application is behaving when it is deployed and running. You need something to fill that void. Enter Continuous Observability tools – these tools watch everything an app is doing when it is running (typically in your dev/test/stage/pre-production environments) and provide an assessment of the runtime security and compliance risks that could be leveraged to hack into your production environment. Having the right observability tool in your DevSecOps pipeline can help identify issues that SAST/SCA/container scanning tools can’t catch. It is also a great way to have a highly targeted short-list of insights based on what your app ACTUALLY did, instead of theoretically surmising what your code could possibly do. It’s a great dev tool!

How does observability work?

With DeepFactor, we’ve created an observability platform that requires zero code changes to the app. It works with modern containerized/Kubernetes/Docker apps as well as non-containerized apps. You simply need to run one command.

DeepFactor’s dynamic library is preloaded into the application and it observes over 170 parameters, such as system calls, library calls, process/memory behavior, file system access, network behavior, HTTP packets, and much more. And it observes every thread of every process in every deployment of your application. This includes not just your code’s behavior, but also that of any 3^rd party components, open source components, as well as your interpreter’s (Java/Node.js/Python, etc.) behavior. All this telemetry is analyzed for anomalies, and security/compliance risks are presented to the user.

Why OWASP ZAP scan?

The greater you exercise your app, the more code paths are exercised, enabling DeepFactor to find more insights. So if you are running DeepFactor as part of your Continuous integration (CI) pipeline, make sure to turn on your automated tests. The more comprehensive your tests are, the more insights DeepFactor will find. But many times, automated tests aren’t comprehensive enough. So having an external scan, like a DAST scan, is a great way to crawl your app’s web/API interfaces and exercise your app’s code paths a lot more comprehensively. This is precisely why DeepFactor integrates the open source OWASP ZAP scan utility seamlessly into it’s observability platform. DeepFactor is also a silver sponsor to the OWASP ZAP open source initiative to help further the OWASP Foundations mission to make application security “visible,”​ so that people and organizations can make informed decisions about application security risks.

How does OWASP ZAP scan work with DeepFactor? 

1. Automated ZAP admin setup
   1. Without DeepFactor, setting up a server for OWASP ZAP scan and maintaining is typically not a straightforward task. Your team may not have the bandwidth to do it. You need to install the ZAP server, configure the proper settings (and there are many things you can tweak, so it is generally an involved task that you need to pull the AppSec team into), understand authentication setup, understanding the format of the results, obtaining the request/response data in order to fix OWASP vulnerabilities in your app, and more…All this involves time, server resources, and security expertise.
   2. DeepFactor’s integration with OWASP ZAP, automates all these administrative tasks, so that developers can trigger scans with one-click or one-command. The OWASP ZAP server is containerized and incorporated into the DeepFactor portal. Additional scan configuration, authentication options and more are presented in a simple UI/config, making it super easy to start scan.
2. Automated routing configuration
   1. Most common cloud apps are made of several components. You could be using nginx at the entrypoint, a few Node.js/Java/C++ services, a database, a message queue, some 3^rd party APIs, etc. If one were to set up OWASP ZAP without DeepFactor, you’d have to open up routing and make sure your app’s endpoint was reachable by ZAP. This can sometimes mean cumbersome networking configuration and working with other teams in your IT department. Not very developer friendly is it?!
   2. In order to make this much more elegant and simple, DeepFactor incorporates a reverse proxy capability into every component that it runs with. So when you run and observe an app with DeepFactor, the HTTP services in any of the components will automatically become reachable when the instance is selected for scan through the DeepFactor portal. So you can trigger a ZAP scan without having to worry about configuring any routing. Just point and click!
3. Automated evidence information and tracking between releases
   1. ZAP scan results, by default, do not involve request/response details. One has to use other means or APIs to get that info, and then correlate with ZAP results.
   2. Scan results, when presented with actionable evidence, make it easy to fix the application. DeepFactor’s alert pages, which summarize all the OWASP ZAP alerts, automatically include request/response information, making it easy for the developer to triage and fix the vulnerability.
4. Integration with JIRA, Slack, SSO
   1. Without DeepFactor, one needs to run the ZAP scan, then go to separate tools like JIRA, get the scan report details and put it in there. In addition, sending it as a Slack notification etc. involves manual copy/paste and switching between tools.
   2. Developers can click a button to automatically file a JIRA for each occurrence of the OWASP ZAP alert. They can see the alert details in their Slack. They can login with the Okta credentials and kick off scans or triage alerts.

Learn more about DeepFactor’s one-click DAST scan here.

Key Takeaways

Think about the big picture:
If you are serious about your DevSecOps initiative, don’t stop with SAST/SCA/container scanning tools. Consider observability tools to get insights into what your app is doing at runtime. This can “save your hide” and help identify key attack vectors that static code inspection cannot catch!

Give your developers the right visibility into your apps:
Instead of thinking of using a DAST tool separately and only get insights into the web layer of your app, think about giving your developers a full view of your applications’ runtime security posture holistically. An observability tool comprehensively looks at your app’s behavior and identifies risks in system call, network, library, web/api and other behaviors, and gives your developers an opportunity to find and fix risks before production.

Leverage automation and reduce the number of tools:
When using a DAST tool like OWASP ZAP, consider the time and expertise required to setup and manage a separate ZAP portal, versus using ZAP that is seamlessly integrated into a platform like DeepFactor.

DeepFactor is FREE for 10 or less developers! Get started right away!