DeepFactor has closely integrated OWASP ZAP to enable you to run DAST scans on your application’s components.
DeepFactor currently supports Dynamic Application Security Testing (DAST) scans of HTTP services. Your DeepFactor-instrumented HTTP service deployment must be configured so that SSL/TLS is terminated in front of your HTTP server, leaving the server itself to receive plain HTTP.
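As an added example (not part of DeepFactor's documentation), the following nginx configuration terminates TLS in front of an instrumented HTTP server in the way the requirement above describes. The hostname, the certificate paths and the backend address 127.0.0.1:8080 are assumptions; substitute your own.

```nginx
# Added example, not DeepFactor's own configuration: nginx terminates TLS and
# forwards plain HTTP to the DeepFactor-instrumented service behind it.
# Assumed values: app.example.com, the certificate paths, and the backend
# listening on 127.0.0.1:8080.

server {
    listen 80;
    server_name app.example.com;
    # Send plaintext clients to the TLS listener so all external traffic is encrypted.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    location / {
        # The hop from nginx to the instrumented HTTP server is plain HTTP,
        # so the service itself never handles TLS.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

The same pattern applies when a load balancer or ingress terminates TLS instead of nginx: what matters for the requirement above is that the instrumented component itself receives plain HTTP, while the `X-Forwarded-Proto` header lets the application still know the original request arrived over HTTPS.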
DeepFactor has also enhanced the standard ZAP scan to provide more evidence for DAST insights as follows:
- DeepFactor enhances the insights obtained from the standard OWASP ZAP scans by gathering additional application behavior telemetry from “inside the app” while the scanner is exercising the URIs used by the app “from the outside.”
- You can initiate a scan on any of your web services, even those running in a private network, as long as there is connectivity from your application to the DeepFactor portal. This lets you scan all your web services without exposing them to the public Internet. You can also scan each web service component individually (load balancer, API web service, etc.), which gives you insight into each layer's security profile rather than only that of the exposed host.
- DeepFactor also provides APIs to start scans and get results so you can easily run scans as part of your CI/CD pipeline. Please follow the API link at the top of your DeepFactor portal for details and OpenAPI documentation.
DeepFactor observes incoming HTTP traffic on all ports of your component and detects any web services present in your component.
Note: Your web service will show up in the DeepFactor portal only after the first incoming HTTP connection reaches your component.
You can view these web services on the portal under the Web Services tab. Click Start Web Scan to open the start scan page, and click Save Configuration As to save the configuration.