
Wilson Mar




Practice finding security vulnerabilities within ZAP or the Broken Web App by running SCA, SAST, DAST, IAST using open-source SonarQube, Sonatype, Synopsys and other tools



Why this?

Threat hunting is a proactive approach to detecting and mitigating threats. It is a continuous process of searching for, identifying, and mitigating potential threats in your environment.

OWASP Web Top 10

OWASP is a non-profit organization with a mission to provide practical vendor-neutral information about application security.

The OWASP Top 10 - 2017 (PDF) is produced by an ongoing volunteer team. OWASP originally stood for Open Web Application Security Project; in 2023 it was renamed the Open Worldwide Application Security Project.

The OWASP Top 10 Web Application Security Risks was updated in 2021.

YouTube videos from F5 DevCentral 2017 by John Wagnon (and Description from OWASP):

  1. VIDEO: Injection Attacks (Description, blog article)

  2. VIDEO: Broken Authentication (Description)

  3. VIDEO: Sensitive Data Exposure (Description)

  4. VIDEO: XML External Entities (XXE) (Description)

  5. VIDEO: Broken Access Control (Description)

  6. VIDEO: Security Misconfiguration (Description)

  7. VIDEO: Cross-Site Scripting (XSS) (Description) blog

  8. VIDEO: Insecure Deserialization (Description)

  9. VIDEO: Using Components with Known Vulnerabilities (Description)

  10. VIDEO: Insufficient Logging and Monitoring (Description)

Also: Cross-Site Request Forgery (CSRF)

Coding Errors

Top 25 Common Weakness Enumeration (CWE): CWE is a category system for software vulnerabilities and weaknesses; the CWE Top 25 ranks the most dangerous of them.

The earlier CWE/SANS Top 25 Most Dangerous Software Errors grouped them into three categories:

  • Insecure Interaction Between Components,
  • Risky Resource Management, and
  • Porous Defenses

OWASP API Security Top 10

The API Security Top 10 has 2019 and 2023 editions; the 2023 list is below, with 2019 names noted where they changed. Courses on it are offered by APIsec University (APISec.ai).

  1. API1:2023 Broken Object Level Authorization (BOLA)

    CLASS: This is the most common and most damaging API vulnerability, resulting in data loss, disclosure, and manipulation. APIs expose endpoints that handle object identifiers, creating a wide attack surface of object-level access control issues. An object-level authorization check belongs in every function that reaches a data source using an identifier supplied by the user. Example: authenticated user A retrieves user B’s private data by changing an ID in the request. Prevention:

    • Define data access policies and implement them in the business logic of the API.
    • Enforce data access controls on the server side, not just the client side.
    • Implement horizontal access control checks so one user cannot access another user’s data.

  2. API2:2023 Broken Authentication

    CLASS: (API2:2019 called this Broken User Authentication.) Authentication mechanisms are often implemented incorrectly, allowing attackers to compromise authentication tokens or exploit implementation flaws to assume other users’ identities temporarily or permanently. Compromising the system’s ability to identify the client/user compromises API security overall.

  3. API3:2023 Broken Object Property Level Authorization (BOPLA)

    CLASS: Merges API3:2019 Excessive Data Exposure and API6:2019 Mass Assignment. Aiming for generic implementations, developers tend to expose all object properties without considering their individual sensitivity, relying on clients to filter the data before displaying it (excessive data exposure). In the other direction, binding client-provided data (e.g., JSON) to data models without an allow-list of writable properties lets attackers set properties they should not control (mass assignment); they find the property names by guessing, by exploring other endpoints, or by reading the documentation.

  4. API4:2023 Unrestricted Resource Consumption

    CLASS: (API4:2019 called this Lack of Resources & Rate Limiting.) Quite often APIs do not restrict the size or number of resources a client/user can request. Besides degrading API server performance, leading to Denial of Service (DoS), this leaves the door open to authentication attacks such as brute force, and on metered cloud services it drives up cost.

  5. API5:2023 Broken Function Level Authorization

    CLASS: Complex access control policies with different hierarchies, groups, and roles, and an unclear separation between administrative and regular functions, tend to lead to authorization flaws. By exploiting these issues, attackers gain access to other users’ resources and/or administrative functions.

  6. API6:2023 Unrestricted Access to Sensitive Business Flows

    CLASS: New in 2023. The API exposes a business flow (buying a ticket, posting a comment, reserving stock) without compensating for the harm done when that flow is driven excessively in an automated manner. This is not necessarily an implementation bug: it is a business-logic exposure that needs controls on the flow itself, such as device fingerprinting, human detection, or limits on rate and quantity.

  7. API7:2023 Server Side Request Forgery

    CLASS: New in 2023. SSRF flaws occur when an API fetches a remote resource from a user-supplied URI without validating it, letting an attacker coerce the server into sending requests to unexpected destinations, including internal services behind the firewall or cloud metadata endpoints.

  8. API8:2023 Security Misconfiguration

    CLASS: (Was API7:2019.) Security misconfiguration is commonly a result of insecure default configurations, incomplete or ad-hoc configurations, open cloud storage, misconfigured HTTP headers, unnecessary HTTP methods, permissive Cross-Origin Resource Sharing (CORS), and verbose error messages containing sensitive information.

    Injection was API8:2019 and was dropped from the 2023 list, but the weakness still applies to APIs: injection flaws (SQL, NoSQL, command injection, etc.) occur when untrusted data is sent to an interpreter as part of a command or query, and the attacker’s malicious data tricks the interpreter into executing unintended commands or accessing data without proper authorization.

  9. API9:2023 Improper Inventory Management

    CLASS: (API9:2019 called this Improper Assets Management.) APIs tend to expose more endpoints than traditional web applications, making proper and updated documentation highly important. An inventory of hosts and deployed API versions also matters, to find deprecated API versions and exposed debug endpoints.

  10. API10:2023 Unsafe Consumption of APIs

    CLASS: New in 2023. Developers tend to trust data received from third-party APIs more than user input, and so apply weaker validation, transport and redirect-handling standards to it; attackers therefore go after the integrated third-party service instead of trying to compromise the target API directly.

    API10:2019 Insufficient Logging & Monitoring was dropped from the 2023 list, but the point stands: insufficient logging and monitoring, coupled with missing or ineffective integration with incident response, lets attackers keep attacking systems, maintain persistence, and pivot to more systems to tamper with, extract, or destroy data. Breach studies put the time to detect a breach at over 200 days, typically detected by external parties rather than internal processes or monitoring.
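The two authorization items above (API1 BOLA and API3 BOPLA) are easiest to see side by side in code. The following is an added example, not taken from the OWASP API Security Top 10 document or from any of the sample apps on this page: a toy book store in which each vulnerable handler sits next to its hardened twin. There is no web framework; each handler receives the already-authenticated username (as a Flask view would after validating the token) and returns a (status, body) pair. The users, book titles, secrets and field names are constructed for the example.

```python
"""Added example, not from the OWASP API Security Top 10 document or from
VAmPI: a toy book store showing API1 (BOLA) and API3 (BOPLA, in both its
excessive-data-exposure and mass-assignment forms) as a vulnerable handler
next to its hardened twin. No web framework: each handler takes the
authenticated username and returns (status, body). Data is constructed."""
from copy import deepcopy

SEED_BOOKS = {   # constructed: two users, each owning one book with a secret
    "alice-diary": {"title": "alice-diary", "owner": "alice", "secret": "s3cr3t-a",
                    "price": 10, "approved": False},
    "bob-diary": {"title": "bob-diary", "owner": "bob", "secret": "s3cr3t-b",
                  "price": 12, "approved": False},
}
BOOKS = deepcopy(SEED_BOOKS)

PUBLIC_FIELDS = ("title", "owner", "price")    # BOPLA read side: any authenticated user
OWNER_FIELDS = PUBLIC_FIELDS + ("secret",)     # ...plus what only the owner may read
WRITABLE_FIELDS = ("price",)                   # BOPLA write side: what a client may set


def reset_store():
    """Restore the seed data in place (demos and tests call this between runs)."""
    BOOKS.clear()
    BOOKS.update(deepcopy(SEED_BOOKS))


def stored_record(title):
    """Server-side view of the raw record, to show what an update really changed."""
    return deepcopy(BOOKS[title])


# --- API1 + API3 (read): vulnerable ---------------------------------------
def get_book_vulnerable(user, title):
    # Authenticated is treated as authorized: any user, any book, every field.
    book = BOOKS.get(title)
    if book is None:
        return 404, {"error": "not found"}
    return 200, deepcopy(book)                # leaks the secret and internal flags


# --- API1 + API3 (read): hardened -----------------------------------------
def get_book_hardened(user, title):
    book = BOOKS.get(title)
    if book is None:
        return 404, {"error": "not found"}
    is_owner = book["owner"] == user          # API1: object-level check, server side
    fields = OWNER_FIELDS if is_owner else PUBLIC_FIELDS
    return 200, {k: book[k] for k in fields}  # API3: explicit response allow-list


# --- API3 mass assignment (write): vulnerable -----------------------------
def update_book_vulnerable(user, title, payload):
    book = BOOKS.get(title)
    if book is None:
        return 404, {"error": "not found"}
    book.update(payload)                      # no ownership check, binds any property
    return 200, deepcopy(book)


# --- API3 mass assignment (write): hardened ---------------------------------
def update_book_hardened(user, title, payload):
    book = BOOKS.get(title)
    if book is None or book["owner"] != user:
        # Same answer for "missing" and "not yours": no oracle for object existence.
        return 404, {"error": "not found"}
    rejected = sorted(set(payload) - set(WRITABLE_FIELDS))
    if rejected:                              # fail closed instead of silently dropping
        return 400, {"error": "read-only properties in request", "fields": rejected}
    for key in WRITABLE_FIELDS:
        if key in payload:
            book[key] = payload[key]
    return 200, {k: book[k] for k in OWNER_FIELDS}


if __name__ == "__main__":
    reset_store()
    print("alice reads bob (vulnerable):", get_book_vulnerable("alice", "bob-diary"))
    print("alice reads bob (hardened):  ", get_book_hardened("alice", "bob-diary"))
    print("alice takes over bob's book (vulnerable):",
          update_book_vulnerable("alice", "bob-diary", {"owner": "alice", "approved": True}))
    reset_store()
    print("same request (hardened):", update_book_hardened("alice", "bob-diary", {"owner": "alice"}))
    print("bob self-approves (hardened):", update_book_hardened("bob", "bob-diary", {"approved": True}))
```

Two design choices worth noticing: the hardened update returns 404 rather than 403 for someone else's object, so an attacker enumerating IDs learns nothing about which ones exist, and it rejects a request carrying read-only properties instead of silently dropping them, so a client that is trying to set `owner` or `approved` gets told and the attempt shows up in logs.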

Kubernetes Top 10

See My notes on Kubernetes.


  1. K01: Insecure Workload Configurations
  2. K02: Supply Chain Vulnerabilities
  3. K03: Overly Permissive RBAC Configurations
  4. K04: Lack of Centralized Policy Enforcement
  5. K05: Inadequate Logging and Monitoring
  6. K06: Broken Authentication Mechanisms
  7. K07: Missing Network Segmentation Controls
  8. K08: Secrets Management Failures
  9. K09: Misconfigured Cluster Components
  10. K10: Outdated and Vulnerable Kubernetes Components



APISec Test results

This sample API scan tests:

  • Fail “positive” tests when API functionality is found to not operate as expected according to the API specification.
  • Fail “negative” tests when the API is found vulnerable to attacks imposed by testing tools.

Only 4% of API testing focuses on security, according to Gartner.

One vendor’s API test results are organized into four categories:

A. Vulnerable

  • Injection (Log4J)
  • Fuzzing (random data)
  • Reflected Injection

B. Valuable

  • Personal Data

C. Configuration

  • SSL Certificate
  • SSL Required
  • Server Properties Leak
  • HTTP Options
  • CORS Configuration
  • Incremental IDs

D. Authentication

  • Broken Authentication

Testing is based on lists of vulnerabilities identified by OWASP, SANS, and other organizations.

PCI DSS v4 API Requirements

PCI DSS v4.0 is a 360-page PDF published 31 March 2022. The previous version, v3.2.1, was retired on 31 March 2024; the new requirements that v4.0 marks as “future-dated” become mandatory on 31 March 2025. v4.0 addresses API risks explicitly for the first time.

The previous version, PCI DSS v3.2.1, is a 139-page PDF.

The Payment Card Industry Data Security Standard (PCI DSS) is a proprietary information security standard for organizations that handle branded credit cards from the major card schemes including Visa, MasterCard, American Express, Discover, and JCB.

https://www.pcisecuritystandards.org/ PCI Security Standards Council

https://blog.pcisecuritystandards.org/pci-dss-v4-0-resource-hub PCI DSS 4.0 Resource Hub

https://www.pcisecuritystandards.org/document_library/ PCI Document Library

https://listings.pcisecuritystandards.org/documents/PCI_DSS-QRG-v3_2_1.pdf PCI DSS Quick Reference Guide (PDF)

v1.0 was published in 2004.

Despite v1.1 in 2006, TJX was hacked in 2007 (45M cards). Heartland Payment Systems was hacked in 2008 (130M).

Cardholder data (CHD) is the full Primary Account Number (PAN) or the full PAN along with any of the following elements:

  • Cardholder name
  • Expiration date
  • Service code

Sensitive authentication data (SAD) is the full magnetic stripe data, CAV2, CVC2, CVV2, CID, PINs, and PIN blocks.

Related PCI SSC standards, report types, and assessor programs (PCI DSS itself is the Payment Card Industry Data Security Standard):

  • PTS (PIN Transaction Security)
  • PA-DSS (Payment Application Data Security Standard)
  • P2PE (Point-to-Point Encryption)
  • PCI PIN (PCI PIN Security Requirements)
  • PCI SPoC (PCI Software-based PIN Entry on COTS)
  • PCI CPoC (PCI Contactless Payments on COTS)
  • PCI DSS SAQ (PCI DSS Self-Assessment Questionnaire)
  • PCI DSS ROC (PCI DSS Report on Compliance)
  • PCI DSS AOC (PCI DSS Attestation of Compliance)
  • PCI DSS QSA (PCI DSS Qualified Security Assessor)
  • PCI DSS ASV (PCI DSS Approved Scanning Vendor)
  • PCI DSS ISA (PCI DSS Internal Security Assessor)
  • PCI DSS QIR (PCI DSS Qualified Integrator and Reseller)

Other Standards

  • Health Insurance Portability and Accountability Act (HIPAA)

  • Motor Industry Software Reliability Association (MISRA) C/C++ coding standards

  • CERT C/C++, CERT Java, CERT Python?


  • ISO 26262

  • ISO/IEC TS 17961


Sample broken apps

Several apps have been created to exhibit vulnerability issues, as examples for testing tools.

Such apps should run only inside a guest machine within VirtualBox or VMware, with networking set to NAT or, better, host-only mode, so that nothing else on the LAN can reach the deliberately broken services.

CAUTION: Do not upload them to your hosting provider’s public html folder or any Internet-facing server, as they will be compromised. If you run security vulnerability tests against a server you don’t control, you are hacking that site. So get both an NDA and a contract defining the scope of work before starting.

AWS Goat

VIDEO: https://github.com/ine-labs/AWSGoat provides two web apps containing OWASP Top 10 web application security risks (2021):

  • A Python3 AWS Lambda React blog using DynamoDB with misconfigured AWS resources.
  • An HR Payroll PHP app running on Terraform-built EC2 with misconfigured S3 buckets.

  • https://alparslanakyildiz.medium.com/aws-cloud-pentesting-notes-9dc9e75cbed8
  • https://ine.com/blog/awsgoat-a-damn-vulnerable-aws-infrastructure
  • https://www.helpnetsecurity.com/2022/08/10/awsgoat-vulnerable-aws-infrastructure-video/


Metasploitable3 from Rapid7 is a victim VM created with intentional vulnerabilities for abuse by Metasploit and other ethical hacking tools running in Kali OS. See Metasploit Unleashed at Offsec.com.

The instructions below are the manual steps from Dean Bushmiller’s VIDEO describing the GitHub repo he used to set up Kali Linux and Metasploitable3 VMs as AMIs:

TODO: Create script to do the below.

  1. Sign in to the AWS Console. The copy commands below pull Dean’s AMIs from us-east-1 into whatever region your CloudShell is running in, so pick the region where you want the lab to run:


  2. Click the CloudShell icon, for a URL such as:


  3. Highlight and copy the single command below

    aws ec2 copy-image --name kali-linux --source-image-id ami-0e0c5931cfadd2102 --source-region us-east-1 && aws ec2 copy-image --name metasploitable3-linux --source-image-id ami-0b186198cc048aa9d --source-region us-east-1 && aws ec2 copy-image --name metasploitable3-windows --source-image-id ami-0e3153815a2b50c67 --source-region us-east-1

    PROTIP: The source AMI IDs above exist only in us-east-1, which is why --source-region us-east-1 is fixed; the copies land in the region your CloudShell is running in. To run the lab in yet another region, copy them again from there.

  4. Paste in the CloudShell and press Return to execute.

    If you get a “500 - Internal Server Error”, refresh the page.

    The expected response are new ImageIds:

     "ImageId": "ami-0e0c5931cfadd1111"
     "ImageId": "ami-0b186198cc0482222"
     "ImageId": "ami-0e3153815a2b53333"

    NOTE: Copied AMIs incur only EBS snapshot storage charges until instances are launched from them; deregister them (see the end of this section) when done.

  5. Duplicate another AWS browser tab and search for the “EC2” service for your region, for a URL such as:


  6. Click “AMIs” under Images in the left menu to see the three AMIs created above (each also has a snapshot under Elastic Block Store > Snapshots).

    Create a key pair to SSH into the instances:

  7. Click “Key Pairs” in the left menu


  8. Click the orange “Create Key Pair”
  9. Type a Name such as “kali-linux-231231” and click “Create key pair”.

    Leave defaults RSA for Key Pair type and .pem for use with OpenSSH.

  10. Navigate to the folder where the .pem file is downloaded.

    My IP Address

    To find the public IP address of your laptop:

  11. In an internet browser such as Chrome, click this URL:


    You will later highlight and copy the IPv4 address displayed.

  12. Open another browser tab so you can return to the above page.

    Cloud Formation

  13. Search for the “Cloud Formation” service for your region, for a URL such as:


  14. Click the drop-down “Create Stack” and select “With New Resources (standard)” for the page with default “Template is ready” and “Amazon S3 URL”

  15. Copy the URL below to paste into the “Amazon S3 URL” field:


    That file was created by Dean and has contents beginning with:

    AWSTemplateFormatVersion: 2010-09-09
    Description: Penetration Testing Lab Environment V20221102
  16. Click “Next” for the “Specify stack details” page.
  17. For Stack name, type your unique name and today’s date, such as


    Stack names must start with a letter and contain only letters, digits and hyphens (no spaces), because they are used in URLs and resource names.

  18. Switch back to the tab for the CloudShell to highlight and copy each of the ami-xxxxxx values.

    1. In the AttackerAMIId field, paste from above the first AMI id, for Kali Linux.
    2. In the LinuxVictimAMIId field, paste from above the second AMI id.
    3. In the WindowsVictimAMIId field, paste from above the third AMI id. (Windows 2008 R2)

  19. In the PublicAddress field, paste the IPv4 address you copied above (from https://whatismyipaddress.com/, or any “what is my ip” search). The usual purpose of such a parameter is to restrict the lab’s security group to your address, so if your ISP changes your address you will need to update the stack.
  20. Click the SSHKeyPair field and select the key pair you created above.
  21. Click “Next” for the “Configure stack options” page.
  22. Click “Next” for the Review page.
  23. Click “Estimate cost” to see the cost of running the stack.
  24. Scroll to the bottom to CHECK “I acknowledge that AWS CloudFormation might create IAM resources.”
  25. Click the orange “Create stack” button.
  26. Wait (a few minutes) for “CREATE_IN_PROGRESS” to change to “CREATE_COMPLETE”.
  27. Click “Resources” in the horizontal menu.

    If “ROLLBACK_IN_PROGRESS” appears, delete the stack and try again.

  28. After “Initializing” changes to “checks passed” on all instances, dismiss the CloudShell and What Is My IP Address tabs.

    To SSH into the instance

    Traditionally, connecting to a Windows instance’s GUI needs an RDP client installed, connecting to a Linux instance needs an SSH client, and likewise for VNC.

    Apache’s Guacamole project removes that need: it is a clientless remote desktop gateway that renders RDP, SSH and VNC sessions in an HTML5 browser page.

    VIDEO by Dean Bushmiller shows how to configure Guacamole to access the Kali Linux instance.

  29. Duplicate another AWS browser tab and search for the “EC2” service for your region, instances, for a URL such as:


  30. Click the Instance ID of the instance name ending with “bastion-guacamole”.

    Client IP address

  31. Click the (copy to clipboard) icon to the left of the “Public IPv4 address”.
  32. Open another browser tab and paste the IP address into the address bar to see the Guacamole login page.
  33. The bastion presents a self-signed certificate, so the browser shows “Your connection is not private”. Click “Advanced”.
  34. Click the link such as “Proceed to (unsafe)” for the “APACHE GUACAMOLE” login page. Accepting the warning is reasonable here only because you are connecting to the IP you just copied from your own EC2 console; do not make a habit of it elsewhere.
  35. Click “Allow”.
  36. Type “guacadmin” for the Username.

    Get password within logs

  37. Click “Actions” drop-down to select “Monitor and troubleshoot”, and “Get system log”.
  38. Click in the log and press Ctrl-F to search for “password”.
  39. Highlight and copy the password text such as “WKO0Kq7kJw9N” in:

    Setting Bitnami application password to 'WKO0Kq7kJw9N'
  40. Paste the password. Click “Login”.
  41. At the upper-right, click “guacadmin”, then “Settings”, “New Connection” to fill in fields:

  42. Fill in the fields to connect to Kali Linux:

    • Name: kali
    • Protocol: RDP
    • Maximum number of connections: 1
    • Maximum number of connections per user: 1

    Skip down to: PARAMETERS | Network

    • Hostname:
    • Port: 3390

    Authentication:

    • Username: kali
    • Password: kali

    Leave the rest blank.

  43. Scroll down to click “Save”.
  44. At the upper-right, click “guacadmin”, then “Home”, then that “Kali”.


    Victim Ubuntu config

    This is optional unless you want to confirm a Man-in-the-Middle impact.

    Ansible scripts may be used to configure.

  45. At the upper-right, click “guacadmin”, then “Settings”, “New Connection” to fill in fields:
  46. Copy and paste

    • Name: VIC-NIX
    • Protocol: SSH
    • Maximum number of connections: 1
    • Maximum number of connections per user: 1

    Skip down to: PARAMETERS | Network

    • Hostname:
    • Port: 22

    Authentication:

    • Username: vagrant
    • Password: vagrant

  47. Scroll down to click “Save”.

    Victim Windows 2008 R2 config

    This is optional unless you want to confirm a Man-in-the-Middle impact.

    Ansible or PowerShell scripts may be used to configure.

  48. At the upper-right, click “guacadmin”, then “Settings”, “New Connection” to fill in fields:
  49. Copy and paste

    • Name: VIC-WIN
    • Protocol: RDP
    • Maximum number of connections: 1
    • Maximum number of connections per user: 1

    Skip down to: PARAMETERS | Network

    • Hostname:
    • Port: 3389

    Authentication:

    • Username: vagrant
    • Password: vagrant
    • Security mode: RDP encryption

  50. Scroll down to click “Save”.

  51. Now, hack away! see Kali PenTesting.


    Stop instances

  52. In AWS EC2, click the Instance ID of the instance name ending with “bastion-guacamole” and choose Instance state > Stop instance; do the same for the attacker and victim instances to pause compute billing without deleting the lab.

    CloudFormation phase:

  53. Go to AWS CloudFormation console


  54. Select the stack you built previously and click Delete.

    This deletes all resources for the solution (except the three copied AMIs; see below)

    Delete the copied AMIs:

  55. Go to the EC2 Console > AMIs.
  56. Find the three AMIs that were created earlier with the copy commands and deregister them
  57. After deregistering the AMIs, go to Snapshots in the EC2 Console

    There will be three snapshots associated with the deleted AMIs that you can delete.

Juice Shop

Perhaps the most modern sample vulnerable web app is Juice Shop, maintained by OWASP volunteers at https://juice-shop.herokuapp.com/. Book: “Pwning OWASP Juice Shop” at https://bkimminich.gitbooks.io/pwning-owasp-juice-shop/content, referencing code at https://github.com/bkimminich/juice-shop.


Damn Vulnerable Web Application (DVWA) at http://dvwa.co.uk with code at https://github.com/ethicalhack3r/DVWA is a PHP/MySQL web application. So use XAMPP for its Apache web server and database.


Stand up an instance of the BWA (Broken Web Application), a collection of intentionally vulnerable web applications distributed by OWASP as a Virtual Machine (VM) image for VirtualBox, Hyper-V, VMware Workstation on Windows or VMware Fusion on Mac:

  1. Instantiate a server. Since Sep 2017 nested virtualization (VT-x) has been supported on GCE, according to Paul R. Nash, Group Product Manager, Google Compute Engine, so the VM can also run inside a cloud instance.

  2. Within a console on the server, download:

    curl -L -o OWASP_Broken_Web_Apps_VM_1.2.7z https://sourceforge.net/projects/owaspbwa/files/latest/download

    (-L follows SourceForge’s redirect to the mirror; without it curl saves only the redirect page under the name “download”.)

    The OWASP_Broken_Web_Apps_VM_1.2.7z file downloaded is 1.7 GB (big!) because it contains various apps in Ruby, PHP, WordPress, etc.

    It’s briefly described at https://owaspbwa.org, which resolves to https://code.google.com/archive/p/owaspbwa/

    Note it’s from 2015.

  3. Unpack the 7z file. Navigate into the folder.
  4. Double-click the file OWASP Broken Web Apps.vmx to open the image in VMware Workstation or Fusion. VirtualBox does not read .vmx files: there, create a new Linux VM and attach the .vmdk disk from the unpacked folder as its hard disk.

    See Install video (music only, no dialog) [5:49]

  5. Use it.

    Video showing version 1.1.1 [21:53] by Chuck Willis shows how to use BWA to demonstrate the occurrence of “Top 10” vulnerabilities described by OWASP. Mutillidae:



    https://www.youtube.com/watch?v=FOEFL8bbbCU [7:05]

    Beyond 1.0 from 2013 Chuck Willis (@chuckatsf) describes BWA origins

VAmPI (Python Flask)

https://github.com/erev0s/VAmPI (described on erev0s.com) is written in Python Flask as a deliberately vulnerable target for tools that detect the OWASP API Security Top 10 issues.

No one wants a switch that turns vulnerabilities on in production code, but low-code app generators such as OutSystems and Mendix can introduce them.

Nevertheless, VAmPI can be used for learning/teaching:

  1. Install Docker, Docker Compose, Postman, an Escape (escape.tech) account, etc.
  2. Fork, then git clone https://github.com/???/VAmPI
  3. git remote add upstream https://github.com/erev0s/VAmPI
  4. Start a single container: docker run -p 5000:5000 erev0s/vampi:latest

    Alternately, in another Terminal tab at the VAmPI root containing docker-compose.yaml: docker-compose up -d

    ✔ Container vampi-secure      Started
    ✔ Container vampi-vulnerable  Started

    The compose file starts two copies of the app on separate host ports, one with the `vulnerable` environment variable set to 1 and one set to 0, so a tool’s findings can be compared against a known-bad and a known-good target. That flag is the global switch that turns the vulnerabilities on or off during testing and confirmation.

  5. Generate OpenAPI (Swagger) specs for use by escape.tech to evaluate the running app’s security, such as this json. OutSystems generates that documentation automatically.
  6. Generate a Collection file for exploring within Postman.
  7. At https://app.escape.tech/, specify the app’s endpoint URL.
  8. Upload Escape’s https://gontoz.escape.tech/graphql
  9. https://vampi.tools.escape.tech/
  10. Run the user emulator to:

    • Create the database
    • Issue unauthenticated GET requests
    • Create an account
    • Login using token-based authentication (adjust the token lifetime from within app.py)
    • Add books
    • Retrieve books without secrets
    • Retrieve books with secrets
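The “retrieve books with secrets” step is where VAmPI’s BOLA lives, and the way to prove a BOLA finding rather than guess at it is a two-account differential test: user A stores a secret, user B (and an anonymous caller) try to read it, and the verdict depends only on whether A’s secret came back to B. The script below is an added example, not part of VAmPI or its documentation. The paths and JSON field names (users/v1/register, users/v1/login returning auth_token, books/v1 with book_title and secret) follow the VAmPI README; check them against your copy. The HTTP transport is injected so that FakeVampi, a constructed in-memory stand-in, lets the probe dry-run offline; the probe usernames, canary value and FakeVampi’s token format are this example’s own.

```python
"""Added example, not part of VAmPI or its documentation: a two-account
differential test for BOLA (API1) against the container started above. Paths
and field names follow the VAmPI README; FakeVampi is a constructed stand-in
so the probe can be exercised offline."""
import json
import urllib.error
import urllib.request

DEFAULT_BASE = "http://localhost:5000"        # port from the docker run above


def http_urllib(method, url, body=None, token=None):
    """Real transport: (status, parsed JSON or None). 4xx/5xx are returned, not raised."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Content-Type", "application/json")
    if token:
        req.add_header("Authorization", "Bearer " + token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            status, raw = resp.status, resp.read()
    except urllib.error.HTTPError as err:
        status, raw = err.code, err.read()
    try:
        return status, json.loads(raw) if raw else None
    except ValueError:
        return status, None


def login(http, base, username, password):
    """Register (ignored if the user already exists from an earlier run), then log in."""
    http("POST", base + "/users/v1/register",
         {"username": username, "password": password, "email": username + "@example.invalid"})
    status, body = http("POST", base + "/users/v1/login", {"username": username, "password": password})
    if status != 200 or not isinstance(body, dict) or "auth_token" not in body:
        raise RuntimeError("login failed for %s: %s %s" % (username, status, body))
    return body["auth_token"]


def probe_bola(http=http_urllib, base=DEFAULT_BASE):
    """User A stores a book with a canary secret; user B and an anonymous caller
    try to read it. The canary reaching B is the BOLA finding."""
    tok_a = login(http, base, "probe_a", "Probe-A-pass1")
    tok_b = login(http, base, "probe_b", "Probe-B-pass1")
    title, canary = "probe-a-private-book", "CANARY-9f2e"
    http("POST", base + "/books/v1", {"book_title": title, "secret": canary}, token=tok_a)
    owner_status, _ = http("GET", base + "/books/v1/" + title, token=tok_a)
    other_status, other_body = http("GET", base + "/books/v1/" + title, token=tok_b)
    anon_status, _ = http("GET", base + "/books/v1/" + title)
    leaked = canary in json.dumps(other_body) if other_body is not None else False
    return {"owner_status": owner_status, "other_status": other_status,
            "anon_status": anon_status, "secret_leaked_to_other_user": leaked,
            "verdict": "VULNERABLE: BOLA on /books/v1/{title}" if leaked else "not reproduced"}


class FakeVampi:
    """Constructed stand-in for the routes the probe touches; vulnerable=True
    mimics VAmPI's default behaviour (any valid token reads any book's secret)."""

    def __init__(self, vulnerable=True):
        self.vulnerable, self.users, self.books = vulnerable, {}, {}

    def __call__(self, method, url, body=None, token=None):
        path = url.split("://", 1)[-1].split("/", 1)[1]          # drop scheme and host
        user = token[len("tok-"):] if token and token.startswith("tok-") else None
        if (method, path) == ("POST", "users/v1/register"):
            self.users[body["username"]] = body["password"]
            return 200, {"status": "success"}
        if (method, path) == ("POST", "users/v1/login"):
            if self.users.get(body["username"]) == body["password"]:
                return 200, {"auth_token": "tok-" + body["username"], "status": "success"}
            return 401, {"status": "fail"}
        if (method, path) == ("POST", "books/v1") and user:
            self.books[body["book_title"]] = {"owner": user, **body}
            return 200, {"status": "success"}
        if method == "GET" and path.startswith("books/v1/") and user:
            book = self.books.get(path.split("/", 2)[2])
            if book is None:
                return 404, {"status": "fail"}
            if self.vulnerable or book["owner"] == user:
                return 200, {"book_title": book["book_title"], "secret": book["secret"]}
            return 401, {"status": "fail", "message": "not the owner"}
        return 401, {"status": "fail"}


if __name__ == "__main__":
    import sys
    print(probe_bola(base=sys.argv[1] if len(sys.argv) > 1 else DEFAULT_BASE))
```

Run it twice, once against the vampi-vulnerable port and once against vampi-secure, and the verdicts should differ; if both say “not reproduced”, the endpoint paths or field names have changed and the probe, not the target, needs adjusting. Using a canary value rather than comparing whole responses keeps the test robust to unrelated fields, and testing the anonymous path at the same time separates a missing authentication check (API2) from a missing authorization check (API1).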

Software Testing Guidelines

Guidance for planning and reporting of testing:


PTES (Penetration Testing Execution Standard), started in 2009, defines seven phases of a pen-test engagement:

  1. Pre-engagement Interactions
  2. Intelligence Gathering
  3. Threat Modeling
  4. Vulnerability Analysis
  5. Exploitation
  6. Post Exploitation
  7. Reporting

The PTES Technical Guidelines is an “oldie but goodie” from 2014, but still has good wisdom.


PDF form: STAR (Security Test Audit Report) is a standardized form from ISECOM to summarize the results of a security or penetration test, providing precise calculations of the Attack Surface, details of what was tested and how, and indemnification for the testing organization.

OSSTMM (Open Source Security Testing Methodology Manual) v3 (PDF) is published by ISECOM (Institute for Security and Open Methodologies). It was developed in an open community and subjected to peer and cross-disciplinary review. Its 17 modules:

  1. Posture review
  2. Logistics
  3. Active Detection Verification
  4. Visibility Audit
  5. Access Verification
  6. Trust Verification
  7. Controls Verification
  8. Process Verification
  9. Configuration and Training Verification
  10. Property Validation
  11. Segregation Review
  12. Exposure Verification
  13. Competitive Intelligence Scouting
  14. Quarantine Verification
  15. Privileges Audit
  16. Survivability Validation and Service Continuity
  17. End Survey, Alert, and Log Review

OSSTMM has five channels or operational areas:

  • Human Security: The security of human interaction and communication is evaluated operationally as a means of testing
  • Physical Security: The OSSTMM tests physical security, defined as any tangible element of security that takes physical effort to operate
  • Wireless Communications: Electronic communications, signals, and emanations are all considered wireless communications that are part of the operational security testing
  • Telecommunications: Whether the telecommunication network is digital or analog, any communication conducted over telephone or network lines is tested in the OSSTMM
  • Data Networks: The security testing of data networks includes electronic systems and data networks that are used for communication or interaction via cable and wired network lines

Security Testing Tools

DevSecOps is a practice of integrating security into the DevOps process.

Ethical Hacking tools

Many tools are used by Penetration Testers to attack systems and applications for the sake of finding vulnerabilities.

  • Kali Linux server

  • Metasploit

  • wazuh.com, an open-source XDR/SIEM for the defending side (VIDEO on Ubuntu: https://www.youtube.com/watch?v=O5QnGeaLGIs)

IAST (Interactive App Security Testing)

IAST (Interactive App Security Testing) instruments the running application with an agent that observes requests, code paths and data flows while functional tests exercise the app, and reports findings to a central server. Checkmarx is among the vendors offering it alongside SAST.

DAST (Dynamic Application Security Testing)

DAST aims to expose security weaknesses by watching application behavior while user actions are performed by automated scripts in a test environment, where various combinations of input actions are tried.

The main targets of a DAST system involve what offers a front door to attackers: HTTP and HTML – protocols that drive the World Wide Web.

Among DAST tools: web app penetration testing tools:

A. The Zed Attack Proxy (ZAP) is offered free, and is actively maintained by hundreds of international volunteers. Use it as an intercepting web proxy and to scan for security vulnerabilities in your web applications while you are developing and testing them.

B. WebInspect from OpenText (formerly Micro Focus, formerly HP).

C. Burp Suite from PortSwigger ($399/year for Professional at the time of writing) with extensions, running on Kali Linux with FoxyProxy on Firefox; extensions written in Python or Ruby need Jython or JRuby.

D. DirBuster, an OWASP project that brute-forces directory and file names on a web server.

E. VIDEO: ForAllSecure


SAST (Static App Security Testing) tools focus on scanning application source code for vulnerabilities in coding. Static Application Security Testing (SAST) vendors include:

  • Veracode
  • Perforce
  • http://www.castsoftware.com/
  • Checkmarx, which also offers IAST (Interactive App Security Testing): an agent running alongside the app that reports to a central server.

Security tests should also cover the efficacy of Runtime Application Self-Protection (RASP) built within apps, rather than relying completely on the infrastructure Web Application Firewall (WAF).

Install proxy server

There are several ways to obtain and instantiate a proxy server.


QUESTION: Who are SaaS vendors operating on public cloud?

From Docker Hub

For those working on public clouds:

  1. Bring up Docker
  2. In a Terminal,
  3. Use the Docker image provided by the OWASP organization at https://hub.docker.com/r/owasp/zap2docker-stable/

    docker pull owasp/zap2docker-stable

    docker images say it’s 1.33GB.

    Alternately, for use in CI environments:

    docker pull owasp/zap2docker-bare

    docker images say it’s 525 MB, which is a third of the stable edition.

    The images above were created based on code at: https://github.com/zaproxy/zaproxy/tree/develop/build/docker

    ZAP’s project leader is Simon Bennetts (@psilnon). His lecture on 2 Jun 2015 [59:59]: https://www.youtube.com/watch?v=_MmDWenz-6U

  4. Start ZAP with xvfb (X virtual frame buffer), which allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment. Firefox is also installed so it can be used with these add-ons.

    Alternately, start ZAP in headless (daemon) mode with the following command. Inside a container -host 0.0.0.0 is required so the API listens on all interfaces; the two api.addrs settings let the API accept connections from outside the container; and the api.key keeps port 8080 from being an open proxy and API for anyone who can reach it:

    docker run -u zap -p 8080:8080 -i owasp/zap2docker-bare zap.sh -daemon -host 0.0.0.0 -port 8080 -config api.addrs.addr.name=.* -config api.addrs.addr.regex=true -config api.key=change-me

    The owasp/zap2docker-* images have since been superseded by ghcr.io/zaproxy/zaproxy (tags stable, bare, weekly).

Blogs about this:

  • https://github.com/zaproxy/zaproxy/wiki/Docker

On private servers

  1. Download and unpack in one step (2.4.3 dates from 2015; substitute the current release number, pin it, and verify the archive against the release page before unpacking):

    wget -q -O - https://github.com/zaproxy/zaproxy/releases/download/2.4.3/ZAP_2.4.3_Linux.tar.gz | tar zxf - -C /opt

    CAUTION: Enterprise security should review this.

  2. Link the versioned folder to a stable path:

    ln -s /opt/ZAP_2.4.3 /opt/zap

  3. Since ZAP does not come with an init script, use this one for Debian:

    wget -q -O /etc/init.d/zap https://raw.githubusercontent.com/stelligent/zap/master/packer/roles/zap/files/zap-init.sh
    chmod 755 /etc/init.d/zap

Instantiate within Google Cloud

Browser Proxy Setup

In Chrome:

  1. Menu > settings
  2. Proxy

In Firefox:

  1. Manu > Options
  2. Advanced
  3. Network tab
  4. Connections > Settings
  5. Clear “No Proxy for:” box

In Internet Explorer:

  1. Tools
  2. Internet options
  3. Connections tab
  4. Lan settings
  5. Check proxy settings

  6. Use localhost (or 127.0.0.1) as the proxy host and 8080, ZAP’s default listening port, as the proxy port.

  7. Automate settings:

In Firefox:

  1. Menu > Add-ons (shift+command+A)
  2. Click “See more Add-ins”
  3. In the “Search for add-ons” search box, type “FoxyProxy”.
  4. Select “FoxyProxy Standard”.
  5. Click “+ Add to Firefox”.
  6. Click “Add” in the pop-up.
  7. Restart now.

Install Jenkins plugin


  • https://stelligent.com/2016/04/28/automating-penetration-testing-in-a-cicd-pipeline/
  • https://stelligent.com/2016/05/11/automating-penetration-testing-in-a-cicd-pipeline-part-2/

The plug-in is at:


  1. ZAP is written in Java, so a Java runtime is needed to run it.



The drop-down at the upper-left corner of the ZAP UI provides 4 modes:

  1. Safe mode: no potentially dangerous operations are permitted.
  2. Protected mode: potentially dangerous operations (active scan, fuzzing) are allowed only on URLs within the defined scope.
  3. Standard mode: no restrictions (the default).
  4. ATTACK mode: new nodes within scope are actively scanned as soon as they are discovered. Use only on sites you have permission to penetrate.

  5. Click Quick Start to, on the Information window, input the URL to scan, starting with https.

    The left pane Tree window provides the context history of URLs visited.

  6. Run ZAP using the ‘standard’ zap.sh script.

    There is also a zap-x.sh script which first starts xvfb (X virtual frame buffer) - this allows add-ons that use Selenium (like the Ajax Spider and DOM XSS scanner) to run in a headless environment.

ZAP scripts

The plugin:

  1. Manage Sessions (Load or Persist)
  2. Define Context (Name, Include URLs and Exclude URLs)
  3. Attack Contexts (Spider Scan, AJAX Spider, Active Scan)

You can also:

  1. Setup Authentication (Form Based or Script Based)
  2. Run as Pre-Build as part of a Selenium Build
  3. Generate Reports (.xhtml, .xml, .json)
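Everything the Jenkins plugin does (spider, active scan, report) is available over ZAP’s REST API, which is how to wire ZAP into a pipeline that has no plugin for it. The script below is an added example, not from the ZAP project, its Docker images or the Jenkins plugin: it drives a running daemon with only the Python standard library, then applies the CI gate the plugin’s attack-and-report steps imply, failing the build when any alert at or above a chosen risk level remains after accepted scan rules are filtered out. The spider, ascan and core endpoints, their parameter names and the alert fields are ZAP’s documented API; ZAP_URL, the API key, the target and SAMPLE_ALERTS are placeholders or constructed for the example. Start the daemon as in the Docker section, with -config api.key=<key>.

```python
"""Added example (not from the ZAP project, its Docker images or the Jenkins
plugin): drive a ZAP daemon over its REST API with the standard library, then
gate a CI build on the alerts. Endpoint and field names are ZAP's documented
API; the target, key and SAMPLE_ALERTS are constructed placeholders."""
import json
import os
import sys
import time
import urllib.parse
import urllib.request

ZAP = os.environ.get("ZAP_URL", "http://localhost:8080")
RISK_RANK = {"Informational": 0, "Low": 1, "Medium": 2, "High": 3}  # ZAP's risk names


def zap_json(component, kind, name, api_key, **params):
    """GET {ZAP}/JSON/<component>/<view|action>/<name>/?apikey=...&... -> dict"""
    params["apikey"] = api_key
    url = "%s/JSON/%s/%s/%s/?%s" % (ZAP, component, kind, name, urllib.parse.urlencode(params))
    with urllib.request.urlopen(url, timeout=60) as resp:
        return json.loads(resp.read())


def wait_until_done(component, api_key, scan_id, poll_seconds=2):
    """Both spider and ascan expose view/status, returning a percentage string."""
    while int(zap_json(component, "view", "status", api_key, scanId=scan_id)["status"]) < 100:
        time.sleep(poll_seconds)


def scan(target, api_key):
    """Spider, then active-scan, then return every alert recorded for the target."""
    sid = zap_json("spider", "action", "scan", api_key, url=target, recurse="true")["scan"]
    wait_until_done("spider", api_key, sid)
    sid = zap_json("ascan", "action", "scan", api_key, url=target, recurse="true")["scan"]
    wait_until_done("ascan", api_key, sid)
    return zap_json("core", "view", "alerts", api_key, baseurl=target, start=0, count=10000)["alerts"]


def save_html_report(path, api_key):
    url = "%s/OTHER/core/other/htmlreport/?%s" % (ZAP, urllib.parse.urlencode({"apikey": api_key}))
    with urllib.request.urlopen(url, timeout=60) as resp, open(path, "wb") as fh:
        fh.write(resp.read())


def gate(alerts, fail_at="Medium", accepted_plugin_ids=()):
    """Decide pass/fail. Distinct alert names are counted per risk level (ZAP
    reports one alert per URL/parameter, so raw counts inflate). Scan rules whose
    pluginId is in accepted_plugin_ids are risk-accepted and never block.
    Returns (passed, counts_by_risk, blocking_alert_names)."""
    accepted = {str(p) for p in accepted_plugin_ids}
    names_by_risk = {risk: set() for risk in RISK_RANK}
    blocking = set()
    for alert in alerts:
        if str(alert.get("pluginId")) in accepted:
            continue
        risk, name = alert["risk"], alert["alert"]
        names_by_risk[risk].add(name)
        if RISK_RANK[risk] >= RISK_RANK[fail_at]:
            blocking.add(name)
    return not blocking, {r: len(n) for r, n in names_by_risk.items()}, sorted(blocking)


# Constructed alerts in the shape core/view/alerts returns, trimmed to the
# fields gate() uses; not output from a real scan.
SAMPLE_ALERTS = [
    {"alert": "SQL Injection", "risk": "High", "pluginId": "40018", "url": "http://target/item?id=1"},
    {"alert": "SQL Injection", "risk": "High", "pluginId": "40018", "url": "http://target/search?q=a"},
    {"alert": "Absence of Anti-CSRF Tokens", "risk": "Medium", "pluginId": "10202", "url": "http://target/login"},
    {"alert": "X-Content-Type-Options Header Missing", "risk": "Low", "pluginId": "10021", "url": "http://target/"},
    {"alert": "Information Disclosure - Suspicious Comments", "risk": "Informational", "pluginId": "10027", "url": "http://target/app.js"},
]

if __name__ == "__main__":
    # Usage: ZAP_API_KEY=... python zap_gate.py https://target.example [Medium|High]
    target = sys.argv[1]
    fail_at = sys.argv[2] if len(sys.argv) > 2 else "Medium"
    key = os.environ["ZAP_API_KEY"]
    alerts = scan(target, key)
    save_html_report("zap-report.html", key)
    passed, counts, blocking = gate(alerts, fail_at)
    print(counts, "blocking:", blocking)
    sys.exit(0 if passed else 1)
```

The accepted-plugin list is the mechanism for not re-failing a build on a finding that was triaged and accepted; keeping it as an explicit list of ZAP scan-rule IDs in the pipeline config leaves an audit trail of what was waived, which a blanket “ignore Low” threshold does not.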



by TheDevOpsSchool Fundamental Tutorial for Beginners by Rajesh Kumar



Other DAST vendors


  1. Veracode (SAST, DAST and SCA delivered as SaaS) was sold by Broadcom to the private equity firm Thoma Bravo on Nov 5, 2018; Thoma Bravo has also funded Compuware, Dynatrace, SolarWinds and McAfee.

  2. WebInspect from OpenText (formerly Micro Focus, formerly HP, originally SPI Dynamics), part of the Fortify suite alongside Fortify Static Code Analyzer, the SAST product.

  3. Checkmarx.com, based in Israel, offers Codebashing, a developer education platform for secure coding training.

  4. Synopsys.com [Wikipedia] acquired Code Dx, Black Duck, Coverity, and Cigital (whose SecureAssist is a lightweight IDE plugin that points out common security vulnerabilities in real time).

  5. IBM AppScan (sold to HCL in 2019, now HCL AppScan)

  6. Parasoft

  7. Tenable (maker of Nessus) with its Tenable.io platform


Static code analysis tool vendors have begun using the SARIF (Static Analysis Results Interchange Format) to publish results of their assessment of programming and style errors, non-compliance with legal requirements, and security vulnerabilities. The JSON-based format standard was published by industry group OASIS to provide a common output format to make it feasible for developers and teams to view, understand, interact with, and manage the results produced by several vendors.

  1. The first version of the format was published in March 2020 as SARIF v2.1.0, a version number chosen to recognize Microsoft’s earlier, pre-standard versions. It is 220 pages as an htm web page. Source for the document in pdf, docx and htm is at:

  2. Tutorial:


  3. In Visual Studio Code, install the “Microsoft SARIF Viewer” from Microsoft Dev Labs.

  4. Clone the sample SARIF file from

  5. Load a sample SARIF file into the viewer within Microsoft Visual Studio Code. Examine details:

    • The location of the flaw and code paths leading to it
    • The rule violated
    • The severity of the violation (severe to minor, “error,” “warning”, “note”)
    • Suggestions for remedying the problem
    • When it’s ok to ignore the result

  6. Load sample SARIF files into the Microsoft SARIF Viewer.

    Cartey and Keaton, OASIS SARIF TC co-chairs, said that “The next major version of SARIF will expand our ability to aggregate data and detect vulnerabilities in some exciting new ways.”

  7. Clone a folder containing workflow and sample known-bad Terraform file.

  8. Generate SARIF using the tfsec GitHub Action from an almost blank repo. Save the workflow under .github/workflows/ in the repo (the flattened YAML on this page is reconstructed here with its on:, jobs:, steps: and with: keys restored):

    name: Run tfsec sarif report
    on:
      push:
        branches: [main, 'release/*']
    jobs:
      tfsec:
        name: tfsec sarif report
        runs-on: ubuntu-latest
        steps:
          - name: Clone repo
            uses: actions/checkout@main
          - name: Run sarif report
            uses: aquasecurity/tfsec-sarif-action@v0.1.0
            with:
              sarif_file: tfsec.sarif
          - name: Upload SARIF file
            uses: github/codeql-action/upload-sarif@v1
            with:
              # Path to SARIF file relative to the root of the repository:
              sarif_file: tfsec.sarif

    Commit the workflow on a new branch:

    git checkout -b add-workflow
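As an added example (not from this page, from tfsec, or from the SARIF viewer), a small Python parser that pulls out of a SARIF 2.1.0 file the same details the viewer shows (rule, level, file and line, help text, whether the result is suppressed) and gates a build on unsuppressed error-level results; the input is a constructed sample shaped like tfsec output, and its rule ids, messages and help text are assumptions.

```python
import json
from collections import Counter

# Constructed minimal SARIF 2.1.0 document (not real tfsec output), shaped like
# the tfsec.sarif the workflow above uploads: two results from one run.
SAMPLE_SARIF = json.dumps({"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "tfsec", "rules": [
        {"id": "aws-s3-enable-bucket-encryption",
         "help": {"text": "Add a server_side_encryption_configuration block."}},
        {"id": "aws-s3-enable-versioning",
         "help": {"text": "Add a versioning block with enabled = true."}}]}},
    "results": [
        {"ruleId": "aws-s3-enable-bucket-encryption", "level": "error",
         "message": {"text": "Bucket does not have encryption enabled"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                             "region": {"startLine": 12}}}]},
        {"ruleId": "aws-s3-enable-versioning", "level": "warning",
         "message": {"text": "Bucket does not have versioning enabled"},
         "locations": [{"physicalLocation": {"artifactLocation": {"uri": "main.tf"},
                                             "region": {"startLine": 12}}}],
         "suppressions": [{"kind": "inSource"}]}]}]})  # suppressed = accepted risk


def parse_sarif(text):
    """Flatten each SARIF result into the fields a triager looks at in the viewer."""
    doc = json.loads(text)
    findings = []
    for run in doc["runs"]:
        # Rule metadata (help text, descriptions) lives on the tool driver, not the result.
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for res in run.get("results", []):
            loc = res["locations"][0]["physicalLocation"]
            findings.append({
                "rule": res["ruleId"],
                "level": res.get("level", "warning"),  # SARIF's default when omitted
                "where": f'{loc["artifactLocation"]["uri"]}:{loc["region"]["startLine"]}',
                "message": res["message"]["text"],
                "fix": rules.get(res["ruleId"], {}).get("help", {}).get("text", ""),
                # A suppressions array marks a result someone decided is ok to ignore.
                "suppressed": bool(res.get("suppressions")),
            })
    return findings


def gate(findings, fail_on=("error",)):
    """Count unsuppressed findings per level; returns (may_proceed, counts)."""
    counts = Counter(f["level"] for f in findings if not f["suppressed"])
    return all(counts[lvl] == 0 for lvl in fail_on), counts
```

Point parse_sarif at the tfsec.sarif the workflow produces to get the same triage view without the IDE, and use gate's result as the exit status of a CI step.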


VIDEO: Overview of the 2021 OWASP Top 10 by John Wagnon while he was at F5.

STAR: Daniel Miessler’s https://danielmiessler.com/projects/webappsec_testing_resources

Getting Started with OWASP Zed Attack Proxy (ZAP) for Web Application Penetration Testing 1h 40m video course 16 Feb 2017 by Mike Woolard

STAR: https://python-security.readthedocs.io/security.html


More on Security

This is one of a series on Security in DevSecOps:

  1. Security actions for teamwork and SLSA
  2. DevSecOps

  3. Code Signing on macOS
  4. Transport Layer Security

  5. Git Signing
  6. GitHub Data Security
  7. Encrypt all the things

  8. Azure Security-focus Cloud Onramp
  9. Azure Networking

  10. AWS Onboarding
  11. AWS Security (certification exam)
  12. AWS IAM (Identity and Access Management)
  13. AWS Networking

  14. SIEM (Security Information and Event Management)
  15. Intrusion Detection Systems (Google/Palo Alto)
  16. Chaos Engineering

  17. SOC2
  18. FedRAMP
  19. CAIQ (Consensus Assessment Initiative Questionnaire) by cloud vendors

  20. AKeyless cloud vault
  21. Hashicorp Vault
  22. Hashicorp Terraform
  23. OPA (Open Policy Agent)

  24. SonarQube
  25. WebGoat known insecure PHP app and vulnerability scanners
  26. Test for OWASP using ZAP on the Broken Web App

  27. Security certifications
  28. Details about Cyber Security

  29. Quantum Supremacy can break encryption in minutes
  30. Pen Testing
  31. Kali Linux

  32. Threat Modeling
  33. WebGoat (deliberately insecure Java app)

More on DevOps

This is one of a series on DevOps:

  1. DevOps_2.0
  2. ci-cd (Continuous Integration and Continuous Delivery)
  3. User Stories for DevOps
  4. Enterprise Software

  5. Git and GitHub vs File Archival
  6. Git Commands and Statuses
  7. Git Commit, Tag, Push
  8. Git Utilities
  9. Data Security GitHub
  10. GitHub API
  11. TFS vs. GitHub

  12. Choices for DevOps Technologies
  13. Pulumi Infrastructure as Code (IaC)
  14. Java DevOps Workflow
  15. Okta for SSO & MFA

  16. AWS DevOps (CodeCommit, CodePipeline, CodeDeploy)
  17. AWS server deployment options
  18. AWS Load Balancers

  19. Cloud services comparisons (across vendors)
  20. Cloud regions (across vendors)
  21. AWS Virtual Private Cloud

  22. Azure Cloud Onramp (Subscriptions, Portal GUI, CLI)
  23. Azure Certifications
  24. Azure Cloud

  25. Azure Cloud Powershell
  26. Bash Windows using Microsoft’s WSL (Windows Subsystem for Linux)
  27. Azure KSQL (Kusto Query Language) for Azure Monitor, etc.

  28. Azure Networking
  29. Azure Storage
  30. Azure Compute
  31. Azure Monitoring

  32. Digital Ocean
  33. Cloud Foundry

  34. Packer automation to build Vagrant images
  35. Terraform multi-cloud provisioning automation
  36. Hashicorp Vault and Consul to generate and hold secrets

  37. Powershell Ecosystem
  38. Powershell on MacOS
  39. Powershell Desired System Configuration

  40. Jenkins Server Setup
  41. Jenkins Plug-ins
  42. Jenkins Freestyle jobs
  43. Jenkins2 Pipeline jobs using Groovy code in Jenkinsfile

  44. Docker (Glossary, Ecosystem, Certification)
  45. Make Makefile for Docker
  46. Docker Setup and run Bash shell script
  47. Bash coding
  48. Docker Setup
  49. Dockerize apps
  50. Docker Registry

  51. Maven on MacOSX

  52. Ansible
  53. Kubernetes Operators
  54. OPA (Open Policy Agent) in Rego language

  55. MySQL Setup

  56. Threat Modeling
  57. SonarQube & SonarSource static code scan

  58. API Management Microsoft
  59. API Management Amazon

  60. Scenarios for load
  61. Chaos Engineering