Hackers of India

ZaaS: [OWASP] ZAP As A Service - Continuous Security For 20K+ APIs

By Rohit Sehgal and Varun Kakumani on 08 Sep 2022 @ Nullcon

This Tool Demo covers the following tools, which the speakers have contributed to or authored:
ZAAS

Abstract

API and Website application security scanning at scale using OWASP ZAP and a service to manage the ZAP.

OWASP ZAP is a great open source tool for scanning your website or API requests for different types of vulnerabilities. ZAP also provides several ways to customize your scan, such as scan policies, custom add-ons, community add-ons, and many more. You can find ZAP's open-source repository on GitHub. ZaaS is built on the APIs provided by ZAP.

While ZAP is an awesome tool for scanning a specific request or API, using it in an enterprise where you need to scan thousands of websites or APIs is a hectic task, and it is impossible to scale by running a single ZAP instance. Hence the idea of ZaaS, where ZAP runs as several instances on a Kubernetes cluster, with as many pods as you like, so you can scale ZAP to your company's needs.