Verifying that the correct controls are in place across all of our applications can be challenging, especially in a CI\/CD environment. We run full vulnerability scans against our services on a regular basis, but these can take a long time to run and are not really adapted to fast release cycles.<\/p>\n
This is why we have introduced a ‘baseline’ scan which runs very quickly and on every release of a service, but still gives us crucial feedback about the key security controls that we are concerned about. The baseline scans are included in the CI\/CD pipelines of Firefox services to inform developers of potential issues before they reach production environments. We also run it against all of those services every day to generate a dashboard of the overall security status of our services.<\/p>\n
This blog post presents the techniques we use to implement baseline scans in our infrastructure.<\/p>\n
The ZAP Baseline Scan<\/h4>\n
Mozilla invests heavily in the development and support of security tools. The author of this blog post leads the OWASP Zed Attack Proxy<\/a> (ZAP) project,\u00a0 which we use to run baseline and vulnerability scans.<\/p>\n The ZAP baseline scan<\/a> is a quick, easy and highly configurable way to test the security controls you care about. The tests are non intrusive so they are safe to run against production applications. For our baseline scans we use the weekly docker image which has more options available – you can run the script with the -h flag to see all of them.<\/p>\n The script zap-baseline.py uses the ZAP spider to explore the application, by default for just one minute. Spidering the application is important to verify that all pages, and not only the top one, implement the required security controls. This is particularly useful when web frameworks will handle some of the pages automatically without setting the headers. The baseline scan can be run against an application by just specifying its URL using the -t flag:<\/p>\n docker run owasp\/zap2docker-weekly zap-baseline.py -t https:\/\/www.example.com<\/p>\n By default the output lists all of the passive scan rules applied and whether they passed or failed.<\/p>\n You can change how the baseline handles different errors by specifying a rule configuration file via either the -c flag (for a local file) or the -u flag for a remote URL. The script will exit with a 0 if there are no issues, 1 if there are any failures or 2 if there are just warnings. The return value can therefore be used in CI tools like Jenkins, CircleCI, TravisCI, etc. to fail a build step.<\/p>\n For example, the configuration below shows how the baseline scan can run in CircleCI with every pull request:<\/p>\n The baseline scan is a great way to check that a single site meets your base security requirements.<\/p>\n In order to run the ZAP Baseline scan against a large number of websites, we have written a set of wrapper scripts specific to Mozilla. You can find\u00a0 generic versions of these scripts in the ZAP community-scripts repository<\/a>.<\/p>\n You will need to customize these scripts as detailed in the README<\/a>:<\/p>\n These scripts will then generate a summary dashboard in your repo wiki:<\/p>\n The baseline scan is highly configurable and allows you to fine tune the scanning to handle your applications more effectively.
\nYou don\u2019t need to have ZAP installed – the zap-baseline.py script uses Docker and is included in the 2 ZAP Docker images:<\/p>\n\n
\nThe script will then report all of the potential issues found.<\/p>\nThis will produce output like: \r\n\r\nTotal of 3 URLs\r\nPASS: Cookie No HttpOnly Flag [10010]\r\nPASS: Cookie Without Secure Flag [10011]\r\nPASS: Password Autocomplete in Browser [10012]\r\nPASS: Cross-Domain JavaScript Source File Inclusion [10017]\r\nPASS: Content-Type Header Missing [10019]\r\nPASS: Information Disclosure - Debug Error Messages [10023]\r\nPASS: Information Disclosure - Sensitive Informations in URL [10024]\r\nPASS: Information Disclosure - Sensitive Information in HTTP Referrer Header [10025]\r\nPASS: HTTP Parameter Override [10026]\r\nPASS: Information Disclosure - Suspicious Comments [10027]\r\nPASS: Viewstate Scanner [10032]\r\nPASS: Secure Pages Include Mixed Content [10040]\r\nPASS: Weak Authentication Method [10105]\r\nPASS: Absence of Anti-CSRF Tokens [10202]\r\nPASS: Private IP Disclosure [2]\r\nPASS: Session ID in URL Rewrite [3]\r\nPASS: Script Passive Scan Rules [50001]\r\nPASS: Insecure JSF ViewState [90001]\r\nPASS: Charset Mismatch [90011]\r\nPASS: Application Error Disclosure [90022]\r\nPASS: WSDL File Passive Scanner [90030]\r\nPASS: Loosely Scoped Cookie [90033]\r\nWARN: Incomplete or No Cache-control and Pragma HTTP Header Set [10015] x 1\r\n\u00a0\u00a0\u00a0 https:\/\/www.example.com\r\nWARN: Web Browser XSS Protection Not Enabled [10016] x 3\r\n\u00a0\u00a0\u00a0 https:\/\/www.example.com\r\n\u00a0\u00a0\u00a0 https:\/\/www.example.com\/robots.txt\r\n\u00a0\u00a0\u00a0 https:\/\/www.example.com\/sitemap.xml\r\nWARN: X-Frame-Options Header Not Set [10020] x 1\r\n\u00a0\u00a0\u00a0 https:\/\/www.example.com\r\nWARN: X-Content-Type-Options Header Missing [10021] x 1\r\n\u00a0\u00a0\u00a0 https:\/\/www.example.com\r\nFAIL-NEW: 0\u00a0\u00a0 \u00a0FAIL-INPROG: 0\u00a0\u00a0 \u00a0WARN-NEW: 4\u00a0\u00a0 \u00a0WARN-INPROG: 0\u00a0\u00a0 \u00a0INFO: 0\u00a0\u00a0 \u00a0IGNORE: 0\u00a0\u00a0 \u00a0PASS: 22<\/pre>\n
\nYou can also generate a default file using the \u2018g\u2019 option: https:\/\/github.com\/zaproxy\/community-scripts\/blob\/master\/api\/mass-baseline\/mass-baseline-default.conf<\/a>
\nAs specified in the generated file header you can change any of the \u201cWARN\u201ds to \u201cIGNORE\u201d or \u201cFAIL\u201d.<\/p>\ntest:\r\n\u00a0 override:\r\n\u00a0\u00a0\u00a0 # build and run an application container\r\n\u00a0\u00a0\u00a0 - docker build -t myrepo\/myapp\r\n\u00a0\u00a0\u00a0 - docker run myrepo\/myapp &\r\n\u00a0\u00a0\u00a0 # retrieve the ZAP container\r\n\u00a0\u00a0\u00a0 - docker pull owasp\/zap2docker-weekly\r\n\u00a0\u00a0\u00a0 # run the baseline scan against the application\r\n\u00a0\u00a0\u00a0 - |\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 docker run -t owasp\/zap2docker-weekly zap-baseline.py \\\r\n\u00a0\u00a0\u00a0\u00a0\u00a0 -t http:\/\/172.17.0.2:8080\/ -m 3 -i<\/pre>\n
Scanning Multiple Sites<\/h4>\n
\n
![\"Baseline-summary\"](\"https:\/\/blog.mozilla.org\/security\/files\/2017\/01\/Baseline-summary.png\")
<\/a>
\nThe \u2018Status\u2019 badge is a link to a page containing the latest baseline results for the relevant application and the \u2018History\u2019 date links to a page which show all of the previous scans.
\nExample pages are included on the community scripts wiki: https:\/\/github.com\/zaproxy\/community-scripts\/wiki\/Baseline-Summary<\/a><\/p>\nTuning<\/h4>\n
\nYou can do things like:<\/p>\n\n