Currently, we have monthly releases. This month I have manually explored the application using OWASP ZAP and saved the session. In the next release, i.e. next month, can I use the same session to test the new release?
2 Answers
In theory yes, but why do you want to do that?
If it's so that you don't need to explore the app again, then be aware that if you don't do that you will probably miss new or changed content and therefore potentially new vulnerabilities. To see all of the app you should really explore it from scratch every time.

What if there are no new changes related to my scan scenario? In this case, what is the need to scan the entire application once more? One more question: if any URL is marked as a false positive in an alert, will that stay only for that particular session, or will ZAP save this globally so that we can use it for new sessions? Please suggest – Vineel Pellella Mar 18 '20 at 06:11
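The first answer's concern is that a reused session silently leaves new or changed content unscanned. An added illustration (not from the original post or from ZAP's own code): compare last month's explored site tree with a fresh explore of the new release, reduced to the identity ZAP's sites tree uses (method, path and parameter names, values ignored), to list the nodes the old session would never have scanned. The URL lists below are constructed samples; in practice they would be exported from the saved session or pulled through the ZAP API.

```python
"""Find content a reused ZAP session would miss between two releases.

Constructed example. The (method, url) lists stand in for what the ZAP
sites tree held after exploring each release; they are made up.
"""
from urllib.parse import urlsplit, parse_qsl


def zap_node(method: str, url: str) -> str:
    """Reduce a request to roughly the identity ZAP's sites tree uses:
    method, path and the *names* of the parameters. Values are ignored,
    so /items?id=1 and /items?id=2 collapse to one node, as in the tree."""
    parts = urlsplit(url)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    path = parts.path or "/"
    return f"{method.upper()}:{path}({','.join(names)})"


def diff_explorations(old, new):
    """Return (added, removed): nodes only in the new release's explore,
    and nodes from the old session that no longer exist."""
    old_nodes = {zap_node(m, u) for m, u in old}
    new_nodes = {zap_node(m, u) for m, u in new}
    return sorted(new_nodes - old_nodes), sorted(old_nodes - new_nodes)


# Constructed sample: last month's saved session vs. a fresh explore now.
LAST_MONTH = [
    ("GET", "https://app.example/login"),
    ("POST", "https://app.example/login?user=a&pass=b"),
    ("GET", "https://app.example/items?id=1"),
    ("GET", "https://app.example/items?id=2"),
]
THIS_MONTH = [
    ("GET", "https://app.example/login"),
    ("POST", "https://app.example/login?user=a&pass=b&otp=123456"),  # enhancement
    ("GET", "https://app.example/items?id=7"),                        # same node
    ("GET", "https://app.example/export?format=csv"),                 # new feature
]

if __name__ == "__main__":
    added, removed = diff_explorations(LAST_MONTH, THIS_MONTH)
    print("Nodes the old session would never scan:", added)
    print("Nodes that no longer exist in the new release:", removed)
```

A non-empty `added` list is the concrete signal that reusing the old session is not enough and the new release needs its own explore.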
Keeping it short and simple, from a functional perspective there is no harm in using the previously saved OWASP ZAP session for the new release.
Why shouldn't you use the previously saved ZAP session
A new software release will essentially contain either/all of the following:
- New Features
- Feature Enhancements
- Bug Fixes
In due course of the above mentioned aspects, the functional and non-functional requirements of the product might have changed as well in terms of:
- Technical Details
- Data Manipulation
- Processing
These changes may address the previously discovered security risks and vulnerabilities of the system and its data as well as add new security risks and vulnerabilities too.
Conclusion
So, for the above mentioned reasons, it is always advisable to initiate the software security-testing activity from a clean test environment, i.e. using a new ZAP session.
