
OWASP ZAP (Zed Attack Proxy) is an open-source web application security scanner. It is intended to be used by both those new to application security as well as professional penetration testers. It is one of the most active Open Web Application Security Project projects, and is maintained by a team of international volunteers.

To import your data from ZAP to the AppSec module, you will need to leverage the ZAP Connector under the Dynamic Assessment tools on the Connectors Page. The ZAP Connector is an XML connector at this time. To learn about XML vs API connectors, click here. The Connector is a full run connector and does not support incremental runs (non-API Connector).

Given that the Connector is an XML connector the Virtual Tunnel or Kenna Agent is NOT required. The user account you are leveraging must have access to the reports you would like to export.

To set up the Connector, navigate to the Connectors tab in your Kenna deployment (you must be a Kenna Administrator to do so). On the Connectors page, select the ZAP connector. Once you select the ZAP Connector the following screen will appear:

Name: Enter a name for the connector, or leave it as "Zed Attack Proxy".

Asset Inactivity Limit (days): Use this if you wish to set an inactivity limit for assets ingested by this connector. Connector-level asset inactivity limits take precedence over the global inactivity limit. If you do not set an Asset Inactivity Limit, the Global Limit will apply to data ingested by this connector. We recommend an asset inactivity limit of 2-3x the scan cadence of your ZAP Scans if you plan to upload regularly.

When ZAP runs, it can see other sites even if they are out of scope. Therefore, the first link to is included in the ZAP data therefore it comes over to Kenna. Example: You scan and it has a reference link to a Google API. The returned data from those sites are included in the exported data. To workaround this item, you will want to remove/delete sites that are not in scope.

The export format should be XML, but ZAP does not add the XML extension by default in certain cases, and thus you will need to manually add the XML extension information and save before loading the data to Kenna. If you attempt to load the source file without the xml extension, we will reject the file for improper format.

After following the pre-requisite of enabling the connector listed above, go back into ZAP.

Steps to export data from ZAP and load data to Kenna

Delete sites that are out of scope from the Sites Window.

Run scans in accordance with your established scanning process.

Take the file and Add the XML extension if not already present.

Load the file to the Kenna Connector via Drag and Drop, or search for and upload.

What ZAP Items does Kenna Import?

ZAP Field

Search for Application identifier in Kenna by using the custom query box and typing application:"*"

Note: Hostname can be reported in the form of an IP Address from ZAP. Thus, you can search for ip via the hostname:"*" search in Explore.

We combine the plugin ID information with the reported Port information for the Scanner ID.

We do not map False Positives or Triage States. Open vulnerabilities are reported in application scan reports. Closed vulns are no longer present in these reports and Kenna will auto-close the vulnerability.

Kenna maps scores from our Scoring Database.

These items are turned into Tags in Kenna.

The following settings can be enabled on the backend for ZAP Connectors. To have these settings enabled, or for more information, please contact Support, or your Customer Success Engineer.

When this option is enabled, Kenna will not import vulnerabilities that do not include a CVE, CWE, or WASC ID.

This setting will prevent the creation of tags within Kenna based on the connector metadata.
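A pre-upload check for the export steps and for the CWE/WASC import setting described on this page, as an added example that is not Kenna or ZAP code. It assumes the export follows the layout of ZAP's traditional XML report (`site`, `alertitem`, `pluginid`, `cweid`, `wascid`) with `-1` or `0` standing for a missing ID; the function names, the scope list and the sample report are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePath

# Constructed sample in the assumed layout of a ZAP XML report (not real scan data).
SAMPLE = """<OWASPZAPReport version="0" generated="constructed">
  <site name="https://app.example.test" host="app.example.test" port="443" ssl="true"><alerts>
    <alertitem><pluginid>10020</pluginid><cweid>1021</cweid><wascid>15</wascid></alertitem>
    <alertitem><pluginid>90001</pluginid><cweid>-1</cweid><wascid>0</wascid></alertitem>
  </alerts></site>
  <site name="https://apis.example.net" host="apis.example.net" port="443" ssl="true"><alerts>
    <alertitem><pluginid>10038</pluginid><cweid>693</cweid><wascid>15</wascid></alertitem>
  </alerts></site>
</OWASPZAPReport>"""


def has_id(item, tag):
    """True when the element holds a positive numeric ID (assumed: -1 or 0 means none)."""
    text = (item.findtext(tag) or "").strip()
    return text.isdigit() and int(text) > 0


def review_report(xml_text, in_scope_hosts):
    """Return (sites outside the scope list, alerts with neither a CWE nor a WASC ID)."""
    root = ET.fromstring(xml_text)
    scope = {h.lower() for h in in_scope_hosts}
    out_of_scope, no_ids = [], []
    for site in root.iter("site"):
        host = site.get("host", "").lower()
        if host not in scope:
            out_of_scope.append(site.get("name", host))
        for item in site.iter("alertitem"):
            if not (has_id(item, "cweid") or has_id(item, "wascid")):
                # Host, port and plugin ID identify the finding (plugin ID + port = Scanner ID).
                no_ids.append((host, site.get("port"), item.findtext("pluginid")))
    return out_of_scope, no_ids


def upload_name(filename):
    """Append .xml when the export was saved without it, since other names are rejected."""
    return filename if PurePath(filename).suffix.lower() == ".xml" else filename + ".xml"


if __name__ == "__main__":
    print(review_report(SAMPLE, ["app.example.test"]))
    print(upload_name("zap-export"))
```

Sites listed in the first result are the ones to delete from the Sites window before exporting; alerts in the second result would not be imported if the CVE/CWE/WASC setting is enabled.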
