In Chapter 8, Infrastructure Security, we introduced the uses of Gauntlt, the BDD security framework. Here we will introduce another BDD automation testing framework, Robot Framework. The reason that we also introduce Robot Framework is that it's widely used in automation testing and also supports various kinds of testing frameworks, such as Selenium for web UI testing, and Requests for REST API testing. Its flexibility and simple keyword-driven script make Robot Framework a good fit for security testing automation. Robot Framework is a generic automation framework for acceptance testing and ATDD. We will use Robot Framework to manage the execution steps of ZAP. The typical web security scanning steps with ZAP are listed here:
- Start a headless ZAP
- Create a new ZAP session
- Perform a spider scan
- Perform an active scan
- Review the scanning results and ZAP alerts
In the following steps, we will demonstrate one simple ZAP spider scan to understand how Robot Framework can be used to do security testing with OWASP ZAP.