Have you tried scanning hundreds of web applications in a single day?
In this talk I will explain how we use OWASP ZAP to scan web applications at scale, the challenges we ran into and the solutions we implemented.
The talk will cover the following challenges:
- Queueing and organizing URLs for scanning
- Authentication and session renewal
- Slow web applications and blockages
- Duplicate vulnerabilities
- Resource management (CPU / RAM / disk)
- Scan monitoring
All the work was done on top of OWASP ZAP, with various changes submitted upstream to the project. ZAP was used for scanning, with the crawling done by a third-party component.
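When one scanner run covers hundreds of applications, the same finding comes back once per session token, per record ID and per payload variant. The following is an added example (not the speaker's code and not part of ZAP itself) of one way to collapse such duplicates: alerts are keyed on the ZAP plugin ID, HTTP method, a normalised URL (lower-cased host, numeric path segments replaced by a placeholder, query values dropped and parameter names sorted) and the affected parameter. It assumes alert records shaped like the JSON objects ZAP's alert view API returns (`pluginId`, `method`, `url`, `param`); the sample alerts are constructed for the example.

```python
"""Collapse duplicate ZAP alerts gathered across many scan targets.

Added example; not the talk's code. Alert dicts are assumed to carry the
fields ZAP's /JSON/alert/view/alerts/ endpoint returns (pluginId, alert,
risk, method, url, param). SAMPLE_ALERTS below is constructed test data.
"""
import re
from urllib.parse import parse_qsl, urlsplit, urlunsplit

# Constructed sample: the same reflected-XSS finding reported with two
# payloads, the same finding on two user IDs, plus two genuinely distinct alerts.
SAMPLE_ALERTS = [
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "method": "GET", "url": "https://app.example.com/search?q=%3Cscript%3E", "param": "q"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "method": "GET", "url": "https://App.example.com/search?q=%22%3E%3Csvg", "param": "q"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "method": "GET", "url": "https://app.example.com/user/17/profile?tab=1", "param": "tab"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "method": "GET", "url": "https://app.example.com/user/18/profile?tab=2", "param": "tab"},
    {"pluginId": "40018", "alert": "SQL Injection", "risk": "High",
     "method": "GET", "url": "https://app.example.com/search?q=1%27", "param": "q"},
    {"pluginId": "40012", "alert": "Cross Site Scripting (Reflected)", "risk": "High",
     "method": "GET", "url": "https://app.example.com/search?lang=x", "param": "lang"},
]

_NUMERIC_SEGMENT = re.compile(r"/\d+(?=/|$)")


def normalize_url(url):
    """Reduce a URL to the shape that identifies an injection point.

    Lower-cases the host, replaces purely numeric path segments with {id},
    keeps query parameter *names* (sorted) but discards their values, and
    drops the fragment. Attack payloads therefore never affect the key.
    """
    parts = urlsplit(url)
    path = _NUMERIC_SEGMENT.sub("/{id}", parts.path)
    names = sorted({k for k, _ in parse_qsl(parts.query, keep_blank_values=True)})
    return urlunsplit((parts.scheme, parts.netloc.lower(), path, "&".join(names), ""))


def dedup_key(alert):
    """Key on scan rule, method, normalised URL and parameter."""
    return (
        str(alert["pluginId"]),
        alert.get("method", "GET").upper(),
        normalize_url(alert["url"]),
        alert.get("param", ""),
    )


def dedup_alerts(alerts):
    """Return one alert per key, annotated with how many raw alerts it absorbed.

    The first raw alert seen for a key is kept (with its original URL and
    evidence); later ones only bump the occurrence counter.
    """
    unique = {}
    for alert in alerts:
        key = dedup_key(alert)
        if key in unique:
            unique[key]["occurrences"] += 1
        else:
            unique[key] = dict(alert, occurrences=1)
    return list(unique.values())


if __name__ == "__main__":
    for item in dedup_alerts(SAMPLE_ALERTS):
        print(item["pluginId"], item["param"], normalize_url(item["url"]), "x", item["occurrences"])
```

The numeric-segment placeholder is deliberately conservative: it collapses `/user/17` and `/user/18` but leaves slugs and UUID-like segments alone, so two different endpoints are never merged. Dedup is applied after the scan, per scan run, so the occurrence count also doubles as a cheap signal of how noisy a given rule is on a given application.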