OWASP ZAP (Zed Attack Proxy) is an open-source Dynamic Application Security Testing (DAST) tool. It acts as an automated penetration tester — it crawls the application, sends malformed and adversarial requests, and reports security vulnerabilities it finds at runtime.
This section documents the security hardening and quality assurance practices introduced in Story 018 — QA Security Hardening & Launch. It covers every layer of the RCB platform: HTTP security headers, automated vulnerability scanning, load testing, end-to-end browser testing, and the operational runbook for migrating the database from MySQL to PostgreSQL.
The RCB platform runs a comprehensive security scan every Saturday at 02:00 UTC. This automated workflow catches newly disclosed CVEs in dependencies, verifies security headers are present, and runs a DAST scan against the staging environment.