IMPLEMENTASI OWASP ZAP UNTUK PENETRATION TESTING PADA WEBSITE PEMERINTAH KOTA MALANG

This research evaluates the security of Malang City Government website (https://malangkota.go.id/) through penetration testing using OWASP ZAP with PTES framework. The methodology covers seven systematic stages from intelligence gathering to reporting. Scanning results identified six security alerts, with three confirmed as true positives after manual validation.
Findings show OWASP ZAP achieved 50% accuracy on Cloudflare WAF-protected website. Identified vulnerabilities were predominantly in Security Misconfiguration category (OWASP Top 10 A05:2021), mainly absence of Content Security Policy Header and insecure cookie configuration. Analysis revealed limitations of automated scanning against WAF-protected websites, making manual validation a critical component.
Based on the findings, the study formulates mitigation recommendations based on NIST SP 800-115 and ISO/IEC 27001, including security headers implementation, security configuration optimization, and security monitoring enhancement. These recommendations are expected to improve the website's security maturity level toward Managed and Measurable.