Third 50 Hours
During my third phase of internship hours, I made the most meaningful progress I have achieved so far. I transitioned away from the older, packaged OWASP ZAP scans and fully adopted the newer ZAP Automation Framework. This framework allowed me to configure more advanced workflows and gave me better control over how scans were executed and reported. I completed the automation so that every time a merge request is opened and a commit is pushed, a ZAP scan automatically runs. In addition to running the scan, I built a system that automatically generates a GitLab comment on the merge request activity thread. This comment summarizes the findings from the latest scan and categorizes them by severity, including high, medium, low, and informational alerts. Finishing this end-to-end automation felt like a major turning point in my technical confidence.
One of the biggest improvements during this period was how focused and efficient my process became. Earlier in the internship, I was running scans manually because I didn’t fully understand automation. Over time, I watched tutorials and studied Python automation more seriously, which allowed me to write a script that posts scan findings directly into the merge request discussion. This helped me understand how security tools can be integrated into developer workflows instead of being treated as separate, manual steps. I also worked with different report formats and templates, although I eventually chose to stay with the standard HTML format. Some alternative templates required external CSS files that were not properly embedded, and since formatting was not critical to the core functionality, I prioritized the automated commenting system instead.
I did face several technical challenges. When building the automation script, my comments initially failed to post because I had not configured the GitLab API authentication token correctly. Once I corrected that, I ran into syntax and formatting issues within the script, which required careful debugging. These problems taught me the importance of authentication setup, clean scripting practices, and understanding API permissions. Rather than becoming stuck, I learned how to troubleshoot issues more systematically and improve the stability of my code.
Communication improved significantly during this phase. I interacted more frequently with my supervisor and gave a live demonstration of my completed ZAP automation. He was very pleased with the functionality and provided constructive feedback, including recommending that the informational severity be removed from the summary since it adds noise rather than value for quick reviews. That feedback helped me think more critically about how security results should be presented to developers. While I did not create formal documentation or help other team members directly, I felt much more engaged and confident when explaining my work.
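The pipeline described in the preceding paragraphs (ZAP scan on each merge request, findings summarized by severity, summary posted as a GitLab comment, informational alerts dropped per the supervisor's feedback) can be sketched as follows. This is an added example, not the author's script: it assumes the report follows the layout of ZAP's JSON report template (`site[].alerts[]` with a string `riskcode` of 0-3) and that the comment goes to GitLab's merge-request notes endpoint with a `PRIVATE-TOKEN` header. The sample report is constructed for the example, and `GITLAB_COMMENT_TOKEN` is an assumed name for the masked CI variable.

```python
"""Summarize an OWASP ZAP JSON report by severity and build a GitLab MR comment.

Added example, not the author's code. Assumes the ZAP JSON report layout
(site[].alerts[] with 'riskcode' 0-3) and GitLab's merge-request notes API.
"""
import json
import os
import urllib.parse
import urllib.request
from collections import Counter

# ZAP riskcode values: 3 = High, 2 = Medium, 1 = Low, 0 = Informational.
RISK_NAMES = {3: "High", 2: "Medium", 1: "Low", 0: "Informational"}

# Constructed sample report, shaped like ZAP's JSON report output (not real scan data).
SAMPLE_REPORT = json.dumps({
    "@version": "2.15.0",
    "site": [{
        "@name": "http://app.example.internal",
        "alerts": [
            {"name": "Missing Anti-clickjacking Header", "riskcode": "2",
             "instances": [{"uri": "http://app.example.internal/"}]},
            {"name": "X-Content-Type-Options Header Missing", "riskcode": "1",
             "instances": [{"uri": "http://app.example.internal/login"}]},
            {"name": "SQL Injection", "riskcode": "3",
             "instances": [{"uri": "http://app.example.internal/search?q=1"}]},
            {"name": "Information Disclosure - Suspicious Comments", "riskcode": "0",
             "instances": [{"uri": "http://app.example.internal/app.js"}]},
        ],
    }],
})


def summarize(report_text, include_informational=False):
    """Count alerts per severity across all sites in a ZAP JSON report.

    Informational alerts are dropped by default (they add noise to a quick
    review); pass include_informational=True to keep them.
    """
    report = json.loads(report_text)
    counts = Counter()
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk == 0 and not include_informational:
                continue
            counts[RISK_NAMES.get(risk, "Unknown")] += 1
    # Fixed severity order so the comment always reads High -> Low.
    return {name: counts[name] for name in RISK_NAMES.values() if counts[name]}


def build_comment(summary, report_text, pipeline_url=None):
    """Render the summary as Markdown for the merge-request discussion thread."""
    lines = ["### OWASP ZAP scan summary", "", "| Severity | Alerts |", "|---|---|"]
    for name, count in summary.items():
        lines.append(f"| {name} | {count} |")
    if not summary:
        lines.append("| (none) | 0 |")
    # Name the high-severity alerts so reviewers can triage without opening the report.
    report = json.loads(report_text)
    high = sorted({a["name"] for s in report.get("site", []) for a in s.get("alerts", [])
                   if int(a.get("riskcode", 0)) == 3})
    if high:
        lines += ["", "**High-severity alerts:**"] + [f"- {n}" for n in high]
    if pipeline_url:
        lines += ["", f"Full report: {pipeline_url}"]
    return "\n".join(lines)


def post_mr_comment(body, gitlab_url, project_id, mr_iid, token):
    """POST the comment to GitLab's merge-request notes endpoint.

    The token is sent in the PRIVATE-TOKEN header and needs the 'api' scope.
    Not called in the offline demonstration below.
    """
    project = urllib.parse.quote(str(project_id), safe="")  # numeric id or group%2Fproject
    url = f"{gitlab_url}/api/v4/projects/{project}/merge_requests/{mr_iid}/notes"
    req = urllib.request.Request(
        url, data=json.dumps({"body": body}).encode(), method="POST",
        headers={"PRIVATE-TOKEN": token, "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    summary = summarize(SAMPLE_REPORT)
    print(build_comment(summary, SAMPLE_REPORT, os.environ.get("CI_PIPELINE_URL")))
    # In a GitLab job, CI_PROJECT_ID, CI_MERGE_REQUEST_IID and CI_PIPELINE_URL are
    # predefined variables; the token would come from a masked variable such as
    # GITLAB_COMMENT_TOKEN (assumed name), passed to post_mr_comment().
```

Keeping the report parsing and the HTTP call in separate functions means the summary logic can be run locally on a saved report before any token is involved, which is where the authentication and formatting problems described above are easiest to isolate.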
One area that remains unclear to me is the overall impact of my work. I don’t yet know whether my project will be fully adopted or merged into the main codebase, and that uncertainty sometimes makes it difficult to measure the real-world value of my contributions. However, I can clearly see how much my own skills have grown. I now understand how security automation can be embedded into CI/CD pipelines in a practical way, instead of only understanding it in theory.
Toward the end of this phase, we were finally granted access to AWS environments, although the permissions were limited and did not include full visibility of security-related services. I did not have enough time to deeply explore AWS, but I plan to request more access if possible. I also became aware of a recent supply-chain style attack involving a compromised npm package, which my supervisor asked us to stay alert about. We began looking through project package files to check whether any vulnerable dependencies were present. This experience made me more aware of how real-world vulnerabilities can appear inside everyday development environments.
Overall, this final phase represents my strongest period of growth. I fully completed my OWASP ZAP automation project, improved reliability and clarity in the pipeline, and gained confidence in building security-focused automation. I will leave this internship with a clear goal of continuing to build hands-on experience in AWS, especially with cloud security tools. I also want to continue improving my communication so I can better explain technical work and its value. I feel honest and confident about the progress I made and the foundation this internship has given me.