Developers keep finding new ways to deliver higher-quality software faster—and automation is playing a big part in that transformation. But to avoid introducing new flaws at that same hurry-up pace, security needs to be integrated directly into the development lifecycle.
For many modern dev shops, Jenkins has become the open source engine of CI/CD (continuous integration/continuous delivery). Jenkins and its community have given rise to hundreds of plugins, including those that automate security. There's no reason why repetitive tasks, such as determining how an application handles malicious inputs or checking for known vulnerable components, must be performed manually. Jenkins' thriving marketplace of plugins can deliver the automated security testing you need.
Developers want fewer roadblocks and organizational silos, so they can focus on code. Automated unit, integration, and acceptance tests act as critical quality controls in CI/CD because they assure developers that they're working on stable code. If automated tests fail, developers know there's a bug to fix before the software reaches production. Security tests belong in that same loop: a failing scan should break the build just as a failing unit test does.
Jenkins is highly extensible, so the first and most obvious approach is to install security plugins from the Jenkins plugin index. You can also integrate Jenkins with external security platforms, so Jenkins kicks off the tests on the scanner and retrieves the results when they are done. Finally, if a security testing tool can run from the command line or from a Docker container, it's trivial to invoke it from a Jenkins Pipeline (the suite of plugins that automates CI/CD) with an sh step and fail the stage on a non-zero exit code.
By adding these security plugins to Jenkins, security intertwines with development, so it's far more likely that developers will write better, safer code.
ZAP web app flaws
The open source Zed Attack Proxy (ZAP) tool from the Open Web Application Security Project (OWASP) helps developers test for common vulnerabilities found in web applications, such as SQL injection and cross-site scripting. There are multiple plugins that claim to integrate ZAP with Jenkins, but most of them are woefully out of date. Stick with the Official OWASP ZAP Jenkins Plugin to get the latest version of the tool.
ZAP is a dynamic scanner: rather than reading source code, it proxies and crawls the running application, then replays requests with attack payloads and inspects the responses. It generates an XML, XHTML, or JSON report listing every issue found together with ZAP's risk rating (High, Medium, Low, or Informational) and a confidence level for each. For example, ZAP can flag error messages or warning text returned by the application that disclose too much about its file structure or framework.
Once the plugin has been installed, create a post-build step to run ZAP automatically, so the plugin kicks off the scan every time the application completes its build. It can also run earlier in the pipeline against a test deployment, with Selenium tests routed through the ZAP proxy so the scanner sees the same pages and parameters the functional tests exercise. Because the active scan sends real attack payloads, point it only at a test or staging environment you are authorized to scan, never at production.
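What a build step does with the report is the part the plugin leaves to you. The script below is an added example, not code from the article or the ZAP project: it reads the JSON report in the shape ZAP writes (a `site` list, each with an `alerts` list carrying `riskcode`, `cweid` and `instances`), tallies alerts by risk, and exits non-zero when anything at or above a chosen risk level is present, so a Jenkins sh step such as `sh 'python3 zap_gate.py zap-report.json Medium'` fails the build. The host name, the path `zap-report.json`, and the sample report embedded for offline runs are constructed for illustration.

```python
#!/usr/bin/env python3
"""Gate a Jenkins build on a ZAP JSON report.

Usage from a pipeline step:  python3 zap_gate.py zap-report.json Medium
Exit code 0 = no alert at or above the threshold, 1 = block the build.
"""
import json
import sys

# riskcode values as ZAP writes them in its JSON report.
RISK_BY_CODE = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}
CODE_BY_RISK = {name: code for code, name in RISK_BY_CODE.items()}

# Constructed sample in the layout of a ZAP report (not a real scan result);
# used when no report path is given so the script runs offline.
SAMPLE_REPORT = {
    "@programName": "ZAP",
    "site": [
        {
            "@name": "http://app.internal:8080",
            "alerts": [
                {
                    "alert": "SQL Injection",
                    "riskcode": "3",
                    "confidence": "2",
                    "riskdesc": "High (Medium)",
                    "cweid": "89",
                    "instances": [
                        {"uri": "http://app.internal:8080/search?q=x",
                         "method": "GET", "param": "q"},
                    ],
                },
                {
                    "alert": "Application Error Disclosure",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "cweid": "200",
                    "instances": [
                        {"uri": "http://app.internal:8080/account",
                         "method": "POST", "param": ""},
                        {"uri": "http://app.internal:8080/upload",
                         "method": "POST", "param": ""},
                    ],
                },
                {
                    "alert": "X-Content-Type-Options Header Missing",
                    "riskcode": "1",
                    "confidence": "2",
                    "riskdesc": "Low (Medium)",
                    "cweid": "693",
                    "instances": [
                        {"uri": "http://app.internal:8080/",
                         "method": "GET", "param": ""},
                    ],
                },
            ],
        }
    ],
}


def load_report(path):
    """Read a ZAP JSON report from disk."""
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def findings(report):
    """Flatten the report into (site, alert, riskcode, instance_count, cweid)."""
    out = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            instances = alert.get("instances", [])
            out.append((
                site.get("@name", "?"),
                alert.get("alert") or alert.get("name", "?"),
                int(alert.get("riskcode", 0)),
                len(instances) if instances else int(alert.get("count", 0)),
                alert.get("cweid", ""),
            ))
    return out


def count_by_risk(report):
    """Map risk name -> number of distinct alerts at that level."""
    counts = {name: 0 for name in RISK_BY_CODE.values()}
    for _, _, code, _, _ in findings(report):
        counts[RISK_BY_CODE.get(code, "Informational")] += 1
    return counts


def gate(report, fail_at="Medium"):
    """Return (passed, blocking): blocking lists alerts at or above fail_at."""
    threshold = CODE_BY_RISK[fail_at]
    blocking = [f for f in findings(report) if f[2] >= threshold]
    return (not blocking, blocking)


def main(argv):
    report = load_report(argv[1]) if len(argv) > 1 else SAMPLE_REPORT
    fail_at = argv[2] if len(argv) > 2 else "Medium"
    for name, n in count_by_risk(report).items():
        print(f"{name:14s} {n}")
    passed, blocking = gate(report, fail_at)
    for site, alert, code, n, cwe in blocking:
        print(f"BLOCKING {RISK_BY_CODE[code]} {alert} "
              f"(CWE-{cwe}, {n} instance(s)) on {site}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The threshold is deliberately a parameter: a team adopting ZAP usually starts by failing only on High, then tightens to Medium once the backlog of known Low findings has been triaged, rather than turning every header warning into a red build on day one.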