Whether or not the tests can block delivery is a decision that each team has to make. It is a cultural question about how well security is integrated into the dev and ops teams, not a technology or process question.
Integrating with external scanners
For many development teams, the reality is that Jenkins handles the builds and automated application testing and a dedicated security platform handles security testing. A series of scripts connect the two platforms, which makes the entire process brittle and difficult to maintain.
A number of commercial security scanners have released plugins to integrate with Jenkins, so it’s always a good idea to check if one exists. The plugin will let Jenkins retrieve test results and inform the developer of the issues at the same time it is providing information about other bugs. Don’t make the developers go to a different platform to find out about the issues if they can be presented at the same time.
- IBM Security has a static code analyzer, AppScan Source for Analysis, and a dynamic scanner, AppScan Standard. Instead of using custom batch jobs or scripts to perform automated scanning, set up the job within Jenkins to kick off the tool, and the plugin will work with the provided configuration rules to take care of the rest.
- The Appspider plugin automatically triggers Appspider postbuild. The generated report is stored in the plugin’s workspace, so developers don’t have to go to the Appspider Enterprise web interface to see the results.
- VAddy is a cloud-based security scanning service that runs end-to-end black box security tests for SQL injection, cross-site scripting, remote file inclusion, command injection, and directory traversal vulnerabilities on web applications, forms that use CSRF tokens, and REST API servers. It, too, has a Jenkins plugin. Set up the VAddy plugin with the host name of the server containing the application, and it will initiate the scan after Jenkins postbuild. (Don’t use VAddy to scan production servers!)
- There's no reason why Docker images can't get some security testing, as the Aqua Security scanner can look for vulnerabilities inside Docker. For the plugin to work, Docker must be installed on the same machine as Jenkins, because the scanner itself is deployed via a Docker container, and the jenkins user must be added to the docker group. The plugin can scan a local image or a hosted image.
- HPE Security's cloud-based application security testing service Fortify On-Demand can be called as a postbuild action via the plugin. Once the plugin is installed, the code can be uploaded from Jenkins to the cloud service for static application security testing every time a build completes. The plugin can also be configured to scan open source libraries and third-party components to look for known vulnerabilities, improperly used licenses, and outdated versions.
- Teams that use Contrast Security’s Contrast Enterprise for their vulnerability management can install the Contrast Enterprise plugin for Jenkins. The postbuild action compares the number, type, and severity of vulnerabilities against a predefined threshold; if the threshold is exceeded, the build is flagged so that the vulnerabilities are treated as showstoppers that need to be fixed.
- Black Duck Software offers a Black Duck Hub plugin for Jenkins, which helps identify known vulnerabilities in open source components, set up open source security policies, identify license issues, and detect modified open source components. Much like the OWASP Dependency-Check mentioned earlier, Black Duck Hub informs developers of problematic dependencies earlier in the lifecycle.
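The threshold comparison described for the Contrast plugin, and the team decision about whether scan results may block delivery, both come down to a small gate: count findings by severity, compare against agreed limits, and fail or merely report. The script below is an added example written for this article, not the Contrast plugin's logic or any vendor's code. It assumes a constructed, generic JSON report (a list of findings with a "severity" key); a real scanner emits its own schema, which would be parsed in load_findings(). The exit status is what a Jenkins shell step would use to mark the build.

```python
"""Build gate that compares scanner findings against per-severity thresholds.

Added example, not code from the article or from any vendor plugin. The report
format is a constructed, generic one (a list of findings with a "severity" key).
"""
import json
import sys
from collections import Counter

# Maximum findings allowed per severity before the build fails; -1 = unlimited.
# This is the article's "predefined threshold" expressed as data so the team's
# decision lives in version control next to the code.
DEFAULT_THRESHOLDS = {"critical": 0, "high": 0, "medium": 5, "low": -1}

# Constructed sample report for offline runs (not real scanner output).
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"id": "F-1", "severity": "high", "rule": "sql-injection", "path": "app/db.py"},
        {"id": "F-2", "severity": "medium", "rule": "reflected-xss", "path": "app/views.py"},
        {"id": "F-3", "severity": "medium", "rule": "reflected-xss", "path": "app/views.py"},
        {"id": "F-4", "severity": "low", "rule": "verbose-error", "path": "app/main.py"},
    ]
})


def load_findings(report_text):
    """Parse the (constructed) report format into a list of finding dicts."""
    data = json.loads(report_text)
    findings = data.get("findings", [])
    # Normalise severity so 'High' and 'HIGH' count the same. A level the gate
    # does not recognise is escalated to 'high' rather than silently ignored,
    # so a schema change cannot make findings disappear from the gate.
    for finding in findings:
        sev = str(finding.get("severity", "")).lower()
        finding["severity"] = sev if sev in DEFAULT_THRESHOLDS else "high"
    return findings


def count_by_severity(findings):
    """Map severity -> number of findings at that level."""
    return Counter(f["severity"] for f in findings)


def evaluate_gate(findings, thresholds=DEFAULT_THRESHOLDS):
    """Return (passed, violations); violations maps severity -> (count, limit)."""
    counts = count_by_severity(findings)
    violations = {}
    for sev, limit in thresholds.items():
        if limit < 0:
            continue  # unlimited for this severity
        if counts.get(sev, 0) > limit:
            violations[sev] = (counts[sev], limit)
    return (not violations, violations)


def main(argv):
    # Usage from a Jenkins shell step: python gate.py report.json
    # Exit status 1 fails the build. A team that has decided the gate must not
    # block delivery would log the violations and return 0 instead.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_REPORT
    passed, violations = evaluate_gate(load_findings(text))
    for sev, (count, limit) in sorted(violations.items()):
        print(f"GATE FAIL: {count} {sev} finding(s), limit {limit}")
    print("gate passed" if passed else "gate failed")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments it evaluates the embedded sample and fails on the single high finding; pass a report path to gate a real build. Keeping the thresholds as data rather than hard-coding them lets a team start with reporting only and tighten limits as the culture the article describes matures.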
Expand the tool set