The list of security plugins specific to Jenkins is still fairly short, but there are plenty of commercial platforms that can integrate with Jenkins. For the bulk of open source security testing tools, however, the best option is to set up the tools inside Docker containers and invoke them from Jenkins.
For example, Gauntlt is an open source security tool that drives other security tools, such as nmap, to run attacks such as cross-site scripting and SQL injection against the application, or to find insecure configuration settings. Gauntlt typically runs on its own server; the gauntlt-starter-kit, a VirtualBox virtual machine provisioned via Chef, helps teams get started with the tools, dependencies, and common tests. Gauntlt can also be set up within a Docker container, and from there it can be integrated with Jenkins.
Built on Cucumber, Gauntlt gives developers, security, and operations teams a common natural-language framework for understanding the issues found. One build command can kick off thousands of security tests, scans, and attacks written specifically for the application, and when the tests complete, Gauntlt exits with an easy-to-read message and a meaningful exit code, which can be parsed using the Finder plugin mentioned above.
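The wiring described in the three paragraphs above (a scanner in a Docker container, invoked from a Jenkins shell step, with its exit code turned into a build verdict and a greppable marker line for a text-finder post-build step) looks like this as an added example. It is not code from the article, from Gauntlt or from Jenkins; the Docker image name, the container-side attack path, the marker strings and the log file name are assumptions.

```shell
#!/bin/sh
# Jenkins "Execute shell" build step: run a containerised security tool and
# turn its exit status into a build verdict. Added example; the image name,
# the attack directory and the marker strings are assumptions, not from the
# article or from the Gauntlt project.

# security_gate NAME COMMAND...: run COMMAND, capture its output to a log file,
# print one marker line that a Jenkins text-finder post-build step can match,
# and return 0 (pass) or 1 (fail). Written so it behaves under `set -e`.
security_gate() {
    tool_name="$1"; shift
    log="${GATE_LOG:-security-gate-${tool_name}.log}"
    status=0
    "$@" >"$log" 2>&1 || status=$?
    if [ "$status" -eq 0 ]; then
        echo "SECURITY GATE PASSED: ${tool_name} exited 0 (log: ${log})"
        return 0
    fi
    # Gauntlt, like most scanners, signals failed attacks with a nonzero exit
    # code; the marker line makes that failure greppable in the console log.
    echo "SECURITY GATE FAILED: ${tool_name} exited ${status} (log: ${log})"
    return 1
}

# run_gauntlt_in_docker [ATTACK_DIR]: the article's scenario. The attack files
# live in the Jenkins workspace and are mounted read-only into the container.
# The image name is an assumption, as is the container's entrypoint being the
# gauntlt command (so the only argument is the attack directory).
run_gauntlt_in_docker() {
    attack_dir="${1:-${WORKSPACE:-$PWD}/attacks}"
    image="${GAUNTLT_IMAGE:-gauntlt/gauntlt}"
    security_gate gauntlt docker run --rm \
        -v "${attack_dir}:/attacks:ro" "$image" /attacks
}

# In the Jenkins job the step body ends with:
#   run_gauntlt_in_docker || exit 1
```

Because the script writes one fixed `SECURITY GATE FAILED:` line regardless of which tool ran, a single text-finder rule covers every scanner added later, and the full tool output stays in the log file rather than in the console.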
BDD-Security is another open source security testing framework that relies on other tools. Essentially a set of Cucumber-JVM features, BDD-Security uses Selenium, OWASP ZAP, and SSLyze. It relies on Selenium because it tests web applications and APIs externally, without needing access to the code. There's no need for plugins, since BDD-Security's JUnit output works directly with Jenkins. It works with the Gradle build system: you can have the Gradle build task kick off the tests, then add a post-build action in Jenkins to publish the JUnit test results.
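The Gradle-plus-JUnit flow above leaves the pass/fail decision to the JUnit XML that the test task writes. The added example below, not BDD-Security's or Jenkins' own code, shows a shell step that runs the task and then reads the same `testsuite` attributes Jenkins' JUnit publisher consumes, so the step can fail fast on its own. The Gradle task name, the report directory and the sample report are assumptions.

```shell
#!/bin/sh
# Jenkins shell step for the BDD-Security/Gradle flow: run the Gradle test task
# and summarise the JUnit XML it writes, failing the step when any scenario
# failed. Added example, not BDD-Security's or Jenkins' own code; the Gradle
# task name, the report directory and the sample report are assumptions.

# junit_attr FILE NAME: print the integer value of attribute NAME on the first
# <testsuite> element of FILE, or 0 if it is absent.
junit_attr() {
    v=$(sed -n "s/.*<testsuite[^>]*[[:space:]]$2=\"\([0-9]*\)\".*/\1/p" "$1" | head -n 1)
    echo "${v:-0}"
}

# junit_summary DIR: total the tests, failures and errors across every
# TEST-*.xml report in DIR; return 1 when anything failed or errored.
junit_summary() {
    dir="$1"; tests=0; failures=0; errors=0
    for f in "$dir"/TEST-*.xml; do
        [ -f "$f" ] || continue
        tests=$((tests + $(junit_attr "$f" tests)))
        failures=$((failures + $(junit_attr "$f" failures)))
        errors=$((errors + $(junit_attr "$f" errors)))
    done
    echo "JUnit summary: ${tests} tests, ${failures} failed, ${errors} errors"
    [ "$((failures + errors))" -eq 0 ]
}

# run_bdd_security [REPORT_DIR]: the build step itself. The JUnit publisher in
# Jenkins reads the same XML files from REPORT_DIR after the step finishes.
run_bdd_security() {
    report_dir="${1:-build/test-results/test}"   # Gradle's default JUnit XML location
    ./gradlew test --continue || true   # assumed task; the verdict comes from the XML
    junit_summary "$report_dir"
}

# write_sample_report DIR: a constructed JUnit report in the shape Gradle
# writes, used only so the summary can be exercised without a real Gradle run.
write_sample_report() {
    mkdir -p "$1"
    cat >"$1/TEST-ssl.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuite name="bdd-security.ssl" tests="3" failures="1" errors="0" time="4.2">
  <testcase name="Server offers only TLS 1.2 or higher" classname="ssl"/>
  <testcase name="Certificate has not expired" classname="ssl"/>
  <testcase name="No weak ciphers are offered" classname="ssl">
    <failure message="constructed failure: a weak cipher suite was offered"/>
  </testcase>
</testsuite>
EOF
}
```

Running the Gradle task with `--continue` and judging the outcome from the XML means one failing scenario does not hide the results of the others, and the numbers printed by the step match what the JUnit post-build action will show.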
Bring security health checks to the application
Security testing frequently falls by the wayside because developers feel there's no time for it. That's true if the plan is a top-down penetration test or a full-blown code analysis assessment. But many of the security vulnerabilities that plague modern development can be flagged long before the application is ready for a complete assessment: static code analysis can be run on each code commit, and penetration testing can be completed as part of the deployment phase.
Checking, every time the software is built, whether any of the included open source components is outdated or vulnerable can head off a whole range of potential security vulnerabilities and, even better, is easy to automate.
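The per-build component check above, as an added example rather than code from the article or from any particular scanner: a shell step that compares a dependency manifest against a list of fixed-in versions and fails the build when a component is below the fix. The manifest format (`name==version`), the advisory list and every package and version in it are constructed for illustration; a real pipeline would read the project's lockfile and a maintained vulnerability database instead of literals.

```shell
#!/bin/sh
# Per-build check of third-party components against a list of known-bad
# versions, as a Jenkins shell step. Added example, not code from the article
# or from any scanner; the manifest format (name==version), the advisory list
# and every package/version below are constructed for illustration.

# Constructed dependency manifest, one "name==version" per line (the shape a
# Python requirements file has).
MANIFEST='requests==2.19.0
urllib3==1.24.1
pyyaml==5.4
jinja2==2.10'

# Constructed advisory list: "name fixed_version", meaning every version below
# fixed_version is affected. A real build would pull this from a vulnerability
# database rather than a literal.
ADVISORIES='urllib3 1.24.2
pyyaml 5.4
jinja2 2.10.1'

# version_lt A B: succeed when dotted numeric version A is lower than B.
# Missing components count as 0, so 2.10 < 2.10.1. Non-numeric suffixes such
# as "rc1" are not understood and are treated as 0.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            ai = (i <= na) ? x[i] + 0 : 0
            bi = (i <= nb) ? y[i] + 0 : 0
            if (ai < bi) exit 0
            if (ai > bi) exit 1
        }
        exit 1
    }'
}

# check_dependencies MANIFEST ADVISORIES: print one VULNERABLE line per
# affected component and return 1 if any were found, 0 if the build is clean.
# Here-documents (not pipes) feed the loops so the counter survives them.
check_dependencies() {
    manifest="$1"; advisories="$2"; found=0
    while IFS='=' read -r name _ version; do
        [ -n "$name" ] || continue
        while read -r adv_name fixed; do
            [ "$name" = "$adv_name" ] || continue
            if version_lt "$version" "$fixed"; then
                echo "VULNERABLE: ${name} ${version} (fixed in ${fixed})"
                found=$((found + 1))
            fi
        done <<EOF_ADV
$advisories
EOF_ADV
    done <<EOF_MANIFEST
$manifest
EOF_MANIFEST
    echo "Dependency check: ${found} vulnerable component(s)"
    [ "$found" -eq 0 ]
}

# In the Jenkins step:
#   check_dependencies "$(cat requirements.txt)" "$ADVISORIES" || exit 1
```

With the constructed data, urllib3 1.24.1 and jinja2 2.10 are reported and the step returns nonzero; pyyaml 5.4 sits exactly at its fix version and passes. The comparison is deliberately simple: pre-release suffixes and distribution-specific version schemes need a proper version parser before this would be trustworthy against a real feed.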
Security is an underappreciated aspect of software development. One of the least obtrusive and most effective ways to ensure security is to integrate security tools into a developer's existing arsenal. If Jenkins is your CI/CD server of choice, you have an abundance of automated security tools to help your teams detect vulnerabilities earlier and maintain reliable software. In the end, everyone benefits.