In this video, Garrett Gross, Lead AppSec Specialist at Rapid7, walks us through the integration between Rapid7's industry-leading DAST solution InsightAppSec and the Jenkins automation platform. This plugin enables you to set up customizable pass/fail build conditions in your developers' existing CI/CD workflow. By sharing these tools and processes with your DevOps teams, you can shift security left in the SDLC and deliver more secure experiences for users.
CI/CD refers to “continuous integration and continuous delivery." "CD" can also stand for continuous deployment but, for this video, we’re going to be discussing how our DAST solution works with Jenkins and other automation platforms that facilitate continuous integration and delivery.
Jenkins, much like other automation platforms, integrates with version control systems to execute builds of software, usually triggered by a code commit or on a regular cadence. Within these builds, you can create pass/fail conditions that allow for better quality control over the releases. Functionality can be further extended with the use of plugins, like the one discussed here, to add additional conditions to the pass/fail logic.
On that note, we here at Rapid7 have developed a plugin that leverages access to the Insight platform’s API and allows for the results of an InsightAppSec scan to factor into the build’s pass/fail status. This gives the DevOps team insight into vulnerabilities well before they are released into production and allows security teams to ‘shift left’ and collaboratively augment the DevOps process, rather than interrupt it.
To go even further, the Jenkins integration provides the ability to set up a build to fail if it the scan returns certain results. You could configure it fail only if high and medium vulnerabilities are returned or only vulns with a certain url syntax.
One of the immediate benefits here is the ability to identify and fix vulnerabilities much earlier in the development process. This can save you time and money spent on remediating issues, should the vulnerability be exploited in production.
Plugins such as this one help facilitate integration into your CI/CD workflow but keep in mind that, due to the robust API of the Insight platform, integration with nearly any build automation platform is made easier. The API is fully documented, with an interactive guide in the help docs section of our website, as well as a Swagger file available for download.
I hope this video helped explain how easy it is to integrate InsightAppSec with the Jenkins automation platform and add DAST scanning to your DevOps process. Thanks for watching.
