Debug School

Suyash Sambhare

Dastardly with Jenkins

The CI/CD environment allows software to be built and delivered at speed. To do this, it makes heavy use of automation. However, releasing software quickly can be a risky business. How do you avoid critical security bugs with such a rapid release schedule? This problem creates a real need for security in CI/CD pipelines.
CI/CD security solutions like Burp Suite Enterprise Edition give you the safety net you need to support agile development. The assurances they give you enable DevSecOps: shifting security "left", to the start of the development lifecycle.

Advantages

The primary aim of CI/CD is to improve release velocity, so the last thing you want to do is negate that through security testing. Properly implemented CI/CD security removes bottlenecks. This hastens, rather than hampers, delivery speed. But this needn't come at the cost of quality: security improves, and compliance is often easier to achieve because of it.
And the benefits of secure CI/CD don't end with increased agility. Applications that are built secure make penetration tests more effective. Testers can concentrate on the advanced vulnerabilities they're supposed to find, rather than advising on basic security measures. Pentesting isn't cheap - so the value you gain from it will rise accordingly.
You can integrate Dastardly with Jenkins. This enables you to run Dastardly web vulnerability scans as a stage in your existing CI/CD pipeline.

Integrate Dastardly with Jenkins

Requirements:

  • Your Jenkins server or build node must have Docker installed.
  • No plugins beyond the Jenkins defaults are required to run Dastardly in a Jenkins CI/CD pipeline.
  • For information on the machine specification required to run Dastardly scans, see the Dastardly system requirements.

Configuration:

  • From the Jenkins Dashboard, click New Item.
  • Enter an item name for your pipeline, click Pipeline, then click OK.
  • You can give your pipeline a Description.
  • From the side menu, click Pipeline.
  • From the Definition drop-down, select Pipeline script from SCM.
  • Configure the Pipeline section to point to a Jenkinsfile in your code repository. You must include any credentials used to access the repository.
  • Click Save.

Create a Jenkinsfile in the corresponding location in your code repository. Add the following content to the file:

// Jenkinsfile (Declarative Pipeline) for integration of Dastardly, from Burp Suite.

pipeline {
    agent any
    stages {
        stage ("Docker Pull Dastardly from Burp Suite container image") {
            steps {
                sh 'docker pull public.ecr.aws/portswigger/dastardly:latest'
            }
        }
        stage ("Docker run Dastardly from Burp Suite Scan") {
            steps {
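                // Start from an empty workspace so a stale report is never published.
                cleanWs()
                // Run the container as the Jenkins user's UID so it can write the
                // report into the mounted workspace.
                sh '''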
                    docker run --user $(id -u) -v ${WORKSPACE}:${WORKSPACE}:rw \
                    -e BURP_START_URL=https://diskdastardly.local/ \
                    -e BURP_REPORT_FILE_PATH=${WORKSPACE}/dastardly-report.xml \
                    public.ecr.aws/portswigger/dastardly:latest
                '''
            }
        }
    }
    post {
        always {
            junit testResults: 'dastardly-report.xml', skipPublishingChecks: true
        }
    }
}

You can set BURP_START_URL to a seed URL for any application you want to scan.
Here, BURP_START_URL is set to https://diskdastardly.local/ - this is a deliberately vulnerable web application designed for testing web vulnerability scanners.
The next time your pipeline runs, Dastardly will scan the application you have set under BURP_START_URL.

Results

  • Run your Jenkins pipeline containing Dastardly, and allow the scan to complete. Scans run for a maximum of ten minutes.
  • Access the scan results by clicking the most recent build under Build History.
  • Click Test Result. Here you can see any failed tests. See more details of a failed test by clicking it.

Advice

You can see remediation advice for security issues that Dastardly finds under Stacktrace. This includes links to relevant sections of the free Web Security Academy resource, which provide further detail on web security vulnerabilities.
You can see evidence of security issues that Dastardly finds under Stacktrace. This evidence includes the request sent by Dastardly to produce the issue, as well as the response sent by the application.
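
The Test Result view is built from the dastardly-report.xml file that the junit step reads. As an added example (not from the original post or from PortSwigger), the Python below summarizes such a report outside the Jenkins UI and returns a fail-closed exit code. It assumes only the standard JUnit elements (testsuite, testcase, failure, error); the sample report, the names summarize and gate, and the rule that an empty report counts as a failure are constructed here.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in generic JUnit shape; not real Dastardly output.
SAMPLE_REPORT = """<testsuites>
  <testsuite name="https://app.example.test/" tests="3" failures="2">
    <testcase name="Constructed issue A">
      <failure message="Constructed finding A">Remediation advice...
Evidence: request and response...</failure>
    </testcase>
    <testcase name="Constructed issue B"><failure>First line only
second line</failure></testcase>
    <testcase name="Constructed check C"/>
  </testsuite>
</testsuites>"""

def summarize(xml_text):
    """Return (testcase_count, findings); findings are (suite, case, message)."""
    root = ET.fromstring(xml_text)
    # JUnit reports use either <testsuites> or a single <testsuite> as root.
    suites = [root] if root.tag == "testsuite" else root.findall("testsuite")
    total, findings = 0, []
    for suite in suites:
        for case in suite.findall("testcase"):
            total += 1
            for node in case:
                if node.tag in ("failure", "error"):
                    # The body embeds responses from the scanned app: treat it
                    # as untrusted and keep one truncated line for the summary.
                    body = (node.text or "").strip().splitlines() or [""]
                    msg = (node.get("message") or body[0])[:120]
                    findings.append((suite.get("name", ""), case.get("name", ""), msg))
    return total, findings

def gate(xml_text):
    """CI exit code: 0 = clean, 1 = findings, 2 = unusable report (fail closed)."""
    try:
        total, findings = summarize(xml_text)
    except ET.ParseError:
        return 2
    if total == 0:
        return 2  # assumption: no testcases means nothing was actually scanned
    return 1 if findings else 0

if __name__ == "__main__":
    try:
        text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_REPORT
    except OSError:
        sys.exit(2)  # missing report: the scan step produced no output
    for suite, case, msg in summarize(text)[1] if gate(text) == 1 else []:
        print(f"{suite}\t{case}\t{msg}")
    sys.exit(gate(text))
```

Run with the report path as the only argument; with no argument it processes the constructed sample.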

Ref: https://portswigger.net/burp/documentation/dastardly/jenkins
