This blog post is part three of our ongoing Automation with InsightAppSec series. Make sure to check out part one and part two to see everything you can achieve when combining InsightAppSec with automation.
As with our InsightAppSec Plugin for Jenkins and InsightAppSec Extension for Azure DevOps, Rapid7 is excited to announce the release of a new plugin for Atlassian Bamboo with the goal of integrating InsightAppSec into the software development life cycle (SDLC).
The InsightAppSec Plugin for Atlassian Bamboo is a first-class experience for integrating Rapid7’s dynamic application security testing (DAST) into Atlassian build and deploy pipelines, making it an easy way for security and development teams to implement it in a manner that provides value for all involved.
While security practitioners and web application developers may not always agree on what is or isn’t a false positive, we can certainly help find common ground on how to implement a solution to make it easier for all involved. In this post, we'll review the benefits of implementing this plugin to help alleviate any of the common concerns regarding the embedding of application security testing into the SDLC.
Embed security within the SDLC
“Shifting left” by embedding security into the SDLC is not something we’re doing to simply add greater complexity into the process. On the contrary, this shift addresses real problems by embedding into the place best suited for those most impacted—the product and development teams. This is a security team’s opportunity to provide convenience to those most impacted when the SDLC is altered by adding security testing.
As maturing teams look to integrate their DAST tools into the SDLC, it is important to take a transparent, first-class approach that fits nicely into one of the most important tools of a development team’s stack: continuous integration and delivery (CI/CD). As Rapid7 considered the struggles a team may encounter when implementing application security testing, we identified three key challenges that could be solved with a CI/CD plugin. These solutions should benefit both development and security organizations to create a natural and collaborative approach for identifying and resolving security findings.
|Inability to trigger InsightAppSec scans when applications are deployed||CI/CD plugin to initiate InsightAppSec scans as part of the build and/or release pipeline.||For the security team, InsightAppSec becomes a key component of a maturing SDLC while shifting left.For the application team, scans are initiated in a timely manner instead of weeks/months after code changes have been made.|
|Inability to get high-level metrics of InsightAppSec scans as part of continuous deployments.||Automate generation of a report with rollup of metrics, including criticality and attack module, based on InsightAppSec scan results triggered as part of a build and/or release pipeline.||The security team has the ability to provide scan results to application teams without manually running reports or building spreadsheets.The application team can provide scan findings within a common tool.|
|Inability to gate application deployments as part of a CI/CD pipeline based on the results of an InsightAppSec scan.||Implement native and easy-to-configure CI/CD plugin feature to allow pipeline gating based on scan results.||The security team can communicate problems immediately and avoid promoting vulnerabilities to production.The application team receives direct visibility of enforced gating, as well as the ability to receive immediate feedback of scan results.|
Developer: “Let me use my tools!”
Security teams have surely worked with development teams that don’t want to learn another tool. So then, why is it important to incorporate security into the tools of developers? Why not just make them use your tool directly?
For one, development and DevOps teams already have a large number of tools they have to incorporate, such as CI/CD, code analysis, IDEs, Docker, and so much more. Piling another tool on top of those can result in unnecessary complexity and lack of willingness to adopt. By bringing security to a development team with a collaborative solution, you are more likely to get buy-in. For example, instead of expecting every developer to start logging into InsightAppSec every morning to see what vulnerabilities were found for their application, you can bring the scan and scan results directly to them!
Reaching common ground with the InsightAppSec Bamboo plugin
To better envision the role the InsightAppSec Bamboo Plugin plays, let’s take a look at a scenario where it’s included within an organization’s simplified SDLC:
- Code Changes: Developers make code changes within a project and push them to the project’s central repository.
- Build Code: The updated code is built within the project.
- Test Code: Any automated tests are executed to further confirm correct functionality within both existing and newly added features.
- Release: The application is released or deployed to its designated environment.
- InsightAppSec: Security scanning takes place for the application via the plugin in Atlassian Bamboo by communicating with InsightAppSec.
The plugin makes it extremely easy to start embedding InsightAppSec into the SDLC. Once logged in to Bamboo, an administrator simply needs to “Find new apps” and search for “InsightAppSec”:
Once installed, you are ready to begin configuring the plugin’s key component, the Rapid7 InsightAppSec Scan task:
After configuring the task based on the documentation provided here, you are ready to get started! The help documentation has provided examples of configuring and running the task, and there are tooltips within Bamboo to assist with configuration.
Giving developers the control and visibility they need
As promised, we also provide the ability to gate and view the results of a scan. Not only is this valuable to security teams to block releases from continuing to production, but it’s also valuable to developers for setting clear expectations.
And if that wasn’t enough, you can also take advantage of the metrics and findings that can be generated and saved as artifacts for the build jobs:
You don’t need to wait for the security team to tell you what to fix; you have the ability to review the findings and get started right away. We wanted to make this experience easier than most interactions while implementing security, so take advantage!
Get started today
Leveraging the Rapid7 InsightAppSec plugin as part of an Atlassian Bamboo build or release pipeline can provide organizations an easy and convenient way to embed application security testing into the SDLC in a collaborative and team-first manner. The plugin facilitates automated scanning in a highly agile environment where code changes occur frequently, while also allowing security to mature by “shifting left” and identifying code changes that may negatively impact an organization's security posture. The impact through its implementation will allow for both security and application teams to benefit from the incorporation into the SDLC.
The Rapid7 InsightAppSec Bamboo plugin is currently available on the Atlassian Marketplace for free and can be downloaded for installation and usage within Atlassian Bamboo. The plugin itself is also fully open source, and the project is available on GitHub for those who would like to make contributions. They are always appreciated!