Automate Application Security Testing Within Your Build Pipeline
Integration Benefits
Integrate dynamic application security testing into the software development lifecycle (SDLC) with AppSpider Enterprise and Jenkins to:
- Reduce the presence of application vulnerabilities exposed to attack
- Identify security bugs earlier in the SDLC, when they are less costly to fix
- Adopt a DevSecOps mentality and reduce friction between security, development, and IT operations teams with an automated, end-to-end workflow
Application development moves at a blistering pace; releases that used to come out once or twice a year now happen weekly, daily, even continuously. While modern web technologies and tools such as continuous integration/continuous delivery (CI/CD) have helped accelerate the pace of development, these same driving forces also make it difficult for application scanners to crawl and test your modern applications. Security teams are having trouble testing applications for vulnerabilities at the rate at which development teams update them, thus creating heightened yet unknown security risk.
This is where Rapid7 and Jenkins can help. Rapid7’s AppSpider Enterprise DAST (Dynamic Application Security Testing) tool integrates with the Jenkins CI/CD solution to help security teams work in parallel with application development. The integration also makes it possible for organizations to adopt a DevSecOps mentality, where security isn’t the responsibility of a single team, but rather a shared mindset between development, IT operations, and security that can be operationalized via automation. Rapid7’s application security solutions are also the only DAST solutions with a Universal Translator, meaning they can scan modern applications, SPAs (Single Page Applications), and APIs and still generate high quality vulnerability results right out of the box.
How It Works
The AppSpider Enterprise and Jenkins integration utilizes a Jenkins plugin designed for AppSpider Enterprise’s robust REST API. The Jenkins plugin, once configured with the URL to the AppSpider Enterprise REST API as well as the AppSpider Enterprise login credentials, makes AppSpider Enterprise scanning available as a post-build Jenkins task.
Figure 1: Adding AppSpider scans as a post-build Jenkins task
After the automated scan executes, the vulnerability report generated by AppSpider Enterprise can be automatically retrieved and placed in the Jenkins build workspace for review, or viewed in the AppSpider Enterprise console.
Creating Custom Integrations with the AppSpider REST API
The AppSpider Enterprise Jenkins plugin utilizes the AppSpider Enterprise REST API to trigger scans during the Jenkins build; that API can also be called directly for additional custom integration actions. Need some ideas for where to start? The following are some of the capabilities exposed in the AppSpider Enterprise REST API:
- Retrieve/Add/Delete AppSpider Scan Engines
- Retrieve/Create/Edit/Delete Scan Configurations
- Retrieve/Create/Edit/Delete Scan Blackout Periods
- Retrieve/Start/Pause/Resume/Stop Scans
- Retrieve Scan Report
- Retrieve Scan Results
- Retrieve Vulnerabilities
- Retrieve Crawled Links in a Scan
- Retrieve/Create/Edit/Delete Scan Schedule
Integration Overview
Download this Integration Overview
Download NowNeed help with an integration?
Please contact Rapid7 for support or assistance at +1.866.380.8113, or view all of our support options.
Get Support