The ability to automate security testing further streamlines application development and deployment, and organizations across markets and services are looking for ways to integrate and institutionalize security testing. As such, many have implemented DevOps pipelines orchestrated with tools like Jenkins, UrbanCode, Bamboo, or others.
Our customers are no different. They want to integrate testing with the Jenkins continuous integration server for more robust, rigorous, and automated processes. Our IBM Application Security on Cloud plugin for Jenkins achieves this integration.
With this Application Security on Cloud plugin for Jenkins, users can set up automatic static, dynamic, and mobile scanning. Such automated application security testing frees up your development team to focus on features while potential security issues are found faster and more consistently. Meanwhile, your security team can focus on manual penetration testing and remediation.
To enable automatic security scanning with Jenkins:
1. Install the Jenkins plugin:
a. In Jenkins, go to Manage Jenkins > Manage Plugins.
b. On the Available tab, locate and install the IBM Application Security on Cloud plugin.
2. Set up credentials:
a. From the main Jenkins dashboard, go to the Credentials page.
NOTE: You can also add credentials within folders to limit the scope to just that folder and its subfolders.
b. Add new credentials.
c. In the Kind drop-down, select IBM Application Security on Cloud.
d. Enter your API key ID and secret. If you don't know your ID and/or secret, click the link to create one or both.
3. Add a Run Security Test step to your Jenkins job:
a. From your Jenkins project page, click the Configure link.
b. Click Add Build Step and choose Run Security Test.
c. Fill in the options for the security scan and how you want Jenkins to run the job, then click Save:
Credentials: Select the credentials you added to Jenkins in step 2.
While the scan is running, you can view scan summary data on the Jenkins dashboard.
Application security isn’t the concern of only a select few in your organization. It’s a critical part of your business. By automating application security testing, you institutionalize it across multiple teams.
Learn more about the ASoC Jenkins plugin here
Senior Technical Specialist, AppScan