11/20/2019 | News release | Distributed by Public on 11/20/2019 08:05
Rapid7 is excited to announce the release of a new integration to incorporate InsightAppSec, Rapid7's web application security testing solution, within Jenkins to improve release cycles and reduce the number of vulnerabilities that go into production.
Developers receive thousands of vulnerability reports every week but have little time to fix them, especially once the affected code is already in production. Addressing vulnerabilities in production isn't easy and usually costs more, both in time and in resources.
Because of this, more and more organizations are 'shifting left,' or moving security to earlier on in the software development lifecycle (SDLC), where bugs and vulnerabilities can be caught before anything is pushed to production. Here, these issues are much faster and easier to fix, and importantly, they never reach your end users.
This is possible by integrating dynamic application security testing (DAST) earlier in the SDLC through build automation frameworks like Jenkins. Leveraging tools that the DevOps team already uses makes it easier to integrate security into the process, since it's built into their existing workflow and doesn't require learning another tool or method.
Our new integration: InsightAppSec and Jenkins
Built to help automate the non-human part of the software development process, Jenkins is a popular solution for DevOps teams implementing continuous integration/continuous deployment (CI/CD). Our new integration between InsightAppSec and Jenkins allows you to run highly targeted scans, for example against a shopping cart or a product search feature, before the code goes out into the wild, so that issues can be fixed faster and more cheaply.
The InsightAppSec API key allows Jenkins to connect, launch a scan, check on the scan status, and more. It's as simple as adding an InsightAppSec build step and then selecting the application to be scanned. Depending on your organizational structure and how collaborative your security and DevOps teams are, the scan criteria can be decided as a team or individually.
You can configure the build step to act on the scan result. For example, you could require it to fail the build if a scan returns a high-severity vulnerability, if a scan is pending for more than an hour, or if the scan takes more than 6.5 hours to execute.
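The build-gating rules just described, written out as an added example (this is not the Jenkins plugin's own code, and the snapshot fields, status values and submission time are constructed assumptions, not the InsightAppSec API schema): each poll of the scan yields a pass, fail, or keep-waiting verdict, and the three failure conditions from the text are the thresholds.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Gate thresholds from the release text: fail on a high-severity finding,
# on more than an hour in the queue, or on more than 6.5 hours of scanning.
MAX_PENDING = timedelta(hours=1)
MAX_RUNTIME = timedelta(hours=6, minutes=30)
BLOCKING_SEVERITIES = {"HIGH"}
# Constructed submission time for the example; a real build step reads the clock.
SUBMITTED_AT = datetime(2019, 11, 20, 8, 0, tzinfo=timezone.utc)

def at(minutes: float) -> datetime:
    return SUBMITTED_AT + timedelta(minutes=minutes)

@dataclass
class ScanSnapshot:
    """One poll of scan state. Field names and status strings are assumptions
    made for this example, not the InsightAppSec API schema."""
    status: str                         # "PENDING", "RUNNING" or "COMPLETE"
    started_at: Optional[datetime] = None
    finished_at: Optional[datetime] = None
    severities: List[str] = field(default_factory=list)  # one entry per finding

def evaluate_gate(snap: ScanSnapshot, now: datetime) -> Tuple[str, str]:
    """Return ("PASS" | "FAIL" | "WAIT", reason) for a single poll of the scan."""
    if snap.status == "PENDING":
        if now - SUBMITTED_AT > MAX_PENDING:
            return "FAIL", "scan pending for more than 1 hour"
        return "WAIT", "scan still queued"
    # Runtime is measured from when scanning actually started, and is bounded
    # even while the scan is still running so a hung scan cannot stall CI.
    elapsed = (snap.finished_at or now) - (snap.started_at or SUBMITTED_AT)
    if elapsed > MAX_RUNTIME:
        return "FAIL", "scan ran for more than 6.5 hours"
    if snap.status != "COMPLETE":
        return "WAIT", "scan still running"
    blocking = sorted({s.upper() for s in snap.severities} & BLOCKING_SEVERITIES)
    if blocking:
        return "FAIL", "scan found " + ", ".join(blocking) + " severity vulnerabilities"
    return "PASS", "no blocking findings"

def gate_build(polls: List[Tuple[datetime, ScanSnapshot]]) -> Tuple[str, str]:
    """Walk a sequence of (poll time, snapshot) pairs, as a build step polling
    the scan status would, and return the first terminal verdict."""
    for now, snap in polls:
        verdict, reason = evaluate_gate(snap, now)
        if verdict != "WAIT":
            return verdict, reason
    return "FAIL", "polling stopped before the scan finished"
```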
Results are delivered to the dev team right in the Jenkins dashboard within an hour, enabling them to rapidly implement changes.
Because the scan is powered by InsightAppSec, it not only returns any vulnerabilities found but also prioritizes them by severity level, so that busy developers can focus on the ones that matter most without getting bogged down by hundreds of others.
Powered by the InsightAppSec API
Our Jenkins integration, along with all of our other integrations, is driven by the InsightAppSec REST API. The API makes it possible to integrate with nearly any solution, enabling workflows like these to be created and available faster to support the growing needs of today's security and DevOps teams.
Better together; better release cycles
Security and DevOps teams are better together, and so are the tools they use. By bringing the functionality of application security directly into DevOps' favorite tools, this integration enables collaboration to flow instead of feeling like a push-pull stalemate.
When appsec is automated into the SDLC, teams can maintain their rapid development cycles and stay on top of security. In this way, application security becomes a part of the process, not a hindrance. Since InsightAppSec is specifically designed to highlight exactly what's wrong and how to take action on it, the information developers receive in Jenkins through the integration is highly actionable, making vulnerabilities easier to remediate and shaving off thousands of expensive development hours every year.
The integration is available directly through the Jenkins plugin store. Because it is a free, open-source integration, you can add it just as you would a Chrome extension, and it is up and running for you to use right away. Get started here.