/oct 30, 2019

Veracode Dynamic Analysis + Jenkins: Integrate DAST Into Your CI/CD Pipeline

By Marina Kvitnitsky

It’s the age-old dilemma – balancing the need to ensure applications are secure with the need to release applications and updates on faster and faster schedules. With many teams adopting the principles of DevSecOps, and implementing security checks as early as possible in the SDLC, a key aspect of success is integrating security with the tools that development teams already use.

The Veracode Dynamic Analysis + Jenkins integration allows you to automate DAST scanning by creating post-build resubmit and review actions through the freestyle build or resubmit and review steps as part of the pipeline build.

Why integrate DAST scanning into your CI/CD?

To get the most comprehensive understanding of your risk, it’s best practice to implement multiple assessment types throughout the SDLC. In this way, you not only identify flaws in code, but also find exploitable vulnerabilities that have made it into production that could leave your organization open to a breach. One way to get a complete view into these exploitable vulnerabilities is to perform regular Dynamic Application Security Testing (DAST) scans on your web applications. DAST scanning can take place as early as test or QA but often is performed on runtime web applications to monitor the application for vulnerabilities that may not have been caught by earlier forms of testing.

In the past, DAST scanning was viewed as a slower assessment type and incompatible with more rapid development processes like CI/CD; however, thanks to a newly released integration between Veracode Dynamic Analysis and Jenkins, development teams can perform these critical checks as a part of their regular release cadence. This integration will leverage the tools and processes that development teams are already using and will make ensuring developer adoption a much easier task for the security team.

Creating post-build actions with freestyle or pipeline builds

Veracode knows that development teams use Jenkins differently, and that is why we have built in flexibility in how this integration can be used. With the freestyle builds, you can leverage Global Veracode API account credentials to set up resubmit and review actions.

Resubmitting Veracode Dynamic Analysis scans in Jenkins

Resubmitting your DAST scan will ensure that you are able to see the most up-to-date vulnerability data for your web application. With rapidly changing applications and an ever-evolving threat landscape, an application that was secure during one release pipeline may no longer be secure for the next. The ability to resubmit scans ensures that your teams are checking for exploitable vulnerabilities and remediating the ones that are found right from their Jenkins instance. You can configure each resubmit action for specific analyses as well as for scan duration, which will help your teams fit DAST scanning into their release pipelines.

Reviewing Veracode Dynamic Analysis results in Jenkins

Once your teams have run Veracode Dynamic Analysis, it is easier for them to review their results from within Jenkins instead of in the Veracode Application Security Platform. This integration allows you to review the DAST results of any linked application right in Jenkins and see whether your application meets or fails policy.

Failing the Build

It is important to note that development teams can automatically fail the build and stop the application from releasing if the application does not meet security policy. With the Veracode Dynamic Analysis + Jenkins integration, development teams can fail the build if:

  • A scan takes too long as part of the resubmit action
  • Results don’t return within a certain timeframe as part of the review action
  • The results fail policy as part of the review action

This ensures that your teams are unable to release insecure applications prior to a full security audit and will greatly reduce your risk of a breach.

Ultimately, integrating Veracode Dynamic Analysis into your CI/CD pipeline will help to make your web applications more secure. To learn more about setting up this integration, please visit the Veracode Help Center or reach out to Veracode Support.

Related Posts

By Marina Kvitnitsky

Marina Kvitnitsky is a Product Manager for Integrations at Veracode, with a mission to shift Veracode solutions left in the development process. Prior to Veracode, Marina has worked as a Product Manager for several other companies in Boston area, including Global Capacity and EMC.