
Most web application projects use a client-server architecture, with code pushed to an online repository for ease of collaboration. The same repository also drives continuous integration and delivery (CI/CD) of the application and its server. Azure DevOps is one such platform, offering a complete package from building to deploying an application and managing the CI/CD pipeline. How secure is the newly deployed application, and can a security test be integrated into the CI/CD pipeline? It can. This post shows how to achieve this using the HCL AppScan extension.

Installation and Configuration

The extension can be downloaded free of charge from the Azure DevOps marketplace.

Once the extension is installed, it must be configured with AppScan Enterprise (ASE) credentials (a Key ID and Secret) through a Service Connection in Azure DevOps.

[Screenshot: Achieve DevSecOps in Microsoft Azure DevOps]

Enter the ASE Server URL (in the form https://<hostname>:<port>/ase) and provide the Key ID and Secret. The Key ID and Secret are generated in ASE; refer to the ASE documentation for the steps. Keep the secret only in the service connection: it should not be pasted into pipeline YAML or into variables that are checked into the repository.

Pipeline Configuration

Create a new pipeline and add a task of type HCL AppScan Enterprise, as shown below.

[Screenshot: Achieve DevSecOps in Microsoft Azure DevOps]

Enter the relevant details for the added task in the pipeline. The Folder ID, Template ID, Test Policy ID and Application ID can be obtained from the ASE REST APIs. The "Starting URL" field is the URL of the application to be security scanned. A sample configuration is shown below.

[Screenshot: Achieve DevSecOps in Microsoft Azure DevOps]

Using a YAML script

The scan can also be configured in a YAML pipeline, as in the example below.

steps:
- task: HCLTechnologies.ApplicationSecurity-VSTS.custom-ase-task.HCLAppScan Enterprise@2
  displayName: 'Run HCL AppScan Enterprise Security Test'
  inputs:
    ServiceEndPointAse: 'ASE_227'
    jobName: 'MyFirst_Azure_Scan'
    folderId: 4
    templateId: 7
    testPolicyId: 8
    startingURL: 'https://demo.testfire.net'
    loginMethod: None
    optimization: Fastest
    suspend: false

If your deployment already uses a YAML pipeline, add the step above; otherwise, add the task through the pipeline editor as shown in the previous figure.

The HCL AppScan extension is now ready to be incorporated into your project's CI/CD pipeline.

Main Features

  1. Add a security task to scan newly deployed websites, locally hosted sites or public sites.
  2. The task can scan specific flows of a site (newly deployed, locally hosted or public) using the Activity Recorder. This small utility records traffic and actions from your website so that the recordings can be uploaded to the AppScan dynamic analysis tool of your choice: HCL AppScan Enterprise, HCL AppScan Standard or HCL AppScan On Cloud. The recorded files can be stored in Azure Repos Git, GitHub, GitHub Enterprise Server or Bitbucket Cloud, and the path to the recorded files is specified in the pipeline configuration so that the task uses them.
  3. Multiple tasks of type HCL AppScan Enterprise can be added, so many sites can be scanned in a single pipeline. A security summary of the issues for each site is displayed along with the security test report, which lists the scan issues together with remediation guidance.
  4. Supports enabling and configuring settings and email alerts before a build is triggered.
  5. The build can be configured to fail based on the security results. For example, the build can be failed if the number of high-severity vulnerabilities is more than 5.

The fail condition is configured as shown below.

[Screenshot: Achieve DevSecOps in Microsoft Azure DevOps]

If the configured condition is met, the Azure build fails and an appropriate message appears in the Azure console. A sample console message is shown below.

[Screenshot: Achieve DevSecOps in Microsoft Azure DevOps]

6. Scan time can be reduced by choosing a balance between speed and issue coverage. Optimized scans omit tests defined in the test policy for less severe or less likely vulnerabilities, based on ongoing statistical analyses. Read more about test optimization here.

7. The scan report can be downloaded in JSON and PDF formats from the pipeline logs after a successful scan. The PDF report is generated only if the optional Application ID field was set during pipeline task configuration.

8. The Build Summary displays the issue count by severity once the scan completes successfully.

[Screenshot: Achieve DevSecOps in Microsoft Azure DevOps]
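Features 5 and 7 above describe a build that fails when a severity threshold is exceeded and a scan report that can be downloaded as JSON. The following Python script is an added example, not code from this post or from HCL AppScan: it applies the same "more than N high-severity issues" gate to a downloaded JSON report, so the check can also run in a later pipeline job or outside Azure DevOps. The report layout (a top-level issues list with a severity string per issue), the field names and the sample findings are constructed assumptions; adapt count_by_severity() to the real report's schema.

```python
"""
Severity gate over an AppScan Enterprise JSON scan report (added example).

ASSUMPTION: the report is a JSON object with a top-level "issues" list
whose entries carry a "severity" string. This is an illustrative layout,
not the extension's documented schema; adjust count_by_severity() to the
field names in the report you actually download.
"""
import json
import sys
from collections import Counter

# Severity labels the gate understands (assumed labels; adjust to your report).
SEVERITIES = ("critical", "high", "medium", "low", "information")

# Constructed sample report standing in for the downloaded JSON.
# The findings are made up for the example and are not real scan results.
SAMPLE_REPORT_JSON = json.dumps({
    "scanName": "MyFirst_Azure_Scan",
    "startingUrl": "https://demo.testfire.net",
    "issues": [
        {"id": 101, "issueType": "Cross-Site Scripting", "severity": "High"},
        {"id": 102, "issueType": "Cross-Site Scripting", "severity": "High"},
        {"id": 103, "issueType": "SQL Injection", "severity": "High"},
        {"id": 104, "issueType": "SQL Injection", "severity": "HIGH"},
        {"id": 105, "issueType": "Session Fixation", "severity": "high"},
        {"id": 106, "issueType": "Path Traversal", "severity": "High"},
        {"id": 107, "issueType": "Missing HttpOnly Flag", "severity": "Medium"},
        {"id": 108, "issueType": "Autocomplete Enabled", "severity": "Low"},
        {"id": 109, "issueType": "Server Banner Disclosed", "severity": "Informational"},
        {"id": 110, "issueType": "Unclassified Finding"},  # no severity field at all
    ],
})


def normalize_severity(raw):
    """Map a raw severity label to one of SEVERITIES or to 'unknown'.

    Labels are compared case-insensitively and 'Informational'/'info' are
    folded into 'information'. A missing or unrecognised label becomes
    'unknown' so it can be reported instead of being silently dropped.
    """
    if raw is None:
        return "unknown"
    label = str(raw).strip().lower()
    if label in ("informational", "info"):
        label = "information"
    return label if label in SEVERITIES else "unknown"


def count_by_severity(report):
    """Count the report's issues per normalized severity."""
    return Counter(normalize_severity(issue.get("severity"))
                   for issue in report.get("issues", []))


def evaluate_gate(counts, thresholds, fail_on_unknown=True):
    """Return a list of violation messages; an empty list means the gate passes.

    thresholds maps a severity to the maximum number of issues allowed,
    so {"high": 5} fails when MORE THAN 5 high-severity issues exist,
    the same "more than N" semantics as the extension's fail condition.
    """
    violations = []
    for severity, limit in thresholds.items():
        key = normalize_severity(severity)
        if key == "unknown":
            raise ValueError(f"unsupported severity in thresholds: {severity!r}")
        found = counts.get(key, 0)
        if found > limit:
            violations.append(
                f"{found} {key} issue(s) found, more than the allowed {limit}")
    unknown = counts.get("unknown", 0)
    if fail_on_unknown and unknown:
        # Fail closed: a finding whose severity cannot be classified might be high.
        violations.append(
            f"{unknown} issue(s) have a missing or unrecognised severity")
    return violations


def run_gate(report_json, thresholds, fail_on_unknown=True):
    """Parse a JSON report and apply the gate. Returns (passed, counts, violations)."""
    report = json.loads(report_json)
    counts = count_by_severity(report)
    violations = evaluate_gate(counts, thresholds, fail_on_unknown)
    return (not violations), counts, violations


if __name__ == "__main__":
    # Usage: python appscan_gate.py [report.json]; without a file the sample is used.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT_JSON
    passed, counts, violations = run_gate(text, {"high": 5})
    print("Issue counts:",
          {k: counts[k] for k in (*SEVERITIES, "unknown") if counts[k]})
    for message in violations:
        print("GATE FAILURE:", message)
    sys.exit(0 if passed else 1)
```

Issues with a missing or unrecognised severity fail the gate by default, so a change in the report's labels cannot silently turn every finding into a pass; pass fail_on_unknown=False only once you have confirmed the report's vocabulary. The exit code makes the script usable as a gate step in any pipeline job that has the JSON report on disk.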

Integration with Other Defect Tracking Systems

If the optional Application ID field is set during pipeline task configuration, the security issues can be viewed under the specified application in the AppScan Enterprise interface. The AppScan Issue Management Gateway service can then migrate issues from AppScan Enterprise to issue management applications such as Jira, Azure and Rational Team Concert.