This blog post is part one of the ongoing series, Automation with InsightAppSec.

Rapid7 is excited to announce the release of a new extension to incorporate InsightAppSec, Rapid7’s web application security solution, within Azure DevOps Pipelines to provide organizations with essential information about a web application’s security posture as part of their software development lifecycle (SDLC). But before we get into the extension itself, let’s take a step back and look at the move toward continuous integration and continuous delivery (CI/CD) and the current trend of “shifting left” by incorporating application security solutions within the SDLC.

Security in all the right places

Today, more and more organizations are shifting toward the DevOps methodology within their SDLC, which has led to the increased adoption of CI/CD (the notion of continuous incorporation of code within a software development project, which allows for things like automated testing and quick subsequent releases). The result is swift improvements and innovation for applications in a market where companies seek to rapidly deliver new content to end users. This form of agile development as part of software development and delivery is growing across companies of all sizes and industries, as its benefits allow for immediate business impact.

One aspect of the CI/CD cycle that continues to evolve is the inclusion of web application security testing. Organizations have traditionally struggled to address security in their applications’ SDLC due to time constraints and the additional complexity it adds to development. However, to help alleviate that issue, many companies now include security testing within their CI/CD in an automated fashion, ultimately shifting security to the left in their SDLC.

It’s easy to see why. Identifying application vulnerabilities early on as part of the build/release cycle makes it easier for developers to address them and apply fixes. In addition, early identification will help ensure the application isn’t riddled with unknown vulnerabilities when it’s released to production.

Utilizing the SDLC to deliver impact

With security as part of CI/CD in mind, many organizations have started to use CI/CD tools such as Jenkins, Bamboo, and Azure DevOps to effectively automate the development and delivery of projects. The latter tool, Azure DevOps, is a platform that offers options for build and release pipelines, in which you can manage the actions that take place for your projects within those pipelines to further automate the process. This enables teams to maintain a rapid development cycle while incorporating custom actions as needed to produce a high-quality build.

By embedding security into the SDLC, security teams can find an effective and convenient way to meet business, security, and developer needs all at once. Instead of impacting a development team’s processes, embrace them!

New offering: InsightAppSec Azure DevOps extension

That’s where the Rapid7 InsightAppSec Azure DevOps extension comes in. This is a brand-new extension now available on the Visual Studio Marketplace designed to integrate InsightAppSec with Azure DevOps. The extension provides the ability to scan web applications as an integral part of build and release pipelines. In other words, organizations may utilize this extension as part of their CI/CD to automate their security testing and further combat vulnerabilities in their web applications. Rather than existing as an entirely separate process in the SDLC, security becomes embedded within the project’s core build/release pipeline.

The extension works by utilizing the Rapid7 InsightAppSec RESTful API to orchestrate functionality. With the API, it can retrieve InsightAppSec applications, launch scans, and perform scan monitoring, all as part of an Azure DevOps pipeline.

The extension offers several configuration options to allow for customization as needed within a build/release pipeline. Here’s a look at some of the features:

  • Scan monitoring: You can designate a frequency for the extension to retrieve and log the current status of the InsightAppSec scan. This allows you to see when the scan launches, completes, and everything in between.
  • Scan timeout: You can designate a maximum amount of time that the scan may run for, after which it is cancelled and the build/release failed. For example, you may say that your scan can only run for 120 minutes at most, and after that point, it will be considered cancelled and failed.
  • Scan gating: You can provide a query that, upon scan completion, will be executed against the scan results and update the status of the build/release accordingly. Here’s an example of a query:

vulnerability.severity='HIGH'

This query is stating that if there are any vulnerabilities in the application with a severity of HIGH, the build/release will fail in Azure DevOps. This allows organizations to determine which types of vulnerabilities they will use for gating pipelines and address the most serious vulnerabilities first in their development.

In addition, upon successful completion of a scan, the extension will automatically generate a metrics report. This is a JSON report that contains information about the types of vulnerabilities found in the application and their severities. Here’s a sample report:

{
   "metrics": {
     "severity": {
       "LOW": 5,
       "HIGH": 7,
       "MEDIUM": 1
   },
     "module": {
       "SQL Information Leakage": 2,
       "Cookie attributes": 3,
       "SQL Injection": 7,
       "SQL Parameter Check": 1
    }
  }
}

To better envision the role the InsightAppSec Azure DevOps extension plays, let’s take a look at a scenario where it’s included within an organization’s SDLC:

InsightAppSec-Azure-DevOps-Blog-Post-graphic

  1. Code Changes: Developers make code changes within a project and push them to the project’s central repository.
  2. Build Code: The updated code is built within the project.
  3. Test Code: Any automated tests are executed to further confirm correct functionality within both existing and newly added features.
  4. Release: The application is released or deployed to its designated environment.
  5. InsightAppSec: Security scanning takes place for the application via the extension in Azure DevOps communicating with InsightAppSec.

This demonstrates how the Azure DevOps extension can be added seamlessly as part of an organization’s existing workflow to address the matter of security as a standard part of the development cycle.

Get started today

Leveraging the Rapid7 InsightAppSec extension as part of an Azure DevOps build/release pipeline can provide organizations with critical information regarding their web application’s security posture. Usage of the extension facilitates the automation of security testing in accordance with CI/CD—a method that continues to grow more common in the world of development. This enables teams to maintain a rapid cycle of development while also ensuring security is not overlooked in the process. The result is an SDLC that fluently incorporates security testing, leading to vulnerabilities being addressed more thoroughly and thus producing a more robust application.

The Rapid7 InsightAppSec AzureDevOps extension is currently available on the Visual Studio Marketplace for free and can be downloaded there for installation and usage within an Azure DevOps organization. The extension itself is also fully open source, and the project is available on GitHub for those who would like to make contributions or review the source code.

Not an InsightAppSec customer? Start a free 30-day trial today.

Get Started