Achieve DevSecOps in Microsoft Azure DevOps Using HCL AppScan Enterprise

All web application projects use client-server architecture, with code being pushed to an online repository for ease of collaboration. This method also comes in handy to enable continuous integration and delivery (CI/CD) of our app and our server. Azure DevOps is one such platform that offers a complete package from building to deploying an application and managing our CI/CD pipeline. Ever thought how secure is our newly deployed application and is there a way to integrate security test into the CI/CD pipeline? The answer is Yes. Let us explore how to achieve this using HCL AppScan extension.

Installation and Configuration

The extension can be downloaded  freely from the Azure DevOps marketplace.

Once the extension is installed, it needs to be configured with AppScan Enterprise (ASE) credentials with theKeyID and using the Service Connection in Azure DevOps.

Enter the ASE Server URL (format of the URL is like https://<hostname>:<port>/ase) , provide the key and secret. Follow this link to generate keyId and Secret in the ASE

Pipeline Configuration

Create a new pipeline and add a task of type HCL AppScan Enterprise as shown below.

Enter the relevant details for the added task in the pipeline. We can get folder ID, Template ID, Test Policy ID and Application ID using the ASE REST APIs. The “Starting URL” field is the URL of the application to be security scanned. A sample of the same is as shown below.

Using YAML script

yaml script can be used for the scan configuration as shown below.

Example is shown below.

steps:

-task:HCLTechnologies.ApplicationSecurity-VSTS.custom-ase-task.HCLAppScan Enterprise@2

displayName: ‘Run HCL AppScan Enterprise Security Test’

inputs:

ServiceEndPointAse: ‘ASE_227’

jobName: ‘MyFirst_Azure_Scan’

folderId: 4

templateId: 7

testPolicyId: 8

startingURL: ‘https://demo.testfire.net’

loginMethod: None

optimization: Fastest

suspend: false

If yaml script is being used for your deployment, you can add the above step. If not, you can add the task like one mentioned in previous figure.

The HCL AppScan extension is now ready to be incorporated with your project’s CI/CD pipeline.

Main Features

1. We can scan the newly deployed websites or any other locally hosted sites or public sites and then add a security task so that it is security scanned.
2. The task can scan specific flows of the websites (newly deployed ones or locally hosted ones or public sites) using Activity Recorder. This small utility enables you to record traffic and actions from your website and upload those recordings to the AppScan Dynamic analysis tool of your choice – HCL AppScan Enterpriseor HCL AppScan Standard or  HCL AppScan On Cloud.The recorded files can be stored in “Azure Repos Git”, “GitHub”, “GitHub Enterprise Server” or “Bitbucket Cloud” and path of the recorded files can be specified in the pipeline configuration so as to use the same.
3. We can add multiple tasks of type HCL AppScan Enterprise, thereby able to scan many sites in a single pipeline. The security summary of issues of each of them would be displayed along with the security test report. This report contains scan issues along with Remediation for the issues reported.
4. Supports enablement and configuration of settings and email alerts before triggering a build.
5. We can configure the build to fail based on the security results. As an example, we can fail the build if the number of high security vulnerabilities is more than 5.

Configuration can be made as shown below.

In case the above conditions are met, Azure build fails and we get the appropriate message in Azure console. Sample console message is as shown below.

6. You can reduce scan time by choosing a balance between speed and issue coverage. Optimized scans omit tests defined in the Test policy for less severe or less likely vulnerabilities based on ongoing statistical analyses. Read more about test optimization here.

7. The option to download scan reportin JSON and PDF formats. PDF report can be generated only if Application ID (the optional field) is selected during the pipeline task configuration from pipeline logs post successful scan execution.

8. The Build Summary infodisplays the issue count based on severity once the scan completes successfully.

Integration with other Defect Tracking Systems 

If Application ID (the optional field) is selected during the pipeline task configuration, the security issues can be viewed under the specified application in the AppScan Enterprise Interface.. AppScan Issue Management Gatewayservice to migrate Issues from the AppScan Enterprise to issue management applications like Jira, Azure and Rational Team Concert.