UrbanCode, together with AppScan on Cloud (ASoC), gives us the ability to automate control of our application security within our overall DevOps lifecycle, including automation, reporting, release and value stream management.
UrbanCode provides development supported integrations for both UrbanCode Deploy (UCD) and UrbanCode Velocity (UCV). This article will take you through an example of how to set up a pipeline, with UCD running the deployment and kicking off the ASoC security scans, and UCV processing the results.
UrbanCode Deploy Configuration
UCD has a free installable plugin, which can be downloaded and installed from the UrbanCode website: http://www.urbancode.com/plugin/application-security-on-cloud-asoc/
This plug-in includes steps to do each of the following on the AppScan server:
- Create ASoC Presence
- Delete ASoC Presence
- Start ASoC Presence
- Start Android Mobile Analyzer ASoC Scan
- Start Dynamic Analyzer ASoC Scan
- Start Static Analyzer ASoC Scan
- Start iOS Analyzer ASoC Scan
- Stop ASoC Presence
In this scenario, I will set up a workflow to simultaneously kick off static and dynamic scans with ASoC. The following instructions and screenshots will explain how to configure the UCD processes and consume the ASoC results with UCV.
Each UCD plugin step must be configured with the ASoC Application ID, Key ID, and Key Secret.
The static analyzer step also requires an IRX file, which points to either the IRX file to be uploaded for scanning, or the directory that contains the files or other locations to scan. The field accepts scan configuration files, eclipse workspaces, as well as .jar, .war, and .ear file types. In addition to the Application ID, Key ID, and Key Secret, the dynamic analyzer step requires the URL for the location to scan. If the page requires a login, the application login credentials must also be provided.
Notice that each step contains a field for ‘Fail condition threshold’, with the letters H, M, L, I. These indicate how many High, Medium, Low, and Information level security threats the step will accept before failing. For example, in the following case, if the scan results in more than 5 medium level warnings, the step will fail.
Also take note of the gray circles within the UCD process editor after each of the ASoC steps. This is important for allowing the process to move on, even if the steps fail, in order to handle the failure case. If necessary, conditional logic can also be added to fail the overall process using the UCD process editor.
Once our steps are configured, it is time to run the deployment of our application and our security scans. The UCD application process for doing so will look something similar this; first deploying the application to the target, and then running the scans.
I have circled the steps showing the two scans that are running simultaneously. If we jump over to the ASoC server, we can see these scans are running there as well.
UrbanCode Velocity Configuration
Note that there are two prerequisites that must be completed before we can pass these results to UCV.
- We must the two metric definitions for my static and dynamic scans. If this is not done, all ASoC results by default will be passed as a generic ‘ASoC Tests’ metric. For information on how to set custom metric definitions, see ‘Implementing custom metrics’ page at https://www.ibm.com/support/knowledgecenter/en/SSCKX6_1.3.x/com.ibm.uvelocity.tutorial.doc/topics/custMetrics_abstract.html
- We must create an integration to your ASoC server and capture the ID. This can be done on the Settings > Integrations page. The default ASoC Base URL is https://cloud.appscan.com.
In this example, I have defined two custom metrics, ‘asoc-static’ and ‘asoc-dynamic’. Using these metric definitions, the integration ID, and the scan ID (result property from the preceding ASoC steps) we can execute API calls to our UrbanCode Velocity server. These curls are called from the UCD process workflow shown in the section above. The content of the shell command is as follows:
Publish Static Results to UrbanCode Velocity:
curl -H “Content-Type: application/json” -X POST ${p:ucv-server-url}/reporting-consumer/pluginEndpoint/{ASOC_INTEGRATION_ID}/asocScan -d ‘{“scanId”:”${p:Start Static Analyzer ASoC Scan/ScanId}”,”metricDefinitionId”:”asoc-static”}’
Publish Dynamic Results to UrbanCode Velocity:
curl -H “Content-Type: application/json” -X POST ${p:ucv-server-url}/reporting-consumer/pluginEndpoint/{ASOC_INTEGRATION_ID}/asocScan -d ‘{“scanId”:”${p:Start Dynamic Analyzer ASoC Scan/ScanId}”,”metricDefinitionId”:”asoc-dynamic”}’
Once the results are passed to Velocity using the proper API command, the results will be immediately be displayed on the Insights view. The create an Insights view, first create a new dashboard. In this case I have called it “ASoC Applications”. Next, click on “Add charts”, and select your custom metric definitions created earlier. Now we can see the historical data for all of my static and my dynamic scans.
If we drill into one of these graphs by clicking the magnifying glass, we can see the results as a table.
Retaining this data in UCV gives us all of the benefits of the tool in relation to our application security, including quick insights, release management, reporting, and continuous automation capabilities.
#UrbanCodeVelocity#UrbanCodeBuild