
Automatic security testing pipeline with Jira, Jenkins and Zed Attack Proxy

Written by:
Visa Parviainen

In this video tutorial, we connect Jenkins and Zed Attack Proxy to Atlassian Jira. This way we can use Jira as a security defect tracker without having to enter the security findings manually.

Here is the tutorial in written form as well:

The tutorial uses Vagrant and VirtualBox and assumes the host machine is running Linux. You should be able to do this on OS X too.

# Installing the prerequisites

sudo apt-get install virtualbox vagrant virtualbox-dkms git vim ansible

# Clone the git repository with the virtual machine definitions
git clone https://github.com/Eficode/jira-jenki...

# Starting the virtual environments (both Jira and Jenkins)
vagrant up

# To stop both of the systems (add the name jira or jenkins to target only one)
vagrant halt

# Force-running provisioning again, in case of failure
vagrant up --provision jenkins

# Default IP addresses, changeable in Vagrantfile
Jira: http://localhost:8081
Jira IP: http://192.168.5.100:8080
Jenkins: http://localhost:9090

# Open connection to Jenkins machine (to get the password)
vagrant ssh jenkins
sudo cat /var/lib/jenkins/secrets/initialAdminPassword

# ZAP installation package path for custom tools plugin
https://github.com/zaproxy/zaproxy/re...

# Zap directory name for custom tools plugin
ZAP_2.4.3

# Demo application git repository (for Jenkins version control step)
https://github.com/Eficode/security_t...

# First build step
./start.sh

# Before the following build step, add the ZAProxy plugin build step here.
# Then run the two following shell steps, which stop the demo application
# using the PID written by start.sh
kill "$(cat server.pid)"
rm server.pid

# To add Jira credential file to Zap workspace
vagrant ssh jenkins

# Change to Jenkins user to add Jenkins plugins and credential files
sudo su - jenkins

# Add the Jira Issue Creator plugin to ZAP: download it from the repository below into the plugins directory

cd ~/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/Zap/ZAP_2.4.3/plugins

https://github.com/0xkasun/security-t...

# Put cred.properties in the ZAP workspace (in ~/.ZAP)
wget https://raw.githubusercontent.com/Eficode/jira-jenkins/master/cred.properties
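The build steps above (./start.sh, the ZAP scan, then kill `cat server.pid` and rm server.pid) run as separate Jenkins steps, so if the scan step fails the demo application is left running and the next build starts against a stale server.pid. The script below is an added example, not code from the tutorial or the Eficode repository: it wraps the same three steps in one "Execute shell" build step so the application is always stopped, refuses to scan when start.sh never came up, and checks that the cred.properties file placed in ~/.ZAP is readable only by the jenkins user. It assumes that start.sh writes the application's PID to server.pid in the workspace, and it invokes ZAP as a plain command passed in by the caller rather than through the ZAProxy Jenkins plugin step used in the video; the zap.sh invocation in the usage comment is an assumed placeholder.

```shell
#!/bin/sh
# Added example, not part of the original tutorial or the Eficode repository.
# Jenkins "Execute shell" wrapper around: ./start.sh, ZAP scan, kill `cat server.pid`.
# Assumptions: start.sh writes the app PID to server.pid in the workspace; the
# ZAP command is supplied by the caller (see the usage comment at the bottom).

PID_FILE="${PID_FILE:-server.pid}"
CRED_FILE="${CRED_FILE:-$HOME/.ZAP/cred.properties}"

# pid_is_running PID: true when PID is numeric and names a live process.
pid_is_running() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    kill -0 "$1" 2>/dev/null
}

# stop_app: replacement for `kill \`cat server.pid\`; rm server.pid` that
# tolerates a missing, stale or corrupt PID file instead of aborting the build.
# Returns 0 when a running process was signalled, 1 otherwise.
stop_app() {
    if [ ! -f "$PID_FILE" ]; then
        echo "stop_app: $PID_FILE not found, nothing to stop" >&2
        return 1
    fi
    pid=$(cat "$PID_FILE")
    rm -f "$PID_FILE"          # always clear the file so the next build starts clean
    if pid_is_running "$pid"; then
        kill "$pid"
        return 0
    fi
    echo "stop_app: stale $PID_FILE (pid '$pid' not running)" >&2
    return 1
}

# wait_for_app SECONDS: give start.sh time to write server.pid and come up;
# fails instead of letting ZAP scan an application that never started.
wait_for_app() {
    i=0
    while [ "$i" -lt "$1" ]; do
        if [ -f "$PID_FILE" ] && pid_is_running "$(cat "$PID_FILE")"; then
            return 0
        fi
        sleep 1
        i=$((i + 1))
    done
    echo "wait_for_app: application not running after $1 s" >&2
    return 1
}

# check_cred_file: the Jira credential file for the ZAP plugin must be private
# to the jenkins user; refuse to scan if group or others can read it.
check_cred_file() {
    [ -f "$CRED_FILE" ] || { echo "check_cred_file: $CRED_FILE missing" >&2; return 1; }
    mode=$(ls -ld "$CRED_FILE" | cut -c5-10)   # group+other permission bits, e.g. "------"
    if [ "$mode" != "------" ]; then
        echo "check_cred_file: $CRED_FILE is accessible to group/others ($mode)" >&2
        return 1
    fi
    return 0
}

# run_scan CMD...: run the ZAP command, stop the application regardless of the
# scan's outcome, and return the scan's exit status so Jenkins marks the build.
run_scan() {
    status=0
    "$@" || status=$?
    stop_app || true
    return "$status"
}

# Usage as one Jenkins build step (the zap.sh command line is an assumed example;
# replace PORT_OF_DEMO_APP with the port start.sh listens on):
#   ./start.sh
#   wait_for_app 30 || exit 1
#   check_cred_file || exit 1
#   run_scan ~/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/Zap/ZAP_2.4.3/zap.sh \
#       -cmd -quickurl http://localhost:PORT_OF_DEMO_APP -quickout "$WORKSPACE/zap-report.xml"
```

Because the scan's exit status is captured before stop_app runs, a failing scan still fails the build, but never leaves the demo application or its server.pid behind for the next run.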
