
    Automatic security testing pipeline with Jira, Jenkins and Zed Attack Proxy

    Written by:
    Visa Parviainen

    In this video tutorial, we combine Jenkins and Zed Attack Proxy with Atlassian Jira. This way we can use Jira as the tracker for security defects, without having to enter the scan findings by hand.

    Here is the tutorial in written form as well:

    The tutorial uses Vagrant and VirtualBox and assumes the host machine is running Linux. It should also work on OS X.

    # Installing the prerequisites

    sudo apt-get install virtualbox vagrant virtualbox-dkms git vim ansible

    # Clone git repository with virtual machine definitions here
    git clone https://github.com/Eficode/jira-jenki...

    # Starting the virtual environments (both Jira and Jenkins)
    vagrant up

    # To stop both systems (append jira or jenkins to target only one)

    vagrant halt

    # Force-running provisioning again, in case of failure
    vagrant up --provision jenkins

    # Default IP addresses, changeable in Vagrantfile
    Jira: http://localhost:8081
    Jira IP: http://192.168.5.100:8080
    Jenkins: http://localhost:9090

    # Open an SSH connection to the Jenkins machine (to get the initial admin password)
    vagrant ssh jenkins
    sudo cat /var/lib/jenkins/secrets/initialAdminPassword

    # ZAP installation package path for custom tools plugin
    https://github.com/zaproxy/zaproxy/re...

    # Zap directory name for custom tools plugin
    ZAP_2.4.3

    # Demo application git repository (for Jenkins version control step)
    https://github.com/Eficode/security_t...

    # First build step
    ./start.sh

    # Add the ZAProxy plugin's scan step here, before the following build steps.
    # Then add the following two steps (they stop the demo application)

    kill "$(cat server.pid)"

    rm server.pid
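As an added example (not part of the Eficode tutorial or its repositories), here are the three build steps above folded into one wrapper that always stops the demo application, even when the scan step fails or the build is aborted; otherwise a failed ZAP run leaves the app and a stale server.pid behind for the next build. It assumes the app writes its PID to server.pid in the workspace and that the scan is given as a shell command string (the tutorial uses the ZAProxy Jenkins plugin step instead).

```shell
# Added example, not from the Eficode tutorial. Assumptions: the demo app
# writes its PID to server.pid in the workspace; the scan is any shell
# command string (placeholder for the ZAProxy plugin step in the tutorial).

PID_FILE="${PID_FILE:-server.pid}"

# Stop the process named in the PID file and remove the file. Safe to call
# twice: a missing file or an already-dead process is not an error.
stop_app() {
    if [ -f "$PID_FILE" ]; then
        pid=$(cat "$PID_FILE")
        # Signal only a live process: a stale PID file must never make us
        # kill an unrelated process that has reused the number.
        if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
            kill "$pid"
        fi
        rm -f "$PID_FILE"
    fi
}

# run_scan START_CMD SCAN_CMD: start the app in this shell (so it is our
# child), run the scan in a subshell (so an 'exit' in it cannot take us
# down), then stop the app whatever happened. Returns the scan's exit
# status, so Jenkins still marks the build failed when the scan fails.
run_scan() {
    start_cmd=$1
    scan_cmd=$2
    eval "$start_cmd" || return 1
    # Clean up on normal exit and on INT/TERM (Jenkins aborting the build).
    trap stop_app EXIT INT TERM
    ( eval "$scan_cmd" )
    status=$?
    stop_app
    trap - EXIT INT TERM
    return "$status"
}

# Usage in a Jenkins "Execute shell" step (scan command is a placeholder):
# run_scan './start.sh' '<your ZAP scan command here>'
```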

    # To add Jira credential file to Zap workspace
    vagrant ssh jenkins

    # Change to Jenkins user to add Jenkins plugins and credential files
    sudo su - jenkins

    # Add the Jira Issue Creator plugin to Zap

    cd ~/tools/com.cloudbees.jenkins.plugins.customtools.CustomTool/Zap/ZAP_2.4.3/plugins

    https://github.com/0xkasun/security-t...

    # Put cred.properties in the Zap workspace (~/.ZAP)
    wget -P ~/.ZAP https://raw.githubusercontent.com/Eficode/jira-jenkins/master/cred.properties
