Security is an essential aspect of today's development life cycle. Too often, application security has been an afterthought; adopting DevSecOps changes that by automating security tasks so that code is delivered both quickly and safely. Security checks built into the development process let development teams keep the advantages of agile practices without neglecting this essential piece of the software puzzle.

Acunetix is a leader in automated web security testing technology, allowing users to scan any web application for vulnerabilities such as SQL injection, cross-site scripting, and more. With Acunetix scans you can prevent potential attacks, manage web and network security, and detect other issues in your websites and web APIs.

The FlexDeploy plugin (introduced in our 5.3 release) lets you take advantage of Acunetix in your development life cycle by integrating it into FlexDeploy workflows through any of three plugin operations: scheduling a scan, retrieving a scan's results, and running a test scan.

Schedule Scan

This operation schedules an Acunetix scan to run immediately or at a specified date and time. It requires the Id of the target to be scanned and the scanning profile Id as inputs. Optionally, you can specify the report template to be generated from the scan and the scheduled start time. The operation returns the generated scan's Id as output.

Retrieve Scan

This operation gets the results of a specific scan; the user must provide the scan Id. It returns information about the scan such as its status, its progress, and the count of vulnerabilities broken down by severity. The operation also returns the threat level of the scan, which represents the highest threat level found in the scan.

Run Test Scan

This operation starts an Acunetix scan, waits for the scan to complete, and returns the scan information. Its inputs are the scanning profile Id, the target Id, and a threat level. The threat level input sets the threshold at which the scan fails: if the completed scan's threat level is greater than or equal to the input threat level, the test scan result is failed. The operation returns the same information as the Retrieve Scan operation, plus the test scan result.

Acunetix Workflow in FlexDeploy

Here is a workflow that takes advantage of Acunetix by using the Run Test Scan plugin operation. The operation is followed by an if statement that checks the scan result returned in the operation's output and raises a fault when the result is failed.


We can now execute this utility workflow in our pipeline before deploying to an environment. It runs a scan of the specified target in Acunetix and fails the pipeline step if the scan's threat level reaches the configured threshold, in this example a high-severity vulnerability.
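The gate logic described for the Run Test Scan operation and the workflow's fault-raising check can be made concrete in a few lines. The following is an added example written for this article, not FlexDeploy or Acunetix code: it polls a scan until it reaches a terminal state, derives the threat level as the highest severity with at least one finding, and fails the step when that level is at or above the threshold. It also handles the two cases a pipeline gate must not get wrong: a scan that aborts or errors, and a scan that never finishes within the polling budget, both of which fail rather than pass by default. The scan-record shape, status names, and severity ranking are assumptions for illustration, and the sample records are constructed, not captured from a real scanner.

```python
"""Scan gate for a CI/CD step: poll a scan to completion, compute its threat
level, and fail the step at or above a configured severity.

Added example; not FlexDeploy or Acunetix code. The record shape, status
names and severity ranking below are assumptions for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, Iterator, List

# Assumed ranking: higher number = more severe. Informational findings alone
# never fail a gate (their rank is 0).
SEVERITY_RANK: Dict[str, int] = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_NAME = {v: k for k, v in SEVERITY_RANK.items()}

# Assumed terminal states of a scan; anything else means "still running".
TERMINAL = {"completed", "failed", "aborted"}


@dataclass
class GateResult:
    passed: bool
    status: str           # final scan status, or "timeout" if polling gave up
    threat_level: int     # highest severity rank with a non-zero count (0 if none)
    reason: str


def threat_level(severity_counts: Dict[str, int]) -> int:
    """Highest severity rank with at least one finding; 0 when nothing was found."""
    return max((SEVERITY_RANK[s] for s, n in severity_counts.items() if n > 0), default=0)


def run_test_scan(fetch_scan: Callable[[str], dict], scan_id: str,
                  fail_at: str, max_polls: int) -> GateResult:
    """Poll fetch_scan(scan_id) until the scan is terminal, then apply the gate.

    fail_at names the threshold severity: a scan whose threat level is >= that
    rank fails. A scan that ends in any state other than 'completed', or that is
    still running after max_polls, also fails: an incomplete scan proves nothing
    about the target and must not pass the gate by default.
    """
    threshold = SEVERITY_RANK[fail_at]
    record = None
    for _ in range(max_polls):
        record = fetch_scan(scan_id)
        if record["status"] in TERMINAL:
            break
    else:  # loop exhausted without reaching a terminal state
        level = threat_level(record["severity_counts"]) if record else 0
        return GateResult(False, "timeout", level,
                          f"scan {scan_id} still running after {max_polls} polls")

    level = threat_level(record["severity_counts"])
    if record["status"] != "completed":
        return GateResult(False, record["status"], level,
                          f"scan {scan_id} ended with status {record['status']}")
    if level >= threshold:
        return GateResult(False, "completed", level,
                          f"threat level {RANK_NAME[level]} >= fail threshold {fail_at}")
    return GateResult(True, "completed", level,
                      f"threat level {RANK_NAME[level]} below fail threshold {fail_at}")


def make_fake_fetch(records: List[dict]) -> Callable[[str], dict]:
    """Stand-in for the Retrieve Scan call: replays constructed records in order
    and keeps returning the last one, as a real API would after a scan ends."""
    it: Iterator[dict] = iter(records)
    last: dict = {}

    def fetch(scan_id: str) -> dict:
        nonlocal last
        last = next(it, last)
        return last
    return fetch


# Constructed sample data (not captured from a real scanner).
EMPTY = {"high": 0, "medium": 0, "low": 0, "info": 0}
FINDS_HIGH = [
    {"status": "processing", "progress": 10, "severity_counts": dict(EMPTY)},
    {"status": "processing", "progress": 60, "severity_counts": {"high": 0, "medium": 1, "low": 2, "info": 5}},
    {"status": "completed", "progress": 100, "severity_counts": {"high": 1, "medium": 1, "low": 2, "info": 5}},
]
ONLY_MEDIUM = [
    {"status": "completed", "progress": 100, "severity_counts": {"high": 0, "medium": 2, "low": 3, "info": 9}},
]
ABORTED = [
    {"status": "processing", "progress": 30, "severity_counts": dict(EMPTY)},
    {"status": "aborted", "progress": 30, "severity_counts": dict(EMPTY)},
]

if __name__ == "__main__":
    for name, records in [("finds_high", FINDS_HIGH), ("only_medium", ONLY_MEDIUM), ("aborted", ABORTED)]:
        res = run_test_scan(make_fake_fetch(records), "scan-1", fail_at="high", max_polls=10)
        print(f"{name:12s} passed={res.passed} status={res.status} reason={res.reason}")
```

In a real pipeline `fetch_scan` would wrap the Retrieve Scan call and the loop would sleep between polls; the decision logic stays the same. Note that the threshold is a severity name rather than a count, so lowering it to `medium` in the `ONLY_MEDIUM` case flips the gate from pass to fail.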

This is a simple way to integrate Acunetix with your automated Continuous Integration and Continuous Delivery cycle in FlexDeploy. With it, you can identify vulnerabilities earlier, before they reach your production environment.

Keith Ecker

I am a software developer at Flexagon working extensively in creating REST APIs for many of FlexDeploy's features. I have also spent time creating plugins to integrate third-party software with FlexDeploy, such as Ansible and Apigee.
