Automate Your Secure Dev Pipeline with Cloudbees Jenkins and NowSecure
Posted by Brian Reed NowSecure Marketing
In the quest to speed development of secure mobile apps, many of our customers plug automated appsec testing directly into their CI/CD toolchain. NowSecure embraces the fundamental principles of secure DevOps — leverage automation, integration, and speed to reduce friction and drive continuous improvement.
Because mobile app development is fundamentally different than web app development, it requires tools purpose-built for mobile that can accurately test the behavior of a mobile app under attack. As such, we’ve uniquely pioneered an automated mobile appsec testing engine that can fully exercise an app during the build process, in just minutes, and auto-generate results downstream.
Let’s examine how NowSecure AUTO integrates directly into the CloudBees Jenkins and ticketing systems, such as Jira, to deliver fast, closed-loop dev cycles for building and deploying secure mobile apps.
Secure Mobile Dev Pipeline with Jenkins, NowSecure and Jira
There are multiple ways to integrate security into the dev lifecycle, including SCA, IDE code advisor plug-ins, source code scanning tools, and build testing tools. Each carries tradeoffs in functionality, coverage, and friction. NowSecure AUTO uses a two-part approach to leverage existing workflows and maximize speed for security built in:
- Test the compiled mobile app binary for data at rest, data in motion, and code functionality to ensure complete app coverage with highly accurate results– rather than fragmented scanning of source code and OSS
- Integrate mobile app security testing within the CI/CD where tests are initiated by Jenkins, immediately post-build, with issues auto-fed into ticketing systems like Jira — requiring no manual intervention from security or development.
As shown in the graphic above, NowSecure AUTO plugs into Jenkins post-build and runs security tests in parallel or serially with unit testing, functional testing, and UX testing solutions. A complete test run for NowSecure takes less than 15 minutes. NowSecure AUTO can automatically test every Jenkins build and feed tickets into the cycle for developers to resolve. Unlike other security testing approaches, this plug-into-Jenkins-to-test-the-build approach carries zero impact on the dev workflow because there are no new IDE plug-ins to learn, no static source code testing false positives to chase down, and no release delays caused by security bugs found late in the testing cycle.
As shown in the two screenshots below, once the build completes, Jenkins automatically launches the NowSecure AUTO mobile app security test run and automatically generates tickets in Jira. No human intervention is required.
Full Security Testing Coverage
Under the hood, NowSecure AUTO uses an automated triple pass approach of static + dynamic + behavioral testing to ensure full security testing coverage with a high degree of accuracy for near zero false positives. NowSecure automatically pinpoints the security issues developers and security analysts want to prevent, such as:
- Sensitive data leakage over the air, in log files or system files
- Improper/inconsistent input validation
- Weak/improper encryption
- Vulnerabilities to man-in-the-middle attacks or remote code execution
- And more…
NowSecure cuts through the noise and automatically delivers accurate, validated test results with straightforward issue descriptions, detailed remediation instructions and all relevant artifacts to speed resolution (for devs) and industry-standard CVSS scores, risk and compliance info (for security analysts). While most devs will never look at the security reports because they will simply consume automatically-fed Jira tickets, the screenshot below shows the easy-to-use report interface that provides dev and security teams with deeper understanding.
NowSecure AUTO provides a rich dashboard for a comprehensive view of all metrics, trendlines and critical areas to focus. As shown in the orange/red heatmap in the screenshot below, the highest impact security issues to focus on include allow data backups issues, unencrypted data over HTTP and keysize issues, plus one app runs as root and a slew of sensitive data issues.
Flexible Deployment and Configuration
NowSecure AUTO is available in cloud or on-premises and has numerous configurable options, including role-based access control (RBAC), test result filtering, CVSS score customization and more that enable organizations to tune to fit their needs. If a team only cares about critical/high risk issues to start, then push the others into the backlog. If the team is focused on protecting privacy of sensitive data or compliance with a certain regulation, then focus on those findings and issues. Organizations can use a risk-based approach to choose what fits best for each mobile app dev team, project and app scenario.
From an implementation perspective, some organizations will choose to plug NowSecure AUTO directly into Jenkins and Jira on Day 1 and just let it run. Typically the first few test runs are used to triage existing mobile apps, quickly identify issues, partner with dev to resolve them, and then move into regular process.
Other organizations may choose a phased approach as shown here mid page. Security and dev starts using NowSecure on-demand as needed to “burn in” the automated security testing process and review results/submit tickets, then integrates into Jenkins to test every build and review results/submit tickets, and finally integrates into Jira to automatically generate tickets, removing all human steps from the loop.
Powering Secure DevOps with Jenkins and NowSecure
If you are driving your CI/CD pipeline for speed, accuracy and continuous improvement, then the Jenkins + NowSecure + Jira trifecta offers the best path for delivering secure mobile apps. NowSecure delivers a high accuracy, high speed, low friction path that integrates directly with your dev toolchain so that you can focus on delivering the secure, innovative mobile app experience that your users demand.
NowSecure is pleased to be a Platinum sponsor and speaker at Cloudbees JenkinsWorld/DevOpsWorld September 16-19 in San Francisco. Click here to request a meeting at JenkinsWorld or an online demo any time.
