Security Analysis with Bamboo Plugin


RIPS Bamboo Integration

Bamboo is a widely used software that enables continuous integration, deployment, and delivery of software applications. It is developed by the Australian company Atlassian that is also well known for their products JIRA and BitBucket. This blog post introduces our Bamboo integration and how it can be used to continuously analyze your PHP application with RIPS. By automatically detecting and warning about security issues, your production server can be protected from new vulnerabilities.

Build Management with Bamboo

In the process of continuous integration, a code repository is automatically built and tested by a CI service when code is pushed or committed to the repository. This enables automated testing, tracking, and reporting of build errors and boosts the productivity of development teams that can focus on coding.

Atlassian’s CI tool Bamboo is highly customizable and can be tailored to your organization’s exact needs. The Bamboo marketplace offers over 200 plugins that add new notification channels like Slack, implement extensive Docker functionalities, or offer cloud deployments.

A typical (although simplified) Bamboo build project consists of the following tasks:

  • Source code checkout: Get the source code for the application that should be built, tested, or deployed. Bamboo supports various source code management systems like Git, Subversion, Mercurial, and many more.
  • Install dependencies
  • Run tests
  • Build application

If one of these tasks fails, the whole build fails. This can be a compilation error, a missing dependency, or a failed test case. The result of the build can be used to determine if a new feature of the application should be merged or if it needs more work. A successful build can be chained with deploy projects that automatically deploy the new application build to a testing or even production environment. Automated security analysis is an essential part of such a process in order to be able to fix security issues at the lowest cost point and to ensure a solid baseline of your application’s security.

RIPS as a Security Gate

As a solution, RIPS’ security analysis can be integrated into Bamboo that then acts as a security gate for your production environment and code management system. Our plugin adds a new task that can be placed anywhere in your build, test, or deploy pipeline (see Figure 1). It scans the application’s source code in your RIPS installation or RIPS SaaS account for security vulnerabilities within minutes and fails the build when new security vulnerabilities are detected.

Figure 1: A RIPS scan task in the build, test, or deploy pipeline.

The task can be set up to fail when a threshold for new, critical, high, medium, or low severity-level issues is crossed (see Figure 2). These threshold crossings are then added as failed tests to the build result of Bamboo. In addition, you can decide to store only the threshold crossings as test failures, or all detected issues of the failed category or severity level.

Figure 2: Threshold settings of the RIPS scan task.
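The threshold gate described above, written out as an added example (not the plugin’s own code): scan results are counted per category, each category is compared against its configured maximum, and the crossings are turned into failed test records either one per crossed threshold or one per issue in the failed category. The issue list, the threshold values and the record format are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Issue:
    id: int
    severity: str  # "critical" | "high" | "medium" | "low"
    new: bool      # first seen in this scan, not present in the previous one
    title: str


# Maximum number of issues allowed per category before the build fails.
# "new" counts issues of any severity that were not present in the last scan.
DEFAULT_THRESHOLDS = {"new": 0, "critical": 0, "high": 5, "medium": 20, "low": 100}


def count_by_category(issues):
    counts = {"new": 0, "critical": 0, "high": 0, "medium": 0, "low": 0}
    for issue in issues:
        counts[issue.severity] += 1
        if issue.new:
            counts["new"] += 1
    return counts


def crossed_categories(issues, thresholds):
    """Categories whose issue count exceeds the configured maximum."""
    counts = count_by_category(issues)
    return [cat for cat in thresholds if counts[cat] > thresholds[cat]]


def failed_tests(issues, thresholds, report_all_in_category=False):
    """Failed test records as a CI task would register them. By default one
    record per crossed threshold; with report_all_in_category, one record per
    issue that belongs to a crossed category."""
    counts = count_by_category(issues)
    failures = []
    for cat in crossed_categories(issues, thresholds):
        if not report_all_in_category:
            failures.append(f"threshold[{cat}]: {counts[cat]} > {thresholds[cat]}")
            continue
        for issue in issues:
            if issue.severity == cat or (cat == "new" and issue.new):
                failures.append(f"issue#{issue.id} [{cat}] {issue.title}")
    return failures


def build_passes(issues, thresholds):
    return not crossed_categories(issues, thresholds)


# Constructed sample findings, not output of a real scan.
SAMPLE_ISSUES = [
    Issue(1, "critical", True, "SQL injection in login handler"),
    Issue(2, "high", False, "Reflected XSS in search page"),
    Issue(3, "low", False, "Information disclosure via debug output"),
]
```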

The results of an example project (DVWA) are depicted in the following figures. Figures 3 and 4 show a summary of the failed tests that were created with RIPS. Failing the build process clearly blocks the critical security issues from reaching the production server.

Figure 3: Simple Bamboo test result summary.

Figure 4: List of failed tests from the RIPS analysis.

In order to mitigate the detected security issues, the results can be expanded to get more details on the specific issue at hand. Further, our plugin adds a new tab to the build results that shows an overview of the scan (see Figure 5). If more information is required for a certain vulnerability it can be easily opened in our user interface.

BitBucket & JIRA

Due to the tight integration of the various Atlassian products there are a lot of possible use cases for further integrations. As an example, BitBucket displays the result (failure or success) of Bamboo builds on branches and pull requests (see Figure 6).

In addition, it is possible to create JIRA tickets directly from the Bamboo test results (see Figure 7 and 8). This drastically simplifies the process of reviewing and assigning vulnerabilities to certain developers or security experts. Your threshold configuration ensures that only relevant issues are reported to developers for review so that your team is only distracted from coding when it really matters.

Figure 8: Failed Bamboo test case linked in a JIRA ticket.

Summary

Manual security analysis is a difficult and time-consuming process that only captures a small snapshot of an application’s security. With more and more developers working on ever-changing source code it is impossible to keep track of its security by hand. Thus it is critical to automate the security analysis and integrate it directly into the development process in order to train your developers from the start and to deliver secure products for you and your customers. The RIPS Bamboo plugin helps with this process significantly and offers a simple way to combine Bamboo with our in-depth security analysis.

You are not using Bamboo? Check out our integration plugins for Jenkins or SonarQube.

Tags: martin bednorz, ci, continuous integration, sdlc, bamboo, bitbucket, jira,

Author: Martin Bednorz

CTO, Co-Founder

Martin has 7 years of working experience as a lead web application developer. He graduated in IT security at the Ruhr-University Bochum and is conducting research on state-of-the-art code analysis and web technologies. His security background is supplemented by practical development and project management expertise.
