Last updated at Tue, 03 Aug 2021 13:28:37 GMT

DevSecOps is the concept and practice of integrating security into the DevOps cycle. The idea is to bring the different phases of security into the DevOps model and try to automate the entire process, so security is integrated directly into the initial application builds.

In this post, we’ll take a closer look at how to integrate security tools into the various phases of the DevSecOps cycle. We’ll focus here on Rapid7 tools like InsightVM, InsightAppSec, and InsightOps; the same principles apply to integrating other open-source security tools into the process.

In this simple, three-step setup, we’ll use Gitlab as the Version Control System and Jenkins as the build automation server. (Before getting started, you’ll need to have the integration between Gitlab and Jenkins completed.)

We’ll be using a simple declarative script in our pipeline, as follows:

pipeline {
    agent any
 
    stages {
        stage("build") {
            steps {
                echo "This is a build step"
            }
        }
        stage("test") {
            steps {
                echo "This is a test step"
            }
        }
        stage("release") {
            steps {
                    echo "This is an integration step"
                    sh "exit 1"

Step 1: Integrate InsightAppSec

First, we’ll include the InsightAppSec Scan in the pipeline. Ideally, this would be in the DAST stage.

To get started, we’ll install the InsightAppSec Plugin. We’ll need a few more details on hand, like the Scan Configuration ID and the InsightAPI key, which you can fetch from the InsightAppSec platform. We can then set up the scan on the InsightAppSec platform or use the InsightAppSec APIs to create a scan. Once we have the required details, we can kick-start the scan in our pipeline.

Here, we’ve used python script to add an app and create a scan configuration on the InsightAppSec platform.

Text

Description automatically generated

Now, with the App Name and Scan Configuration ID, we can set up the scan in the pipeline with the following code:

stage(“dast-InsightAppSec”) {
steps {
catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE')
{
insightAppSec region: 'US', insightCredentialsId: 'Insightappsec-api', scanConfigId: '9d31d36a-f590-4129-aba3-9212fe67fa8e', buildAdvanceIndicator: 'SCAN_COMPLETED', vulnerabilityQuery: 'vulnerability. severity=\'HIGH\'', maxScanPendingDuration: '0d 0h 10m', maxScanExecutionDuration: '0d 1h 0m', appId: 'HackMe', enableScanResults: true
}
}
}

We’ve replaced the “scanConfigId” and “appId” details ― we just need to replace the “insightCredentialsId” with the InsightAppSec API key. Setting the “enableScanResults” option to “true” will show results of the scan as a new option on the Jenkins Build page, with the label InsightAppSec Scan Results.

Step 2: Integrate the InsightVM Container Scanner

Next, we’ll integrate the InsightVM Container Scanner in the pipeline. In this step, we’ll build our Docker Image and scan it using InsightVM Container Scanner before pushing it into our registry to host apps in our staging or production environment.

To get started, we first have to install the InsightVM Container Scanner plugin on our Jenkins Server.

We’ll be building our Docker container using a Dockerfile, which we have to add to our Gitlab repository. After building the Docker container, we’ll scan it using the InsightVM Scanner.

We can set up the InsightVM Scanner in our pipeline with the following code:

stage("InsightVM Scan"){
            environment {
                dockerUrl = "https://registry.hub.docker.com"
                dockerCreds = "registry-auth" 
            }
            steps {
                script {
                    catchError(buildResult: 'SUCCESS', stageResult: 'UNSTABLE') {
                        dockerImage = docker.build('user/repo:$BUILD_NUMBER')
		echo "Built image ${dockerImage.id}"
		assessContainerImage failOnPluginError: true,
           	                	imageId: "${dockerImage.id}",
           		            		thresholdRules: [
                                    

The results of the pipeline should appear as a new option on the build page, with the label Rapid7 Assessment. Alternatively, the results are also available on the Builds tab of the Containers option within the InsightVM platform.

Step 3: Integrate InsightOps

In the final step, we’ll integrate InsightOps, Rapid7’s log management solution, into the pipeline. This integration will forward all the logs to the InsightOps platform.

To get started, we have to install the Logstash plugin on our Jenkins server. Then, to set up InsightOps, we’ll have to configure a collection source on our InsightOps platform.

Simply log into the InsightOps platform, then click on Add Data > Select Webhook — you'll find this option under System data. Then, name the log set as Jenkins-Console and copy the URL for the log entries.

Graphical user interface, application

Description automatically generated

On the Jenkins Server, head to the Configuration page and scroll down to the Logstash option. Click on “Enable sending logs to an Indexer,” and select the Indexer type as Elastic Search. Finally, paste the log-entries URL that was copied from InsightVM. Remember to append the InsightAPI key to the URL.

Graphical user interface, text, application

Description automatically generated

To send the logs, we can either select the Enable Globally option or add the Logstash option to the pipeline, as shown in the following code:

Pipeline {
    agent any
    stages {
        stage(build) {
            steps {
                timestamps {
                      logstash { 
                       {…}
                      }     
                }
            }
        }
    }
}
                                    

After editing the pipeline, we can run the build again and look at the logs data on our InsightVM dashboard.

Graphical user interface, application, table, Teams

Description automatically generated

Lastly, we’ve embedded some other open-source tools to complete our DevSecOps pipeline. The final pipeline looks something like this:

Timeline

Description automatically generated

This three-step process is an intuitive way to integrate Rapid7 products into a DevSecOps pipeline, but it’s just one way to approach the task. Because our products support APIs, you can set up the integration according to your environment, so you have the flexibility to build the DevSecOps pipeline you need.

NEVER MISS A BLOG

Get the latest stories, expertise, and news about security today.