Automation Domination: ThreadFix and Jenkins Integration



Brandon Spruth is a long-time ThreadFix contributor and he recently completed a Jenkins plugin for ThreadFix that he’ll be unveiling at the OWASP Chicago Suburbs meeting on June 25th 2014 at 6pm.

This is really exciting because:

  • I love seeing the application security process automated as much as possible. Software security folks are outnumbered – by developers, by applications, by you-name-it – and to be effective, we software security folks have to take as much of the straightforward work off our plates as possible so we can focus on the really hard problems.
  • I love seeing security better integrated into the development process, and a huge part of achieving this is building security directly into the tools that developers are already using. In fact, that’s exactly why ThreadFix was built with defect tracker integrations and IDE plugins: they put security tasks directly into the developer’s regular workflow. The ThreadFix Jenkins plugin makes it easier than ever to get security into the continuous integration process.

Here’s a sneak preview of how it works:

[Screenshot: Global Configuration]

The Global Configuration lets you set the location of the ThreadFix command-line client JAR, the ThreadFix server URL, and the ThreadFix API keys.

[Screenshot: Project Configuration]

The Project Configuration then lets you link your Jenkins project with a ThreadFix application and indicate the artifacts you’d like to upload. As a result, any security testing analysis you do during your Jenkins build (e.g. static analysis, dynamic analysis, vulnerable component checking) can automatically be shipped off to your ThreadFix server. To quote Ina Garten, television’s Barefoot Contessa, “how easy is that?”
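To make the two configuration screens concrete, here is an added example (not the plugin’s code, and not from the original post) of a build step that does the same job by hand: it takes the CLI JAR path, server URL and API key from the global settings, the target application and artifact list from the project settings, keeps the API key in an environment variable rather than in the job definition, and fails the build when an artifact is missing or an upload fails. The CLI flag names (`-s url`, `-s key`, `-u <appId> <file>`) are assumed from the ThreadFix command-line client; confirm them against `java -jar tfcli.jar --help` for your version.

```shell
#!/bin/sh
# Usage: threadfix_upload <server_url> <app_id> <artifact>...
# Reads $THREADFIX_API_KEY (never printed) and $THREADFIX_CLI_JAR (default tfcli.jar).
# Set THREADFIX_DRY_RUN=1 to print the commands instead of running java.
# Flag names are assumed from the ThreadFix CLI; verify them for your version.
threadfix_upload() {
    [ $# -ge 3 ] || { echo "usage: threadfix_upload <url> <app_id> <artifact>..." >&2; return 2; }
    url="$1"; app_id="$2"; shift 2
    jar="${THREADFIX_CLI_JAR:-tfcli.jar}"
    key="${THREADFIX_API_KEY:-}"
    dry="${THREADFIX_DRY_RUN:-0}"

    [ -n "$key" ] || { echo "THREADFIX_API_KEY is not set" >&2; return 2; }
    if [ "$dry" != 1 ] && [ ! -f "$jar" ]; then
        echo "CLI JAR not found: $jar" >&2; return 2
    fi

    # Run (or, in dry-run mode, print) one CLI invocation.
    run() {
        if [ "$dry" = 1 ]; then echo "java -jar $jar $*"; else java -jar "$jar" "$@" >/dev/null; fi
    }

    # Point the CLI at the server (global configuration equivalent).
    run -s url "$url" || return 1
    # Hand over the key without ever echoing it into the build log.
    if [ "$dry" = 1 ]; then
        echo "java -jar $jar -s key <redacted>"
    else
        java -jar "$jar" -s key "$key" >/dev/null || return 1
    fi

    # Upload every scan artifact (project configuration equivalent); a missing
    # file or failed upload fails the step so the build cannot pass silently.
    for f in "$@"; do
        [ -f "$f" ] || { echo "artifact not found: $f" >&2; return 1; }
        run -u "$app_id" "$f" || { echo "upload failed: $f" >&2; return 1; }
    done
}
```

In a Jenkins job this would be an "Execute shell" step with THREADFIX_API_KEY injected from the job’s secret configuration rather than typed into the script.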

Once the final Jenkins plugin is released, we’ll update this post and the ThreadFix wiki with more information on how to do the downloading, the installation and how to best use the ThreadFix Jenkins plugin.

[Update: Here is the plugin page and here is the GitHub repository with the source code.]

So many thanks to Brandon! This is great stuff and the ThreadFix community really benefits from your fierce determination to achieve “Automation Domination.” If you’re in the Chicago area, please head over to the OWASP meeting on June 25th. You can also see some of the other work Brandon has done automating the integration of security and development tools in his AppSecUSA 2013 talk titled “Automation Domination” (download the slides from his talk here). Thanks again, Brandon! Here’s to more automation of the application security process! We will get there some day.

About Dan Cornell

Dan Cornell has over fifteen years of experience architecting and developing web-based software systems. He leads Denim Group's security research team in investigating the application of secure coding and development techniques to improve web-based software development methodologies. Dan was the founding coordinator and chairman for the Java Users Group of San Antonio (JUGSA) and currently serves as the OWASP San Antonio chapter leader. Dan has spoken at international conferences such as RSA, ROOTs in Norway and OWASP AppSec EU.
