How to Integrate Netsparker Into Your Existing SDLC

What is the Software Development Lifecycle?

The software industry has refined the Software Development Life Cycle process over many years. It is the process that software developers use to design, develop and test resilient, quality software that meets the requirements of potential customers or specific commissioning clients. It must also meet stated budgets and deadlines.

Normally, software development passes through these key stages, beginning with Planning.

  1. The Planning stage begins with gathering requirements from potential purchasers, industry experts and existing research, and the organisation’s own sales team. Collated information helps determine whether a project is financially and technically viable.
  2. The Defining stage involves getting clarity on the product requirements and documenting them, often by way of a Software Requirement Specification (SRS), which is then approved by the customer or by the Business Analysts in the organisation.
  3. The Designing stage is based on the SRS, which product architects use to construct a Design Document Specification (DDS) that may include various potential design approaches, including architecture, data flow and 3rd party integrations.
  4. The Building stage is when development begins. Developers follow the DDS and generate code according to their organization’s coding guidelines document.
  5. The Testing stage can happen during all other previous stages and includes reporting of defects, which are fixed until the product reaches the required standard.
  6. The Deployment stage is when the product is released into the relevant market, or directly to the customer. Sometimes, this can be divided into further stages, released in a limited way first and tested, then released again following further fixes.

How Does Netsparker Integrate with Your Existing SDLC?

We developed the TeamCity and Jenkins plugins to help you complete the Netsparker Cloud-assisted SDLC. Using our plugins, users with Administration permissions can now initiate test scans, which are run using the Netsparker Cloud API in the continuous integration build.

For further information on installing and configuring the plugins, see:

  • Netsparker TeamCity Plugin and Installation
  • Netsparker Jenkins Plugin and Installation

Continuous Integration Information

Normally, integrating the Netsparker Cloud plugins into your environment is sufficient to establish a Netsparker Cloud-assisted SDLC. However, in some cases additional configuration is necessary to take advantage of all the benefits (see Configuring User Mappings).

Continuous Integration (CI) is standard practice in the SDLC, where developers working in a team commit their code changes to a shared repository, meaning lots of integrations each day. Finding inevitable errors rapidly is key, to avoid breaking something else and to help the SDLC to progress quickly, so each one is automatically verified by a build that includes a test.

When the scan is initiated from the continuous integration (CI) build via Netsparker Cloud’s new TeamCity and Jenkins plugins, you can access the CI build details as described in the following sections.

Viewing Continuous Integration Information in Netsparker’s Status Window

You can access CI information from Netsparker Cloud scan’s Status window.

How To View CI Build Information in the Status Window
  1. Log in to Netsparker Cloud. From the Scans menu, click Recent Scans. The Recent Scans window is displayed. (If scans have been initiated by the CI server, the Website column displays a CI server icon.)
  2. For the relevant ongoing or queued scan, click Status. The Status window is displayed. From the Executive Summary panel, the Status field shows a green bar that displays the scan’s current Status.
  3. In the Continuous Integration Details section, you can view build information.
  4. In the Build ID field, click the Build ID link.
    • In TeamCity: the continuous integration server opens at the Build Log.
    • In Jenkins: the Console Output window opens.
  5. In the Commit/Changeset field, click the Commit/Changeset link.
    • In TeamCity: the continuous integration server opens at the Changes tab.
    • In Jenkins: the continuous integration server opens at the Changes window.
  6. Click the Netsparker Scan Result to view the scan result. The Netsparker Cloud Executive Summary Report is displayed.
    • In TeamCity:
    • In Jenkins:

Accessing Continuous Integration Details in the Scan Report

You can access CI details in the scan’s Report window.

How to View Continuous Integration Details in the Scan Report
  1. Log in to Netsparker Cloud. From the Scans menu, click Recent Scans. The Recent Scans window is displayed.
  2. For the relevant completed scan, click Report. The Report window is displayed.
  3. From the Scan Summary tab, in the Continuous Integration Details section, you can view build information.
  4. In the Build ID field, click the Build ID. The TeamCity application opens at the Build Log tab.
  5. Click Commit/Changeset. The TeamCity application opens at the Changes tab.
  6. Click the Netsparker Scan Result tab to view the scan result. If the scan is queued or ongoing, the following message is displayed: ‘The scan report is not available yet because the scan is not finished. Please try again later.’

Viewing Continuous Integration Details in the Issues Window

You can access CI information from Netsparker Cloud’s Issues window.

How to View CI Build Information in the Issues Window
  1. Log in to Netsparker Cloud. From the Issues menu, click All Issues. The Issues window is displayed.
  2. Click the Title of the relevant issue. The Issue window is displayed.

Configuring User Mappings

If your username in either the TeamCity or Jenkins integration systems is not the same as your Netsparker username, you can configure our User Mappings functionality to match them. You can add as many user mappings as you want. Users with Administrator permissions will be able to manage all other members’ username configurations.

User Mappings must be unique. If you attempt to add a user mapping which has the same Integration system and Integration User as an existing mapping, the following error message is displayed.

You can add, edit or delete User Mappings.

How To Configure a New User Mapping
  1. Log in to Netsparker Cloud. From the Integrations menu, click User Mappings. The User Mappings window is displayed.
  2. Click New User Mapping. The User Mapping window is displayed.
  3. From the Integration System field, select the relevant system.
  4. In the Integration User field, enter the relevant username used in TeamCity or Jenkins.
  5. From the Netsparker Cloud User dropdown, click the relevant username.
  6. Click Save.

Disabling the Assigning of Issues in Netsparker to the Code Committer

By default, if scans are configured to be triggered by a version control system change (such as a git commit), Netsparker Cloud will assign the detected Issues to the committer.

Disabling this behaviour means that Netsparker Cloud will assign the detected Issues to the website’s Technical Contact regardless of whether Netsparker Cloud is able to identify the committer.

To disable this default behaviour, ask your Netsparker Administrator.
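
The following is an added example (not Netsparker’s own code) that models the two behaviours described in the User Mappings and committer-assignment sections: a mapping table keyed on (Integration System, Integration User) that rejects duplicates, and an assignment rule that routes an issue to the mapped Netsparker user, falls back to the website’s Technical Contact when the committer cannot be identified, and routes everything to the Technical Contact when assignment to the committer is disabled. The class, function and sample usernames are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

# Constructed model of the behaviour described on the page; not Netsparker code.
# The two integration systems the page names.
INTEGRATION_SYSTEMS = {"TeamCity", "Jenkins"}


class DuplicateMappingError(ValueError):
    """Raised when the same Integration System + Integration User is mapped twice."""


@dataclass
class UserMappings:
    """User mappings: (integration system, CI username) -> Netsparker Cloud username.

    Mappings must be unique on the (system, integration user) pair, matching the
    'User Mappings must be unique' rule described above.
    """
    _by_key: Dict[Tuple[str, str], str] = field(default_factory=dict)

    def add(self, system: str, integration_user: str, netsparker_user: str) -> None:
        if system not in INTEGRATION_SYSTEMS:
            raise ValueError(f"unknown integration system: {system!r}")
        key = (system, integration_user)
        if key in self._by_key:
            raise DuplicateMappingError(f"a mapping already exists for {key}")
        self._by_key[key] = netsparker_user

    def edit(self, system: str, integration_user: str, netsparker_user: str) -> None:
        key = (system, integration_user)
        if key not in self._by_key:
            raise KeyError(f"no mapping for {key}")
        self._by_key[key] = netsparker_user

    def delete(self, system: str, integration_user: str) -> None:
        del self._by_key[(system, integration_user)]

    def resolve(self, system: str, integration_user: str) -> Optional[str]:
        return self._by_key.get((system, integration_user))


def assignee_for_issue(
    mappings: UserMappings,
    netsparker_users: Set[str],
    system: str,
    committer: Optional[str],
    technical_contact: str,
    assign_to_committer: bool = True,
) -> str:
    """Decide who an issue from a VCS-triggered scan is assigned to.

    - With assignment to the committer disabled, the Technical Contact always gets it.
    - Otherwise a mapped committer gets it, or a committer whose CI username already
      equals a Netsparker username (no mapping needed).
    - If the committer cannot be identified, the Technical Contact gets it.
    """
    if not assign_to_committer or committer is None:
        return technical_contact
    mapped = mappings.resolve(system, committer)
    if mapped is not None:
        return mapped
    if committer in netsparker_users:
        return committer
    return technical_contact


def demo() -> Dict[str, str]:
    """Constructed scenario: one Jenkins mapping, one user with matching names."""
    users = {"john.doe@example.com", "alice@example.com"}  # constructed sample users
    contact = "techcontact@example.com"                     # constructed Technical Contact
    m = UserMappings()
    m.add("Jenkins", "jdoe", "john.doe@example.com")
    return {
        "mapped": assignee_for_issue(m, users, "Jenkins", "jdoe", contact),
        # The mapping is per integration system, so the same CI name is unknown in TeamCity.
        "other_system": assignee_for_issue(m, users, "TeamCity", "jdoe", contact),
        "same_name": assignee_for_issue(m, users, "TeamCity", "alice@example.com", contact),
        "unknown": assignee_for_issue(m, users, "Jenkins", "ghost", contact),
        "disabled": assignee_for_issue(m, users, "Jenkins", "jdoe", contact, False),
    }


if __name__ == "__main__":
    for case, who in demo().items():
        print(f"{case}: {who}")
```

The per-system key is the part worth noticing: a Jenkins mapping does not carry over to TeamCity, so a team that runs both servers needs a row for each, and the duplicate check only fires when both the system and the CI username repeat.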

How to Disable the Assigning of Issues in Netsparker to the Code Committer
  1. Log in to Netsparker Cloud. From the Your Account menu, click Account Settings. The Change Account Settings window is displayed.
  2. In the Account-wide Options section, check the Disable assigning issues to the committer option.
  3. Click Update.

*** This is a Security Bloggers Network syndicated blog from Netsparker, Web Application Security Scanner authored by Duran Serkan Kilic. Read the original post at: http://feedproxy.google.com/~r/netsparker/~3/xPiycABmj8I/