We are witnessing organizations moving to cloud computing and the cloud platform continues to grow year on year. With this transition, there is always concern about Application Security, even though physical and infrastructure security may be taken care of by cloud providers. Application Security is something that we need to take care of, even in the cloud space
Azure DevOps is one such platform that provides developer services to support teams to plan work, collaborate on code development, and build and deploy applications. Developers can work in the cloud using Azure DevOps Services or on-premises using Azure DevOps Server. Azure DevOps Server was formerly named Visual Studio Team Foundation Server (TFS). The documentation can be found here.
AST in Azure DevOps
Can we add Security to Azure DevOps and make it “DevSecOps”, where security is integrated into the CI/CD pipeline and promotes a Shift-Left strategy? The short answer is “Yes.”
As you are aware, HCL Appscan on Cloud (ASoC) is a one-stop solution for all the AST functions that you need to perform: SAST, DAST, MAST, IAST and OSS.
This solution can be integrated well into the DevOps cycle with the most popular Azure DevOps in the form of extensions, which can be availed for free. That’s an added bonus.
The integration empowers developers and security analysts to find and fix vulnerabilities. So what are the features of this extension? Does it fit my pipeline requirements? Can I see the reports? How easy is it to configure? The answer to the configuration question is “YES,” so let’s take a deeper dive into that topic now.
Installation, configuration and operation of HCL AppScan Extension
Installation and Setup of HCL AppScan is very easy. You can download the extension from the Azure DevOps marketplace, and it is free.
Once the extension is installed, it needs to be configured with ASoC credentials with the KeyID and KeySecret using the Service Connection in Azure DevOps.
The HCL AppScan extension is now ready to be incorporated with your project’s CI/CD pipeline.
You can perform SAST/DAST/MAST/OSS scanning by adding the Run HCL Appscan Security script into your project pipeline.
Here’s an example:
Refer to this link for additional installation details.
Some important features that use the HCL AppScan extension are:
- Enablement and configuration of settings, such as the type of testing to be performed, email alerts and fail build conditions before triggering a build.
- A view of the build’s progress in the console.
3. A summary view of the issues once the scan is completed.
4. A download the Scan report for consumption.
Advantages of the HCL AppScan Extension
- It enables organizations to expand from “DevOps” to “DevSecOps,” by catering to their AST needs, ultimately resulting in delivery of more secure software.
- Developer empowerment to perform checks for security vulnerabilities as developers are coding, without the need to move back and forth from ASoC to Azure DevOps.
- Empowerment of security analysts and other key stakeholders to perform scans and download reports for consumption.
By using the HCL AppScan Extension on Azure DevOps, your organization is empowered to perform all types of scanning without the need to juggle between different tools. You can benefit from the Machine Learning capabilities of Appscan like Intelligent Finding Analytics (IFA) and Intelligent Code Analytics (ICA), which provide results that are based on actionable issues and Fix groups.
To learn more about the impact of IFA and ICA on SAST scan results for AppScan on Cloud, click here.
Finally, HCL AppScan’s reports are vast and detailed, and they can be consumed by multiple stakeholders, such as developers and security analysts.
To Learn More
Click here to begin your free 30-day trial of HCL AppScan on Cloud and test-drive AppSec on your own.