In today's world, if you aren't thinking about the security around your website or API, there's a problem. The internet has grown quickly and technology is everywhere, which increases the chance of your website or API getting breached. With this growth also comes new technology to help do security checks for you. You no longer need to go out and hire a security team or company to check every release. With technology like [netsparker](netsparker.com), you can manually run or even schedule security checks. This is great, but it doesn't always cover everything and is now another process you have to consider.
I was given the chance recently to use [netsparker](netsparker.com) cloud and wanted to make it work even harder for me. I'm proud of the dev-ops pipeline where I work now and figured, "why not include netsparker?". This is a great idea! However, no tool had been built at the time to successfully do this. Luckily, as a software engineer, I can do something about it.
That's why I built the netsparkerscanrunner. I wanted to trigger a scan against my public facing API (development, QA, staging, and production) and see if I'm making the environment better, worse, or keeping it secure. I also know that other people in my company might want to use this tool, and we don't all use the same build system. That's why I chose to build it with node and use the JUnit test output, which seemed like the most universal format. To run it in your build process, all you need to do is
```shell
npm install -g netsparker-scan-runner
netsparker-scan-runner -u MY_NETSPARKER_ID -t MY_API_TOKEN -p MY_TEST_PROFILE -s https://MY_ENVIRONMENT_URL -j results.xml
```
Then just upload results.xml as a JUnit file and you're done! It's that easy. Crazy, right? No way. Here's how it works.
Here is an example of the output you might see in the console:
```text
2019-04-05T01:37:26.3608115Z Starting scan...
2019-04-05T01:37:26.8879679Z Scan triggered!
2019-04-05T01:37:27.0604678Z Scan running - 0/0 complete
2019-04-05T01:37:32.2251357Z Scan running - 0/0 complete
2019-04-05T01:37:37.3878272Z Scan running - 0/0 complete
2019-04-05T01:37:42.5585536Z Scan running - 0/0 complete
2019-04-05T01:37:47.7330133Z Scan running - 0/0 complete
2019-04-05T01:37:52.8977720Z Scan running - 0/0 complete
2019-04-05T01:37:58.0716098Z Scan running - 0/0 complete
2019-04-05T01:38:03.2414409Z Scan running - 0/0 complete
2019-04-05T01:38:08.4273151Z Scan estimated start time - 5
2019-04-05T01:38:13.5985996Z Scan estimated start time - 5
2019-04-05T01:38:18.7714179Z Scan running - 0/0 complete
2019-04-05T01:38:23.9343766Z Scan running - 0/0 complete
2019-04-05T01:38:29.0988487Z Scan running - 0/0 complete
2019-04-05T01:38:34.2556198Z Scan running - 0/0 complete
2019-04-05T01:38:39.4235132Z Scan running - 140/142 complete
2019-04-05T01:38:44.5983008Z Scan running - 140/142 complete
2019-04-05T01:38:49.7683913Z Scan running - 381/381 complete
2019-04-05T01:38:54.9360558Z Scan running - 381/381 complete
2019-04-05T01:39:00.1130823Z Scan running - 675/675 complete
2019-04-05T01:39:05.2727981Z Scan running - 675/675 complete
2019-04-05T01:39:10.4357841Z Scan running - 1381/1381 complete
2019-04-05T01:39:15.6018347Z Scan running - 1381/1381 complete
2019-04-05T01:39:20.7795993Z Scan complete! Completed Steps - 1381
2019-04-05T01:39:20.9737958Z IssueUrl Title Type Url
2019-04-05T01:39:20.9738382Z ------------------------------------------------------------------------------------------------------------------------------------
2019-04-05T01:39:20.9738615Z ISSUE_URL Forbidden Resource ForbiddenResource URL
2019-04-05T01:39:20.9738801Z ISSUE_URL Missing X-XSS-Protection Header MissingXssProtectionHeader URL
2019-04-05T01:39:20.9738963Z ISSUE_URL Expect-CT Not Enabled ExpectCtIsMissing URL
2019-04-05T01:39:20.9739227Z ISSUE_URL HTTP Strict Transport Security (HSTS) Policy Not Enabled HstsNotEnabled URL
2019-04-05T01:39:20.9742029Z ISSUE_URL Insecure Transportation Security Protocol Supported (TLS 1.0) TlsVersion1Support URL
2019-04-05T01:39:20.9742190Z
2019-04-05T01:39:20.9742445Z Generating jUnit report...
2019-04-05T01:39:20.9742582Z jUnit report generated
2019-04-05T01:39:20.9742720Z Netsparker Scan Runner Complete!
```
Netsparker Cloud has a wonderful API that you can use. This npm package just does all the heavy lifting for you around that API and the JUnit output.
If netsparker reports an issue, it is presented as a failed test in the JUnit file, so your build system can surface it like any other test failure. Here is an example of these issues showing in Azure DevOps.
Again, easy right?
Security should be a part of any application you code or create. In today's world, you simply can't ignore it. If you have any issues with this tool, please create an issue. I'd love to hear your feedback and suggestions!
If you want to hear Ricky and me talk about security in applications, be sure to check out episode #32