In today's world, if you aren't thinking about the security around your website or API, there's a problem. With how quickly the internet has grown and how technology is everywhere, it increases the chance of your website or API getting breached. With this growth, also comes new technology to help do security checks for you. You don't need to go out anymore and hire a security team or company to check every release. WIth technology like [netsparker](netsparker.com), you can manually run or even schedule security checks. This is great, but doesn't always cover everything and is now another process you have to consider.
I was given the chance recently to use [netsparker](netsparker.com) cloud and wanted to make it further work for me. I'm proud of the dev-ops pipeline where I work now and figured, "why not include netsparker?". This is a great idea! However, no tool was built at the time to successfully do this. Luckily as a software engineer, I can do something about it.
That's why I build the netsparkerscanrunner. I wanted to trigger a scan against my public facing API (development, QA, staging, and production) and see if I'm making the environment better, worse, or keeping it secure. I also know that other people in my company might want to use this tool and we don't all use the same build system. That's why I chose to build it with
node and use the
JUnit test output. This seemed like the most universal. To run it in your build process all you need to do is
npm install -g netsparker-scan-runner netsparker-scan-runner -u MY_NETSPARKER_ID -t MY_API_TOKEN -p MY_TEST_PROFILE -s https://MY_ENVIRONMENT_URL -j results.xml
Then just upload
results.xml as a JUnit file and you're done! It's that easy. Crazy right? No way. Here's how it works.
Here is an example of the output you might see in the console
2019-04-05T01:37:26.3608115Z Starting scan... 2019-04-05T01:37:26.8879679Z Scan triggered! 2019-04-05T01:37:27.0604678Z Scan running - 0/0 complete 2019-04-05T01:37:32.2251357Z Scan running - 0/0 complete 2019-04-05T01:37:37.3878272Z Scan running - 0/0 complete 2019-04-05T01:37:42.5585536Z Scan running - 0/0 complete 2019-04-05T01:37:47.7330133Z Scan running - 0/0 complete 2019-04-05T01:37:52.8977720Z Scan running - 0/0 complete 2019-04-05T01:37:58.0716098Z Scan running - 0/0 complete 2019-04-05T01:38:03.2414409Z Scan running - 0/0 complete 2019-04-05T01:38:08.4273151Z Scan estimated start time - 5 2019-04-05T01:38:13.5985996Z Scan estimated start time - 5 2019-04-05T01:38:18.7714179Z Scan running - 0/0 complete 2019-04-05T01:38:23.9343766Z Scan running - 0/0 complete 2019-04-05T01:38:29.0988487Z Scan running - 0/0 complete 2019-04-05T01:38:34.2556198Z Scan running - 0/0 complete 2019-04-05T01:38:39.4235132Z Scan running - 140/142 complete 2019-04-05T01:38:44.5983008Z Scan running - 140/142 complete 2019-04-05T01:38:49.7683913Z Scan running - 381/381 complete 2019-04-05T01:38:54.9360558Z Scan running - 381/381 complete 2019-04-05T01:39:00.1130823Z Scan running - 675/675 complete 2019-04-05T01:39:05.2727981Z Scan running - 675/675 complete 2019-04-05T01:39:10.4357841Z Scan running - 1381/1381 complete 2019-04-05T01:39:15.6018347Z Scan running - 1381/1381 complete 2019-04-05T01:39:20.7795993Z Scan complete! Completed Steps - 1381 2019-04-05T01:39:20.9737958Z IssueUrl Title Type Url 2019-04-05T01:39:20.9738382Z ------------------------------------------------------------------------------------------------------------------------------------ 2019-04-05T01:39:20.9738615Z ISSUE_URL Forbidden Resource ForbiddenResource URL 2019-04-05T01:39:20.9738801Z ISSUE_URL Missing X-XSS-Protection Header MissingXssProtectionHeader URL 2019-04-05T01:39:20.9738963Z ISSUE_UR Expect-CT Not Enabled ExpectCtIsMissing URL 2019-04-05T01:39:20.9739227Z ISSUE_URL HTTP Strict Transport Security (HSTS) Policy Not Enabled HstsNotEnabled URL 2019-04-05T01:39:20.9742029Z ISSUE_URL Insecure Transportation Security Protocol Supported (TLS 1.0) TlsVersion1Support URL 2019-04-05T01:39:20.9742190Z 2019-04-05T01:39:20.9742445Z Generating jUnit report... 2019-04-05T01:39:20.9742582Z jUnit report generated 2019-04-05T01:39:20.9742720Z Netsparker Scan Runner Complete!
Netsparker Cloud has a wonderful API that you can use. This npm just does all the heavy lifting for you around this API and JUnit.
If a test doesn't pass with netsparker, those are presented in JUnit. Here is a example of these issues showing in Azure Devops.
Again, easy right?
Security should be apart of any application you code or create. In today's world, you simple can't ignore it. If you have any issues with this tool, please create an issue. I'd love to hear your feedback and suggestions!
If you want to hear myself and Ricky talk about security in applications, be sure to check-out episode #32