Jenkins Demo: DAST

00:00

come to lessen 5.4. This is the exciting time again, we gotta take our Jenkins pipeline and add another stage to it. Specifically, we're gonna be do dynamic application testing with a with a Web app tool.

00:15

I'm just gonna demonstrate Jenkins and then explain what we're doing with the desk, Annie.

00:23

So, as usual here, is that the link to Jenkins? If you want to go to the website,

00:27

a swell as we're gonna be using a rack in it, which is? Ah, very function are very robust. Web scanner. We're gonna be using that to scan our web app.

00:37

Here we are, back in the Jenkins, and it's one of combat can refresh before we start looking at our adding the desk total. Just remember what we looked at or how are module ran the last time. So previously we did build. We did check style US

00:54

static analysis and then the cell for competition analysis on our tools. So now

00:59

the current pipeline will they go to number five here since the module Orian are very running, but I'll run it again just to kind of see so you can see Bill check style fast SDA. This is exactly from previous. Now would have added is to new stages, deployed a death and run the Web scanner.

01:18

Reason I'm adding that deployed to Dev is

01:21

I actually did this way back, but I took it out back at the beginning of the course. But I wanna take our Web application we've built. We run the static analysis and deployed to Tomcat and actually have it running because it need to be running somewhere in order for us to be able to do the Web scanning tool.

01:36

So take a look at the Jenkins file, what it looks like in this stage,

01:41

and you'll notice everything is the same. Here's Bill check style software are static analysis s E A. So this is where it becomes a little bit different.

01:51

So this is a deployment are deployed to our development environment. I've had a little bit complexity here

01:57

just to kind of show the functionality of Jenkins and what we can dio.

02:01

So this is, um,

02:02

it starts off with copying the war, file our application to the Tomcat folder,

02:07

and so what? But what I need to do is now test to make sure it's up because Tomcat takes a while to

02:15

extract a war filed all that. So I just kind of show adding just showing the kind of, if then kind of statement we can add into this. So

02:23

if you remember previously, I did a catch air up here because I knew this was gonna fail. And so what this does is it catches the air, it runs, and then that's it.

02:32

Uh, where we have a different a little more

02:36

granularity Here, we can use a try catch if you familiar with Java and seen at, uh

02:43

dot net. Sorry, B, you've seen this before. So what it says is, I want to try this Whatever's in the block, If anything fails, jump to this catch and then I could then perform some action on it, which which is very useful. So what I'm doing is I have a shell script I wrote, and I'll show you that while this told Bild is running, takes a while,

03:02

Um, it's checks to see if the Web server is up in the outside application service up in that app is running.

03:09

If it is, it just continues, and that

03:12

goes off to the next stage. If it doesn't genitals, it'll jump to the catch air here and say, I failed.

03:17

Now there's another Jenkins logic in putting called retry. So it'll run now, this little thes block of code up to three times if needed. And so it does the same thing. It sleeps for five seconds, hoping something will happen. Runs that same test script again and a run through here if it fails all four times

03:36

the whole pipeline of bomb, if not meet, moves on.

03:39

And so here's where we're running the their acne skinner.

03:44

This scanner. There's actually Module and Jenkins for this, which makes a lot easier. You could just give it some limited variables and it'll run. So I said, Iraqi run only run 100 pages just because I don't want to taking all night.

03:58

Um, here's the U. R L to hit,

04:00

and then here's some configuration files and I'm gonna output into a Jason file,

04:06

and the next thing I need to do again, I could have found a way different parts of parsing it. But I want to do show you some other ways we could do it. So I wrote a python program that will actually parse through that Iraqi file. And again, I'll show you that while the pipelines running just cause it takes a while to run.

04:25

So let me start this

04:27

and you'll see it'll start running here.

04:30

Um,

04:30

so the bill should run, run correctly, conceptual fronts pretty quick And what we can t it will run through this. But in the meantime, I'll show you those files, as I mentioned,

04:41

and it will come back here once this is done.

04:44

And while the builders running, I just get show you these, uh, couple

04:48

programs that I wrote just for this, just to see what they are.

04:53

So let's look at the

04:56

This is just a shell script that that I mentioned. All it's doing is just a little bit of curl magic. If you never seen Curl before, it's it's just a command line

05:03

Web client. So I said, Curl, give me this high the output. I want to have some special output. And so what it's gonna do is hit this website,

05:12

uh, you are looking for And what is gonna return is just the http code. So we should be expecting a 200.

05:19

Um So if it gets 200 returns, zero If it gets one, it returns. I'm sorry, but that's not 200. Then it returned an error. And if you remember the convention before the how

05:30

Jenkins can take the output

05:34

Oh, I'm sorry. The exit code and determine whether a command worked or not That that's all I'm doing to fix That s o. Then here is the Python script,

05:46

and this one is so rack near when it runs, it creates a zip file of with it with the Jason in it. And so that's what I'm just gonna parse, really? Is this a python program that's gonna parse through Jason? Create a text output and same type of thing. Give a good are a good exit code or bad exit code, depending on

06:05

whether some vulnerabilities were found.

06:09

This is including the study materials. You don't have to understand it completely. Um, began on this line I open up the zip file extracted to attempt folder.

06:18

Then right here I'm going to open that Jason file and turned into Jason within python.

06:26

And then the way this is set up is that there's a first level is called issues. And in the four loop, I'm just gonna run over each one of those issues in the array,

06:35

pull out the severity right here, and then just test is the severity critical is the severity high. And for any one of these, I want to increment the result

06:46

of I'm sorry, increment the number vulnerabilities I found for that specific category and it also print out. So all this is gonna show up in the console logs we concede at the end.

06:55

Um, And then at the end, just print out a final report saying, Here's how money I found of each one.

07:00

Delete all the files that temp files I had and then at the end, here again, if if there is critical vulnerabilities, high vulnerabilities, medium anything

07:10

print, I found vulnerabilities and exit.

07:12

If it's nothing was found, give a good exit code, which is zero, uh against some of this is mixing python and the Lennox file system. But when I kind of show you the availability of what we can use these tools.

07:26

So just kind of another question here for you, just kind of another topic to think about

07:31

is how can we eliminate false positives.

07:38

So false positive. This sense has a couple different meetings that I could think of. So one of them might be testing with multiple tools to find the best fit for your environment. So we want toe.

07:48

If you scan with one tool and you get a result, and then that's the only thing use. You don't have good verification. Otherwise, unless you're doing some time a manual test

07:59

verification of it. Whereas if you have to tools and they show different results, you could validate it that way.

08:05

One of the most important ideas is to review their the scam results before their submitted to the developers of the operations. You want to really make sure you have valid results.

08:16

The reason you're doing this is you really want to maintain your credibility If you just again take a scanner skin or run a scan and say, Here you go. Here's 1000 pages, and almost none of them are valid. You're gonna lose your credibility. They're probably gonna your bosses, but we're gonna get talked to as well, and you're not gonna be able to be running these scans much, either.

08:35

And we're back now to the pipeline with the magic of editing, it's all completed. So you see it's does it. The last one I ran build number 13 here. It failed as well, because of the results.

08:46

They're sorry that that Iraqi was able to find some vulnerabilities.

08:50

And so let's take a look at

08:52

There's a lot of output in here. So you see, you might. This is all the same thing, this staffed output that we had before we take the console. There's a lot of junk in here. Time Scott Scroll to the end to see, See the important part.

09:05

So here's where it was running the Iraqi scanner.

09:09

It finished.

09:09

Here's the results. I'm sorry and then So here is my Python script that I wrote today just showed you on what it's gonna run through. See, it's all its printing out is saying, Here's a Hyatt's Gold. I I see it called path to a virtual nothing more than it's just a basic high cross. I scripting more highs mediums,

09:28

and then they saw you had mentioned here

09:30

summary of each one of these. So there's 10 highs three medium, six lows. I didn't print out the lows and then it returned an error because it says vulnerability found

09:43

and and this this failed right right here. Because of that, because there were some vulnerability. So again we could We could tweet that threshold to say whatever number we could also use, um, or integrated tool.

09:54

I want to do that later on where, doing a verification scan and they use app. But I just want to kind of show you the functionality and ability and all the options we have available.