Security testing is an essential part of the SDLC and one that cannot be neglected. With DevOps practices taking centre-stage for software development, adding security testing to your CI/CD pipeline matters even more as you ship new features faster than ever before.
Faster release cycles shouldn’t come at the expense of security. This is where the importance of adopting a DevSecOps culture comes in. By finding and fixing security issues early in the development process, companies can reduce the cost and complexity associated with application security.
By incorporating a DevSecOps approach, you can add security testing capabilities to your DevOps practice and make everyone on the team accountable for ensuring security.
Application security should be addressed right from development through production to ensure continuous protection.
If you’re currently using or planning to set up Azure DevOps for continuous integration and delivery, how do you ensure that your application is safe?
Automated penetration testing can be executed during deployment to a development environment to check the running application for security vulnerabilities.
We’ll be looking into how you can integrate Beagle Security for building application security in your Azure DevOps pipeline.
Beagle Security integrates with Azure Pipelines and Azure Boards, amongst the suite of tools Azure DevOps offers.
This means that you can trigger security tests in your Azure Pipeline and receive the security issues directly on your Azure Boards once a security test is completed.
To get started, you’ll have to first sign up for an account on Beagle Security.
Then, you can head over to the Visual Studio Marketplace and add the Beagle Security Test extension. After installing the extension, you’ll be able to add it as a task in Azure Pipelines to trigger security tests that find vulnerabilities as part of your CI/CD workflow.
And by completing the integration with Azure Boards, you can receive the vulnerabilities on your Boards Project.
To set up Beagle Security within Azure Pipelines, first, you’ll need to log in to your Beagle Security account and add the application you want to security test.
After that, head over to the Settings page and generate your Access token.
You can assign the necessary scope and expiry date and create your access token.
Next up, go to the particular application’s settings and copy the application token from there.
Now, open the Azure DevOps Project you want to add the extension to. You can configure it in either the release pipeline or the build pipeline.
For adding Beagle Security to your release or build pipeline, follow these steps:
Navigate to Pipelines → Releases/Builds
Create a new pipeline or edit an existing pipeline and add a task
Search for Beagle Security Test and click Add.
After that, you’ll have to provide the access token and application token you generated from your Beagle Security account. Once that’s added, the penetration test will run automatically when you trigger your release or build pipeline.
Getting to know the vulnerabilities in your application right in the CI/CD pipeline is great, but what’s equally important is getting them addressed correctly by your development team.
By integrating Azure Boards with Beagle Security, you can get your team on the same page. The penetration test results come with detailed descriptions of the vulnerabilities, proof of how each was exploited and recommendations on how to fix it.
You can then start assigning vulnerabilities to the developers in charge of fixing them, right within Azure Boards.
To set up the integration, go to your Beagle Security account. Then, go to the particular application’s settings and click on Integrations. There you’ll be able to find Azure Boards listed.
Follow the steps below to complete the integration:
Enter the Azure Boards URL and API token (Follow these instructions for generating your API token in Azure DevOps)
Select your Azure Boards Project
Select the Work Item Type from the available options
Select the relevant Start State and End State
Finally, click on Confirm to complete the integration.
Once that’s done, penetration tests will be automatically triggered in your Azure Pipelines and, after completion, you’ll receive all the vulnerabilities in Azure Boards.
DevSecOps practices enable your entire team to incorporate security capabilities throughout the entire lifecycle of your application.
Establishing continuous security validation in your Azure DevOps pipeline allows your application to stay secure while you increase deployment frequency to meet the needs of your business and stay ahead of the competition.