DevSecOps : Integrating Burp Suite Scanner With Jenkins

Johne Jacob
5 min read · Feb 11, 2020


All committed code is tested for security flaws.

Burp Suite Enterprise Edition Tool

Enterprise Edition
  • Headless server installation (24/7 availability).
  • Scans can be triggered per commit, on a schedule, or as part of your deployment pipelines.
  • Scalable pool of scan agents for large-scale, parallel scanning.
  • Visual reporting and central aggregation of scan results.
  • Multi-user, with role-based access control.
  • Easy integration with CI and other systems via the REST API to launch vulnerability scans automatically; it can be configured to break software builds based on the severity of the issues discovered.

Note: Burp Suite Professional does not have a suitable design or architecture for use in CI integration. Users wishing to use Burp Suite to perform scanning within their CI builds should use Burp Suite Enterprise Edition — Portswigger.

CI/CD integration

Credit : Portswigger blog

Step: 1 → Create REST API User

  • Log in to the Burp Suite Enterprise tool and create a new user to initiate scans. Keep in mind that the user’s “Login type” should be “API key”, and add the user to the default “Scan initiators” group.
REST API User Creation
  • Once the API user is created, an API key is generated. The user is presented with a dialog that allows the API key to be copied to the clipboard.
Note: Keep a record of the API key and handle it as a secret; it grants the right to start scans against anything in scope.

Step: 2 → Download Burp Plugin for Jenkins

  • Download the Burp plugin for Jenkins from the PortSwigger official website using the link below.

https://portswigger.net/burp/extender/ci-integration

Burp Plugin for Jenkins
  • Click the Download now button to download the plugin. Unzip the downloaded file and keep the .hpi file.

Step 3 → Add Burp Enterprise Plugin to Jenkins

  • Log in to Jenkins as administrator.
  • Click “Manage Jenkins” → “Manage Plugins”.
Manage Jenkins
  • Click on the Advanced tab.
  • Click the Choose file button and select the .hpi Burp plugin file.
  • Click Upload and restart Jenkins.
Upload Burp Scan Plugin

Step 4 → Configure Scan Settings

  • To configure the scan settings, copy the API link and open it in a browser.
  • Define the scan as granularly as required by clicking on the POST verb label.
POST Scan Request
  • Provide the scan URLs, name, and scope include/exclude inputs.
  • Provide the application_logins and scan_configurations inputs.
  • Copy the generated JSON settings from the curl request and save them.
curl request

Step 5 → Configure Jenkins Settings

  • Go to the Jenkins dashboards and select the existing project.
  • Click Configure
  • Now go to the Build section and click on Add build step → Execute shell
Execute Shell
  • Specify the shell command

echo BURP_SCAN_URL = http://target-website.com

  • Under the Build section, click on Add build step → Burp scan.
  • Specify the previously copied API URL (including the API key) and the scan definition. Click Apply.

Step 6 → Execute Jenkins Build

  • Execute the project build.
Whether the build passes or fails depends on the severity of the issues found in the scan.
Build Result
Console Output

Step 7 → View Result

  • We can monitor the progress of the scan and view the scan results on the Scans page of the Enterprise Edition tool.
Scans Page
Vulnerability Description

Note: We can also fetch the results from Burp Enterprise using curl, which retrieves the scan results as JSON. To fetch the JSON data we make use of the following GET request in the REST API.
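The following script is an added example (not PortSwigger's code and not part of the original post) that ties Steps 4, 6 and this note together: it assembles the scan definition JSON from the inputs named in Step 4, starts a scan and fetches its results over the REST API, and applies a severity gate that decides whether the build breaks. The base URL, the v0.1 endpoint paths, the nested JSON shapes and the severity labels are assumptions, and the sample scan document is constructed.

```python
import json
from urllib.request import Request, urlopen

# Assumed values (not from the page): server base URL placeholder, API version, severity labels.
BURP_BASE_URL = "https://burp-enterprise.example.internal"
API_VERSION = "v0.1"
SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3}


def build_scan_definition(urls, name, include, exclude, logins=(), configs=()):
    """Assemble the scan definition JSON from Step 4 (urls, name, scope, logins, configs).
    The nested shapes (rule objects, NamedConfiguration) are assumed, not taken from the page."""
    return {
        "urls": list(urls),
        "name": name,
        "scope": {"include": [{"rule": r} for r in include],
                  "exclude": [{"rule": r} for r in exclude]},
        "application_logins": [{"username": u, "password": p} for u, p in logins],
        "scan_configurations": [{"type": "NamedConfiguration", "name": c} for c in configs],
    }


def start_scan(api_key, definition, opener=urlopen):
    """POST the definition; the new scan's id is read from the Location header (assumed)."""
    req = Request(f"{BURP_BASE_URL}/api/{api_key}/{API_VERSION}/scan",
                  data=json.dumps(definition).encode(), method="POST",
                  headers={"Content-Type": "application/json"})
    with opener(req) as resp:
        return resp.headers["Location"].rstrip("/").rsplit("/", 1)[-1]


def fetch_scan(api_key, scan_id, opener=urlopen):
    """GET the scan document (status plus issue events), as the closing note describes."""
    req = Request(f"{BURP_BASE_URL}/api/{api_key}/{API_VERSION}/scan/{scan_id}")
    with opener(req) as resp:
        return json.load(resp)


def build_should_fail(scan, fail_at="medium"):
    """Step 6's gate: break the build if any issue is at or above the fail_at severity."""
    found = [SEVERITY_RANK.get(ev["issue"]["severity"], 0) for ev in scan.get("issue_events", [])]
    return bool(found) and max(found) >= SEVERITY_RANK[fail_at]


# Constructed sample scan document for offline use; field names are assumed, values are made up.
SAMPLE_SCAN = {
    "scan_status": "succeeded",
    "issue_events": [
        {"issue": {"name": "Cross-site scripting (reflected)", "severity": "high"}},
        {"issue": {"name": "Cacheable HTTPS response", "severity": "info"}},
    ],
}
```

In a Jenkins build step, `build_should_fail(fetch_scan(key, scan_id))` would be polled until `scan_status` leaves its in-progress state and its result used as the process exit code; the `opener` parameter exists so the HTTP layer can be faked in tests.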

Conclusion

Burp Suite Enterprise is a powerful application security scanning tool to integrate within a DevSecOps environment. Enterprise Edition offers fully automated and scheduled scanning, extreme scalability, and integration with any development environment. It also ensures that all committed code is tested for security flaws. If a weakness is found, Burp will break the build, which removes the need for last-minute security tests.

References
https://portswigger.net


Johne Jacob

Security Engineer | Bug Hunter | Mobile & Web Automation Tester | Security Researcher | Splunk Certified User | RPA Certified Developer