Veracode API: Getting things done with AWS Lambda and AWS API Gateway

Conviso, published in Code Fighters. Nov 5, 2019

Every day at Conviso, the dev and SRE teams work together, facing challenges to make AppSec Flow a more complete solution.

Since the beginning of this year we have integrated a large number of third-party products.

This time we needed to integrate with Veracode, a well-known application security platform, in order to extract scan results via its API and centralize them within AppSec Flow.

At first glance it did not look like a hard task, since we knew Veracode provides a REST API for the job; nevertheless, it was not as simple as we expected it to be.

Because of this year's update to the Veracode API authentication mechanism, Basic Auth no longer works against the API. The only option is the HMAC Authentication header, which also did not seem to be a big challenge, as we have worked with HMAC in the past.

Our main problem was that the libraries Veracode suggests were not compatible with our backend language, so they were not the solution we wanted to run in production.

Having to install new dependencies was not a path that we wanted to take.

The major challenge, then, was creating the HMAC Authentication header without installing new dependencies. After digging a bit on Google, we found a collection of open-source scripts listed on Veracode's official GitHub account.

We found one that happened to be compatible with our backend language and at first sight seemed to solve the problem, but after some testing it turned out to generate a faulty HMAC authentication header, so there was no successful communication with the Veracode API.

After some more investigation, we ended up finding JavaScript code that, thankfully, generated a valid HMAC Authentication header, just what we needed.

Having solved the first problem, we had to find a way to use it in our environment.

As we work with AWS daily, we decided to create a Lambda function and expose it as an endpoint with the API Gateway service, so we can later call it from our application.

For those who are not familiar with these services, the AWS Lambda and AWS API Gateway documentation is listed in the reference links at the end of this article.

Bear in mind that the Lambda function was created in Node.js and can be triggered by creating an endpoint through AWS API Gateway; the code is linked as "Veracode API AWS Lambda Code" in the reference links at the end of this article.

In a nutshell, this approach aims to help those who work with AWS and do not wish to depend on specific libraries or languages when integrating with the Veracode API.

Author: Daniel Arenas
Conviso Application Security

Reference links for this article:

Veracode API AWS Lambda Code

AWS Lambda

AWS API Gateway

Veracode custom HMAC request signing algorithm

Javascript code

REST API

HMAC Authentication

AppSec Flow
