Traceable API Security Testing Plugin

Introduction

In the world full of microservices, there are cosmic number of APIs that a single organization exposes for internal and external use. But with the advantage of APIs making microservices architecture possible, there also comes the downside of data abuse, exposure and security. More the APIs exposed, an organization becomes more and more vulnerable to API attacks such as the OWASPs Top 10. To solve this problem TRACEABLE AI helps you by continuously securing your APIs, bringing you deep visibility, real-time protection, and threat analytics. Traceable AI combines distributed tracing and advanced context-based behavioral analytics to deliver modern API security to your cloud-native and API-based applications.

What is AST?

API Security Testing helps in finding vulnerabilities in very early stages, giving developers and Product security engineers more time and context to prioritize mitigation of vulnerabilities and build the resilient systems by scanning APIs for vulnerabilities by changing the data in the existing api specifications as required to introduce vulnerabilities.

Features

Extensive security testing coverage for microservices and APIs.

Generate tests from - Live traffic, OpenAPI Specs or even Recorded traces.

Insertion into DevSecOps with Scan initiation and Vulnerability Management.

Risk based prioritization using asset inventory, threat intel, predictive modeling.

Allow for virtual patching for exploits to shield while Dev creates the long term fix.

1. Installation

This Jenkins plugin for AST allows to run AST scan as a job on local jenkins instance.

1. Navigate to "Manage Jenkins > Manage Plugins > Available".
2. Search for "Traceable AST".
3. Install the plugin.

2. Get Scan Token

To get your scan token go to app.traceable.ai and login.

1. Go to the API testing tab.
2. Press the generate scan button, a dialog appears.
3. In the dialog "Generate new Token" and remember/note the scan token you generate.

3. Add Build Step

1. To add AST scan job, create a new item in jenkins as a Freestyle project.
2. Add Traceable AST as the build step for the job.

3. Fill the configuration fields for the job.
4. Click on Advanced button to fill additional configuration fields.
5. Apply and Save.

Client Token and Traffic environment are required fields and Client Token is the same as the scan token we generated.

4. View Traceable AST Report

1. Build a job, which will run a scan according to the configurations.
2. After the completion of the job, go to the Job's page.
3. the report of the scan will be available as the Traceable AST report tab.

The scan report shows the number of vulnerabilities found for each type of plugin category.

List of Available Configuration Options:

Option	Description
Scan Name (optional)	The name of the scan used to identify the scan
Test Environment (Required)	The environment from which we should analyze the traffic and generate tests. In most of the cases this will be the environment where functional test traffic is coming
Client Token (Required)	Client Token/Scan Token is the token you get from the traceable API testing section while generating a new scan
Traceable CLI Binary Location (optional)	Provide the location of the Traceble AST cli binary, else the latest version will be downloaded from Traceable Artifactory
Plugins (optional)	List of comma seperated identified vulnerabilities, for which you want to test in your scan. (Refer to help in plugins field for the list of available plugins)
Include Url Regex (optional)	Include the URLs which matches the regular expression in the scan
Exclude Url Regex (optional)	Excludes the URLs matching this regular expression in the scan
Target Url (optional)	Specific url for which you want to run the scan
Traceable Server (optional)	Specify the Traceable's server you want to use for the scan
Idle Timeout (optional)	Continuous duration in which if no test suite is received scan is marked completed and stopped
Scan Timeout (optional)	Maximum time a scan is executed,scan is stopped after scan timeout
Scan Suite (optional)	Name of the Scan Suite to run the scan
Include All Endpoints (default asset selected)	All endpoints targeted during the scan
Include Endpoint Ids (commas separated)	Specific endpoints ids targeted during the scan
Include Endpoint Labels (commas separated)	Specific endpoint labels targeted during the scan
Include Service Ids (commas separated)	Specific service ids targeted during the scan
XAST Replay	Replay traffic type used during the scan
Open Api Spec Ids (commas separated)	List of open api spec file ids for generating traffic used during the scan
Postman Collection Ids (commas separated)	Postman collection file IDs for generating traffic during the scan
Postman Environment Ids (commas separated)	Postman environment file IDs with target URLs and traffic environments configuration used during the scan
Hook Names (optional)	Authentication hook to mutate request headers during scan

NOTES:

• Only one type of asset (All Endpoints, Endpoint Ids, Service Ids, Endpoint label names) can be selected during scan
• Only one type of traffic (XAST Replay, Open Api Spec Ids, Postman Collection Ids, Postman Environment Ids) scan be used during scan. By default live traffic will be selected
• Provide the suite name to run the suite scan

Compiling and testing the plugin

Compile and run the plugin automated tests on Java 11 or Java 17 with:

• mvn clean verify

Run the plugin inside a Jenkins environment with Maven HPI Plugin

• mvn -Djetty.port=8080 hpi:run

Code coverage reporting

Code coverage reporting is available as a maven target. Please improve code coverage with tests when you submit.

• mvn -P enable-jacoco clean install jacoco:report to report code coverage

Code formatting

Source code and pom file formatting is maintained by the spotless maven plugin. Before submitting a pull request, confirm the formatting is correct with:

• mvn spotless:apply