AppSec with Jenkins
Forked OWASP’s Vulnerable-Web-Application for this exercise. The plan is to have security tools run in Jenkins every time we have a new build from the project.
Our security team will track diffs of the security tooling output to detect builds that introduced new vulnerabilities.
Jenkins will run the new build with docker and execute scan(s).
We will be using the Arachni web application security scanner for this exercise. The target will be Vulnerable-Web-Application’s level 1 XSS page.
As expected, Arachni has detected the XSS vulnerability.
We can use this output to make subsequent code changes to remediate the vulnerability.
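To track the report diffs the post describes, here is an added example (it is not code from the original post, nor from Arachni or Jenkins): a small script that compares the Arachni JSON report of the previous good build with the report of the new build, lists findings that are new or fixed, and exits non-zero when a new high-severity finding appears so the Jenkins stage fails. The report layout assumed here (a top-level `issues` list whose entries carry `name`, `severity` and a `vector` with `method`, `url`/`action` and `affected_input_name`) follows Arachni's JSON reporter as I know it; treat those field names, the sample reports and the target URLs as assumptions and adjust them to your scanner version.

```python
"""Diff two Arachni JSON reports and surface issues a build introduced.

Added example, not code from the original post. The report field names
below are assumed from Arachni's JSON reporter; verify them against the
reports your Arachni version writes. A Jenkins pipeline would run this as
  sh 'python3 diff_arachni.py baseline.json report.json'
and a non-zero exit marks the stage as failed.
"""
import json
import sys

# Constructed sample reports (not real scanner output). BASELINE stands for
# the report of the previous good build, CURRENT for the new build's report.
BASELINE = {
    "issues": [
        {"name": "Missing 'X-Frame-Options' header", "severity": "low",
         "vector": {"method": "get", "url": "http://target.example/",
                    "affected_input_name": None}},
    ]
}
CURRENT = {
    "issues": [
        {"name": "Missing 'X-Frame-Options' header", "severity": "low",
         "vector": {"method": "get", "url": "http://target.example/",
                    "affected_input_name": None}},
        {"name": "Cross-Site Scripting (XSS)", "severity": "high",
         "vector": {"method": "get", "url": "http://target.example/xss/level1",
                    "affected_input_name": "name"}},
    ]
}

SEVERITY_ORDER = ["informational", "low", "medium", "high"]


def fingerprint(issue):
    """Stable identity for a finding so it can be matched across builds.

    Per-scan digests change with page content, so key on what the security
    team actually tracks: check name, HTTP method, URL and affected input.
    """
    vector = issue.get("vector") or {}
    return (
        issue.get("name", ""),
        (vector.get("method") or "").lower(),
        vector.get("url") or vector.get("action") or "",
        vector.get("affected_input_name") or "",
    )


def diff_reports(baseline, current):
    """Return (new_issues, fixed_issues) between two parsed reports."""
    base = {fingerprint(i): i for i in baseline.get("issues", [])}
    cur = {fingerprint(i): i for i in current.get("issues", [])}
    new_issues = [cur[k] for k in cur if k not in base]
    fixed_issues = [base[k] for k in base if k not in cur]
    return new_issues, fixed_issues


def severity_rank(issue):
    """Map a severity string to a number; unknown strings rank lowest."""
    sev = str(issue.get("severity", "informational")).lower()
    return SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else 0


def new_issues_at_or_above(new_issues, threshold="high"):
    """Keep only the new findings severe enough to fail the build."""
    minimum = SEVERITY_ORDER.index(threshold)
    return [i for i in new_issues if severity_rank(i) >= minimum]


def load_report(path):
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)


def main(argv):
    # With two paths compare real reports; otherwise use the constructed samples.
    if len(argv) == 3:
        baseline, current = load_report(argv[1]), load_report(argv[2])
    else:
        baseline, current = BASELINE, CURRENT
    new, fixed = diff_reports(baseline, current)
    for issue in new:
        name, method, url, inp = fingerprint(issue)
        print(f"NEW   [{issue.get('severity')}] {name} {method.upper()} {url} input={inp!r}")
    for issue in fixed:
        name, method, url, inp = fingerprint(issue)
        print(f"FIXED [{issue.get('severity')}] {name} {method.upper()} {url} input={inp!r}")
    blocking = new_issues_at_or_above(new, "high")
    print(f"{len(new)} new, {len(fixed)} fixed, {len(blocking)} blocking")
    return 1 if blocking else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Keying on (name, method, url, input) rather than on the scanner's per-run issue id is what makes the diff stable from build to build: the same XSS on the same parameter matches even when the page body or the scan order changes. The severity threshold is deliberately separate from the diff so the team can report every new finding while failing the build only on the ones it has agreed to block on.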