Ostorlab Security And Privacy Scanner

Easily integrate security and privacy testing into your mobile application pipeline builds using the Ostorlab Jenkins Plug-in. Using this plugin you can upload Android and iOS applications and perform static (statically analyze the application without a test device), dyanmic (run and assess the application on real device) and backend (assess backend interaction) scans.

Prerequisites

Usage

Generate an API key

  1. Go to the API keys menu
  2. Click the new button to generate a new key
  3. Copy the api key (You can add a name and an expiry date to your key)
  4. Click the save button to save your key

Api key Step1

Add Ostorlab's API key to Jenkins Credentials

  1. From the main Jenkins dashboard, click the Credentials link.

    Api key Step1

  2. Add new global credentials.

    • In the Kind drop-down list, select Secret text.
    • Enter apiKey in the ID field
    • Enter your API key in the Secret field.
    • Enter a description to identify the key

Add Credentials

Define Jenkins Job

Api key Step1

  1. Add a Secret text binding to your Jenkins project configuration and enter the following information:

    Api key Step1 Api key Step1 Api key Step1

    • Variable: Enter the name apiKey
    • Credentials: Select specific credentials and choose the one defined in step 1
  2. Add a Run Ostorlab Security Scanner build step to your Jenkins project configuration and enter the following information:

    Api key Step1 Api key Step1

    • File Path: Enter the full path to the mobile application file that you want to scan.
  3. Click on Advanced settings to configure your run:

    • Title: Enter the mobile application path
    • Platform: Select whether the platform is Android or iOS
    • Plan: Select the type of the scan, SAST, DAST or SAST+DAST+BACKEND
    • Wait for Results: Suspend job until security analysis completes or times out
    • Max Wait Time (in minutes): Duration to wait before the job times out
    • Break Build on higher Security Risk threshold: If selected, the Jenkins job will fail if the findings risk equals or exceeds the specified thresholds (see below).
    • Security Risk Threshold: Minimum Risk threshold that will cause a build to fail Api key Step1
  4. Kick off build Kick off your mobile builds and you will see the scan risk in the artifacts folder. Api key Step1

Define Jenkins Pipeline

Api key Step1

Sample step to run the scan

pipeline {
    agent any
    environment {
        apiKey = credentials('apiKey')
        jsonCredentials = "${params.Credentials}"
    }
    parameters { string(name: 'Credentials', defaultValue: '[{"name": "username", "value": "MyUsername"}, {"name": "password", "value": "MyPassword"}]', description: '') }
    stages {
        stage('security-test') {
            steps {
                step([$class: 'OPlugin', apiKey:env.apiKey, Jsoncredentials:env.jsonCredentials, filePath: '/home/asasas/IdeaProjects/ostorlab-plugin/work/workspace/as/InsecureBankv2.apk', scanProfile: 'Fast Scan', platform: 'android'])
            }
        }
    }
}

The list of parameters supported:

  • filePath: (Mandatory) Enter the mobile application path
  • apiKey: (Mandatory) Enter the API key to authenticate the API requests.
  • scanProfile: Select the scan profile to run. You can choose between Fast Scan for rapid static analysis or Full Scan for full Static, Dynamic and Backend analysis.
  • platform: Set the platform type [android, ios]
  • waitForResults: (Optional) Suspend job until security analysis completes or times out
  • waitMinutes: (Optional) Duration to wait before the job times out
  • breakBuildOnScore: (Optional) If set to true, the step will fail if the findings risk equals or exceeds the thresholds.
  • riskThreshold: (Optional) Minimum Risk threshold that will cause a build to fail
  • JsonCredentials: (Optional) Credentials to use for the dynamic testing. It should be a string as valid JSON.
    [{"name": "username", "value": "MyUsername"}, {"name": "password", "value": "MyPassword"}]
    
  • title: (Optional) Enter the scan title