How to Get Instant Java Web Security Vulnerability Alerts in GitHub
Learn more about adding vulnerability alerts in GitHub.
Join the DZone community and get the full member experience.Join For Free
If you're building Java web applications or Java Web API's and you want to do your own security testing, wouldn't you rather not run a scanner and wait forever for a PDF report full of all false positives? And wouldn't it be great if those vulnerabilities showed up automatically in GitHub Issues?
We're going to set up automatic and extremely powerful security testing using a tool called Contrast Community Edition, which uses the latest IAST (Interactive Application Security Testing) technology. My company made CE free and full-strength for everyone in order to bring great security to all the developers in the world that can't afford commercial static and dynamic scanners.
The first step is to sign up for a free account at https://www.contrastsecurity.com/ce. Once you get your account, the first thing you want to do is download the Contrast agent. This works just like New Relic or AppDynamics.
Once you download contrast.jar, you can add it to your application with the standard -javaagent:contrast.jar instrumentation flag. Just add this JVM flag to however you launch the JVM.
For example, with Spring Boot applications, you might launch them like this:
java -javaagent:contrast.jar -jar spring-petclinic.jar
Or if you can't figure that out, you might try setting an environment variable, like this:
That's it. Now every time you run the application, Contrast CE will do all the security testing in the background. You don't have to change anything in your code or anything about how you built, test, or deploy your application.
The next thing to do is set up a GitHub integration. In the Contrast dashboard, go to your profile menu (top right) and find the organization settings. Choose the integrations option and you can set up integrations with JIRA, Slack, Visual Studio, Eclipse, etc.
To set up an integration with GitHub issues, all we have to do is enter your GitHub information using https://api.github.com. When you test the connection, then you can select the appropriate GitHub repo. You can configure the types or severities of vulnerabilities that you want to be opened as tickets, but I suggest starting with everything. Then, save your configuration and you're all set.
To do security testing, all you have to do is use your application normally. You can use manual testing, unit tests, a Selenium test suite, or another automated testing. You don't have to hack the application; Contrast evaluates your code in the background. So it's really easy to use and quite powerful. After you've browsed around the application a little bit, go back to GitHub and check your issues. Later, you can hook it up with Maven and Jenkins to run every time you build and test.
Most projects will have a list of new security issues after just a few minutes of browsing around. Contrast covers a broad range of security vulnerabilities, including cross-site request forgery, stored cross-site scripting, Hibernate injection, hard-coded passwords, and the rest of the OWASP Top Ten. The coverage is really amazing.
Each new security issue contains all the details you need to fix it, all the way to the exact line of code, specific SQL query, etc. — you can see exactly what happened. You'll also get great remediation advice and the full HTTP request to use as a test case. You can see these issues in the Contrast dashboard, too.
There's a video of all this here. If you have any questions, you can contact me on Twitter @planetlevel. Good luck!
Opinions expressed by DZone contributors are their own.