NowSecure provides purpose-built, fully automated mobile application security testing (static and dynamic) for your development pipeline. By testing your mobile application binary post-build from Azure, NowSecure ensures comprehensive coverage of newly developed code, third party components, and system dependencies.
NowSecure quickly identifies and details real issues, provides remediation recommendations, and integrates with ticketing systems such as Azure DevOps and Jira.
This integration requires a NowSecure platform license. See https://www.nowsecure.com for more information.
First, find this extension in the Azure DevOps Marketplace
Then install it following Microsoft's instructions on installing Azure DevOps Marketplace extensions.
NOTE: Currently, compatibility is limited to either Windows / Linux running an X64 architecture, or MacOS on ARM.
In order for the extension to work, please make sure you are running on an appropriate vmImage.
To add this component to your CI/CD pipeline, the following should be done:
-
Get a token from your NowSecure platform instance. More information on this can be found in the NowSecure Support Portal.
-
Identify the ID of the group in NowSecure Platform that you want your assessment to be included in. More information on this can be found in the NowSecure Support Portal.
-
Add an Azure DevOps Secret Variable to your project named,
NS_TOKEN. Set this to the value of the token created above. -
Add the following include entry to your project's CI/CD configuration and set your input values:
- task: nowsecure-azure-ci-extension@<tag> inputs: # Required Inputs group: "<group-ref>" token: $(NS_TOKEN) binary_file: "<path-to-binary>" # Recommended Optional Inputs minimum_score: 70 analysis_type: static artifact_dir: '$(build.artifactStagingDirectory)/NowSecureArtifacts'
Where:
taskis specifying the task to run. In the example,<tag>is the release tag of thenowsecure-azure-ci-extensionthat you want to use. At time, NowSecure recommends setting this to0.groupis the NowSecure platform group to use.<group-ref>is the group ID acquired above.tokenis the token used to communicate with the NowSecure API. This token should be the Azure DevOps Secret Variable set above.binary_fileis the binary that is to be uploaded to NowSecure. In the example,<path-to-binary>should be set to the filepath for the IPA/apk that is to be uploaded. Ideally this will be an artifact of a previous build step in a pipeline.minimum_scoreis the score that your assessment needs to exceed. If it does not, your pipeline will fail. This is valuable to ensure that your application's security scores do not decline as new versions are released.analysis_typeis the type of assessment that you want to run. By default, NowSecure recommends running a static assessment on pull requests and a full assessments on a tagged release.artifact_diris the directory where assessment results should be stored. In the example above, artifacts are stored in a subdirectory of the default$(build.artifactStagingDirectory)namedNowSecureArtifacts.
The NowSecure Azure CI Extension supports the following parameters:
| Name | Mandatory | Type | Description | Default Value |
|---|---|---|---|---|
group |
true | string | Defines the group reference that is used to trigger assessments. Information on how to get the group reference can be found in theNowSecure Support Portal | |
token |
true | string | Defines the token used to communicate with the NowSecure API. This token should be stored as a secret. Information on how to create a token can be found in the NowSecure Support Portal. | |
binary_file |
true | string | Defines the path to the mobile application binary to be processed by NowSecure | |
ui_host |
false | string | Defines the NowSecure base UI to use. This will not change unless you are leveraging a single tenant. | https://app.nowsecure.com |
api_host |
false | string | Defines the NowSecure base API to use. This will not change unless you are leveraging a single tenant. | https://lab-api.nowsecure.com |
log_level |
false | string | Defines the log level set for the NowSecure analysis task. | info |
analysis_type |
false | string | Defines the type of analyst that you want to run. Options are static for a static only assessment or full for both a static and dynamic assessment. |
static |
artifacts_dir |
true | string | Defines the directory for nowsecure artifacts to be output to. In the case of the default assessment results would be ./artifacts/nowsecure/assessment.json |
|
polling_duration_minutes |
false | number | Defines the length of time (in minutes) to poll for job completion. | If analysis_type is static, 30. If full, 60 |
minimum_score |
false | number | Defines the score under which an assessment will fail | -1 |
The following is a sample pipeline that builds an Android application and runs a static assessment on it
pool:
vmImage: "ubuntu-latest"
steps:
- task: Gradle@4
inputs:
cwd: ""
wrapperScript: "gradlew"
gradleOpts: "-Xmx3072m"
publishJUnitResults: false
testResultsFiles: "**/TEST-*.xml"
tasks: "assembleDebug"
- task: CopyFiles@2
inputs:
contents: "**/*.apk"
targetFolder: "$(build.artifactStagingDirectory)"
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: "$(build.artifactStagingDirectory)"
artifactName: "apk"
artifactType: "container"
- task: [email protected]
inputs:
# Required inputs
group: "0000-00000-0000-0000"
token: $(NS_TOKEN)
binary_file: "$(build.artifactStagingDirectory)/binary.apk"
# Common optional parameters
minimum_score: 70
analysis_type: static
polling_duration_minutes: 30
artifact_dir: '$(build.artifactStagingDirectory)/NowSecureArtifacts'Note: The nowsecure-azure-extension task is the main task for security analysis and other tasks above are used to generate Android apk file.
You can add task to publish artifacts (API results) from the NowSecure Azure Extension task as shown:
- task: PublishBuildArtifacts@1
inputs:
pathToPublish: "$(build.artifactStagingDirectory)/NowSecureArtifacts"
artifactName: "nowsecure_results"
artifactType: "container"To enable debug-level logging for troubleshooting of the NowSecure Azure Extension, add the log_level input with the 'debug' option as shown below:
- task: nowsecure-azure-extension@1
inputs:
# Required inputs
group: "0000-00000-0000-0000"
token: $(NS_TOKEN)
binary_file: "$(build.artifactStagingDirectory)/binary.apk"
# Enable Debug Level Logging
log_level: "debug"