How to Integrate Netsparker Cloud with an Issue Tracking System

Integrating Netsparker Cloud with an issue tracking system means that you can have vulnerabilities identified during a web application security scan automatically created as issues in your issue tracking system.

This type of integration in Netsparker Cloud is called Endpoint Integration. Currently, Netsparker Cloud supports out-of-the-box integrations for TFS, JIRA, GitHub and FogBugz.

Configuring Endpoint Integration

In this example we use two websites and two different JIRA projects, to illustrate how you can configure multiple integrations side by side.

Introduction to the Test Setup

  • The first website is a PHP website, for which we have a Kanban project in JIRA. For this website, we will configure the integration so that all vulnerabilities of Medium or higher severity are automatically created as JIRA issues.
  • The second website is an ASP website, for which we have a Scrum project in JIRA. For this website, we will configure the integration so that all vulnerabilities of Important or higher severity are automatically created as JIRA issues.

Configuring the Integration

Integrations, regardless of the issue tracking system used, are configured in Netsparker Cloud.

To configure an integration
  1. From the Notifications menu, click New Integration. The Integrate Netsparker Cloud window is displayed.


  2. In this example, we are integrating Netsparker Cloud with JIRA. Click Integrate JIRA. The New Integration window is displayed.

Configuring the JIRA integration parameters

  1. Complete the following project details: Name, URL, Username or Email, Password and Issue type. Hover the mouse over the tooltip icon to view additional details for each setting. These credentials are saved with the integration, so use a dedicated JIRA account that is only permitted to create issues in the target project, rather than a personal account.
  2. Click Save.
  3. You can also test the integration with a sample issue by clicking Create Sample Issue. If the issue is created successfully, a green success notification is displayed at the top of the window together with a clickable issue number (in this example, 'KP-34').

A sample issue was successfully created in JIRA

  4. Click the issue number to open the issue in a new browser tab in your issue tracking system. (The screenshot displays a sample JIRA issue.)

The issue Netsparker Cloud sent to JIRA

  5. To add additional projects (such as an ASP project), repeat the instructions above.

Managing Integrations

Once you have configured the integrations, you can view them in the Notification Integrations window (from the Notifications menu, click Manage Integrations).

You can use the buttons to Clone, Edit or Delete an existing integration.

Two JIRA projects have been integrated into Netsparker Cloud

Configuring the Automatic Recreation of Vulnerabilities

Now that the integrations for both projects are configured, you can configure the associated Notifications. A Notification is a rule: when vulnerabilities of the specified severity (or higher) are detected in the specified scope, they are created as issues in your issue tracking system through the selected integration endpoint.


Netsparker Cloud Notifications

Configuring a Notification to Report Vulnerabilities in an Issue Tracking System

In this example, we will only configure a notification for a PHP project. The steps for creating a notification for an ASP project are the same.

To create a new notification
  1. From the Notifications menu, click New Notification. The New Notification window is displayed.

Configuring a Send To notification to send vulnerabilities to JIRA

  2. Complete the following fields:
    • Name
    • Event (the trigger, for example Scan Finished)
    • Lowest Severity (the lowest vulnerability severity that will be sent to the issue tracking system; anything more severe is sent too)
    • Scope (in this example, just one website)
    • Website
    • Integration Endpoints (in this example, a JIRA Kanban project)
  3. Click Save.

Viewing Notifications While Creating a New Scan

Once you have configured notifications, you can view them when creating a scan for that target (from the Scans menu, click New Scan).

In our example, any Critical, Important or Medium severity vulnerabilities found during a scan are created as issues in the newly-configured 'JIRA - Kanban Project' integration.

The configured JIRA notifications can be reviewed in the Notifications tab

Reviewing the Scan Results and Imported Vulnerabilities

If a vulnerability has already been automatically created in your issue tracking system (because it met the criteria of a configured Notification), its issue number is displayed next to it, as in the screenshot below.

Once you have configured the integration, a new Send To button is added to every reported vulnerability listed in the scan results. This enables you to send the vulnerability to any of the integrated projects.

Sending a vulnerability to JIRA

In this example, all vulnerabilities in this scan with Medium (or higher) severity have already been automatically sent to the issue tracking system. You can view the details saved in your issue tracking system by clicking on the issue number.

Sending Vulnerabilities Manually to an Issue Tracking System

Not every vulnerability is created in your issue tracking system automatically, because not every vulnerability meets the configured Notification criteria. These can be sent by hand.

To manually send a vulnerability to an issue tracking system
  1. From the Scans menu, click Recent Scans, then Report next to the relevant scan.
  2. In the Technical Report section, click Send To, and from the dropdown, select the relevant project.
  3. Once the issue is imported into your issue tracking system, you will be notified by Netsparker Cloud. This notification will include the issue number, as illustrated.

A confirmation that a vulnerability was successfully sent to JIRA

Sending Multiple Vulnerabilities Manually

You can send multiple vulnerabilities manually to your issue tracking system.

To manually send multiple vulnerabilities to an issue tracking system
  1. From the Issues menu, click To Do.
  2. Check the checkbox for each issue you want to send.
  3. Click Send To and from the dropdown, select the relevant project.
  4. The issues are imported into your issue tracking system.

Sending multiple vulnerabilities as issues to JIRA

Note: If you send an issue that was already sent by someone else, or that was created automatically in JIRA by a Notification, Netsparker Cloud will not create a duplicate issue; the existing issue number is kept.
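The following is an added example, not Netsparker's own code, that models the two behaviours described above: the Notification rule (Lowest Severity, Scope and Integration Endpoint from the New Notification window) applied on the Scan Finished event, and the no-duplicate rule for manual Send To. The Finding, Notification, Integration and Tracker classes, the sample findings and the per-website scope are constructed for illustration; the request body shape follows JIRA's documented POST /rest/api/2/issue endpoint but nothing is sent over the network.

```python
"""Added example (not Netsparker Cloud's code): Lowest Severity rules plus
de-duplicated sending to a stand-in issue tracker. All class names, sample
findings and endpoint names are constructed for illustration."""
from dataclasses import dataclass

# Severity order used on this page (Critical > Important > Medium); Low is
# assumed to sit below Medium.
SEVERITY_RANK = {"Critical": 3, "Important": 2, "Medium": 1, "Low": 0}


@dataclass(frozen=True)
class Finding:
    id: str        # stable vulnerability id, used as the de-duplication key
    website: str
    severity: str
    title: str


@dataclass(frozen=True)
class Notification:
    name: str
    lowest_severity: str
    website: str   # Scope: one website
    endpoint: str  # Integration Endpoint name

    def matches(self, f: Finding) -> bool:
        """True when the finding is in scope and at least Lowest Severity."""
        return (f.website == self.website and
                SEVERITY_RANK[f.severity] >= SEVERITY_RANK[self.lowest_severity])


def jira_issue_payload(project_key: str, issue_type: str, f: Finding) -> dict:
    """Request body for JIRA's POST /rest/api/2/issue."""
    return {"fields": {"project": {"key": project_key},
                       "summary": f"[{f.severity}] {f.title} on {f.website}",
                       "description": f"Netsparker Cloud vulnerability {f.id}",
                       "issuetype": {"name": issue_type}}}


class Tracker:
    """Stand-in for one JIRA project: hands out keys KP-1, KP-2, ..."""
    def __init__(self, project_key: str):
        self.project_key = project_key
        self.issues = {}

    def create(self, payload: dict) -> str:
        key = f"{self.project_key}-{len(self.issues) + 1}"
        self.issues[key] = payload
        return key


class Integration:
    """One configured endpoint: remembers which finding became which issue."""
    def __init__(self, tracker: Tracker, issue_type: str = "Bug"):
        self.tracker = tracker
        self.issue_type = issue_type
        self.sent = {}     # finding id -> issue key
        self.history = []  # (finding id, issue key, actor), the issue log

    def send(self, f: Finding, actor: str):
        """Return (issue key, created). A finding already sent, by anyone
        or by a Notification, is returned as-is and not created again."""
        if f.id in self.sent:
            return self.sent[f.id], False
        key = self.tracker.create(
            jira_issue_payload(self.tracker.project_key, self.issue_type, f))
        self.sent[f.id] = key
        self.history.append((f.id, key, actor))
        return key, True


def on_scan_finished(findings, notifications, integrations):
    """Scan Finished event: apply every rule; the actor is 'System'."""
    created = []
    for n in notifications:
        for f in findings:
            if n.matches(f):
                key, new = integrations[n.endpoint].send(f, actor="System")
                if new:
                    created.append(key)
    return created


def demo():
    # Constructed sample findings for the two websites used on this page.
    findings = [
        Finding("V-1", "php.example", "Critical", "SQL Injection"),
        Finding("V-2", "asp.example", "Important", "Cross-site Scripting"),
        Finding("V-3", "php.example", "Medium", "Password Transmitted over HTTP"),
        Finding("V-4", "php.example", "Low", "Cookie Not Marked as HttpOnly"),
        Finding("V-5", "php.example", "Important", "Cross-site Scripting"),
    ]
    integrations = {"JIRA - Kanban Project": Integration(Tracker("KP")),
                    "JIRA - Scrum Project": Integration(Tracker("SP"))}
    notifications = [
        Notification("PHP to Kanban", "Medium", "php.example", "JIRA - Kanban Project"),
        Notification("ASP to Scrum", "Important", "asp.example", "JIRA - Scrum Project"),
    ]
    kanban = integrations["JIRA - Kanban Project"]
    return {"auto": on_scan_finished(findings, notifications, integrations),
            # manual Send To of the Low finding no rule matched
            "manual_low": kanban.send(findings[3], actor="Jira User"),
            # manual re-send of a finding the rule already created: no duplicate
            "manual_dup": kanban.send(findings[0], actor="Jira User"),
            "history": list(kanban.history)}


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Running it shows the three PHP findings of Medium or higher going to the Kanban project and the one ASP finding going to the Scrum project at scan end, the Low finding only appearing after the manual send, and the re-sent Critical finding returning its existing key with no new issue, which is the behaviour the note above describes.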

For more information on managing issues in Netsparker Cloud refer to Using the Netsparker Cloud Web Vulnerability Tracking System.

Tracking and Logs of Issues Sent to Issue Tracking System

When a vulnerability is sent to your issue tracking system, Netsparker Cloud creates a record in the issue's history, as illustrated.

A log entry is created when a vulnerability is sent to JIRA

In our example, there are two records related to the integration:

  • One of them was sent manually by a user (username recorded: 'Jira User')
  • The other log entry was generated when the issue was automatically sent via the configured Notification we created before (username: 'System')
