How to Integrate Netsparker Cloud with an Issue Tracking System

Integrating Netsparker Cloud with an issue tracking system means that you can have vulnerabilities identified during a web application security scan automatically created as issues in your issue tracking system.

This type of integration in Netsparker Cloud is called Endpoint Integration. Currently, Netsparker supports out-of-the-box integration with TFS, JIRA, GitHub and Manuscript.

Configuring Endpoint Integration

In this example, we will use two websites and two different JIRA projects to illustrate how you can configure multiple integrations.

Introduction to the Test Setup

  • The first website is a PHP website, for which we have a Kanban Project on JIRA. For this website, we will configure the integration so that all vulnerabilities of Medium or higher severity are automatically created as issues in JIRA.
  • The second website is an ASP website, for which we have a Scrum Project on JIRA. For this website, we will configure the integration so that all vulnerabilities of Important or higher severity are automatically created as issues in JIRA.

Configuring the Integration

Integrations, regardless of the issue tracking system used, are configured in Netsparker Cloud.

To configure an integration
  1. From the main menu, click Integrations, then New Integration. The Issue Tracking Systems section is displayed.

Configuring the Integration - New Integration

  2. In this example, we are integrating Netsparker Cloud with JIRA. Click Integrate JIRA. The New Integration window is displayed.

Integrating Netsparker Cloud into JIRA

  3. Complete the project details: Name, URL, Username or Email, Password and the remaining fields. Hover the mouse over the tooltip icon to view additional details for each one. Because Netsparker Cloud stores these credentials and uses them to create issues on your behalf, use a dedicated account that has only the permissions it needs in the target project (creating and commenting on issues), rather than a personal or administrative account.
  4. Before saving, you can test the integration with a sample issue by clicking Create Sample Issue. If the issue is created successfully, a green success notification is displayed at the top of the window together with a clickable issue number (in this example, 'KP-34'). If it fails, check the URL, the credentials and the account's permission to create issues in that project.
  5. Click Save.

 Create Sample Issue

  6. Click the issue number in the green success notification to open the issue in a new browser tab in your issue tracking system. (This shows a sample JIRA issue.)

The issue Netsparker Cloud sent to JIRA

  7. To add additional projects (such as an ASP project), repeat the instructions.

Managing Integrations

Once you have configured the integrations, you can view them in the Manage Integrations window (from the main menu, click Integrations, then Manage Integrations).

You can use the buttons to Clone, Edit or Delete an existing integration.

Two JIRA projects have been integrated into Netsparker Cloud

Configuring the Automatic Recreation of Vulnerabilities

Now that Integrations for both projects are configured, you can configure the associated Notifications. Notifications are rules that specify which scan event, which severities and which website cause vulnerabilities to be created in your issue tracking system, and which integration endpoint they are sent to.


Netsparker Cloud Notifications

Configuring a Notification to Report Vulnerabilities in an Issue Tracking System

In this example, we will only configure a notification for a PHP project. The steps for creating a notification for an ASP project are the same.

To create a new notification
  1. From the main menu, click Notifications, then New Notification.

Configuring a Send To notification to send vulnerabilities to JIRA 

  2. Complete the following fields:
    • Name
    • Event (the event that triggers the notification, usually Scan Completed; only the Scan Completed event supports Issue Tracking System endpoints)
    • Lowest Severity (the least severe vulnerability level that is still sent to the issue tracking system; everything at that level or above is sent)
    • Scope (in this example, just one website)
    • Website
    • Integration Endpoints (in this example, a JIRA - Kanban project)
  3. Click Save.

Viewing Notifications While Creating a New Scan

Once you have configured notifications, you can view them when creating a scan for that target (from the Scans menu, click New Scan).

In our example, if any Critical, Important or Medium severity vulnerabilities are found during a scan, they are created as issues in the integrated project ('JIRA - Kanban Project'). Low and Information severity findings are not sent automatically, but can still be sent manually as described below.

The configured JIRA notifications can be reviewed in the Notifications tab

Reviewing the Scan Results and Imported Vulnerabilities

If a vulnerability has already been automatically created in your issue tracking system (because it met the criteria of a configured Notification, see Configuring the Automatic Recreation of Vulnerabilities), its issue number is displayed next to the vulnerability in the scan results.

Once you have configured the integration, a new Send To button is added to every reported vulnerability listed in the scan results. This enables you to send the vulnerability to any of the integrated projects.

Sending a vulnerability to JIRA

In this example, all vulnerabilities in this scan with Medium (or higher) severity have already been automatically sent to the issue tracking system. You can view the details saved in your issue tracking system by clicking on the issue number.
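The following is an added example, not Netsparker's own code, that models what the Lowest Severity rule and the "already created" check above amount to: a scan's findings are filtered to those at or above the configured threshold that do not yet carry an issue key, and a JIRA create-issue request body is built for each. The severity ordering (Critical, Important, Medium, Low, Information), the scan results, the project key 'KP' and the issue type 'Bug' are assumptions for this example; the request body follows the JIRA REST API v2 create-issue format. Running the file performs a dry run and prints the payloads; `send_to_jira` is the only function that touches the network and is not called by default.

```python
import base64
import json
import urllib.request

# Severity scale, most severe first. "Important" is the name the page uses for the
# level below Critical; the full ordering is an assumption for this example.
SEVERITY_ORDER = ["Critical", "Important", "Medium", "Low", "Information"]
RANK = {name: i for i, name in enumerate(SEVERITY_ORDER)}

# Constructed scan results standing in for a Netsparker Cloud report (not real data).
# "issue" holds the tracker key when the finding has already been sent.
SAMPLE_SCAN = {
    "website": "http://php.example.test",
    "vulnerabilities": [
        {"id": "v1", "title": "SQL Injection", "severity": "Critical", "url": "/login.php", "issue": None},
        {"id": "v2", "title": "Cross-site Scripting", "severity": "Important", "url": "/search.php", "issue": None},
        {"id": "v3", "title": "Password Transmitted over HTTP", "severity": "Medium", "url": "/login.php", "issue": "KP-34"},
        {"id": "v4", "title": "Version Disclosure (PHP)", "severity": "Low", "url": "/", "issue": None},
        {"id": "v5", "title": "Autocomplete Enabled", "severity": "Information", "url": "/login.php", "issue": None},
    ],
}


def meets_threshold(severity, lowest):
    """True when `severity` is `lowest` or more severe (a lower rank is more severe)."""
    if severity not in RANK or lowest not in RANK:
        raise ValueError(f"unknown severity: {severity!r} / {lowest!r}")
    return RANK[severity] <= RANK[lowest]


def select_for_tracker(scan, lowest="Medium"):
    """Apply a Scan Completed notification rule: keep vulnerabilities at or above
    `lowest` that do not already carry an issue key, so nothing is sent twice."""
    return [v for v in scan["vulnerabilities"]
            if meets_threshold(v["severity"], lowest) and not v["issue"]]


def jira_payload(vuln, website, project_key="KP", issue_type="Bug"):
    """Build a JIRA REST API v2 create-issue body for one vulnerability."""
    return {"fields": {
        "project": {"key": project_key},
        "issuetype": {"name": issue_type},
        "summary": f"[{vuln['severity']}] {vuln['title']} at {vuln['url']}",
        "description": f"Website: {website}\nURL: {vuln['url']}\nSeverity: {vuln['severity']}\n"
                       f"Scanner finding id: {vuln['id']}",
        "labels": ["netsparker", vuln["severity"].lower()],
    }}


def send_to_jira(payload, base_url, user, secret):
    """POST the body to JIRA and return the new issue key (for example 'KP-35').
    Not called in the dry run. `secret` is a password or, on JIRA Cloud, an API token."""
    creds = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/rest/api/2/issue",
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Basic {creds}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)["key"]


def dry_run(scan, lowest="Medium"):
    """Return the payloads the rule would send, without contacting JIRA."""
    return [jira_payload(v, scan["website"]) for v in select_for_tracker(scan, lowest)]


if __name__ == "__main__":
    for body in dry_run(SAMPLE_SCAN, "Medium"):
        print(json.dumps(body, indent=2))
```

With the threshold set to Medium, the dry run produces two payloads (the Critical and Important findings); the Medium finding is skipped because it already has the key KP-34, and the Low and Information findings fall below the threshold, which matches the behaviour described for the PHP project above.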

Sending Vulnerabilities Manually to an Issue Tracking System

Not every vulnerability is created in your issue tracking system, because not every vulnerability will have met the configured criteria.

To manually send a vulnerability to an issue tracking system
  1. From the Scans menu, click Recent Scans, then Report next to the relevant scan.
  2. In the Technical Report section, click Send To, and from the dropdown, select the relevant project.
  3. Once the issue is imported into your issue tracking system, you will be notified by Netsparker Cloud. This notification will include the issue number, as illustrated.

 A confirmation that a vulnerability was successfully sent to JIRA

Sending Multiple Vulnerabilities Manually

You can send multiple vulnerabilities manually to your issue tracking system.

To manually send multiple vulnerabilities to an issue tracking system
  1. From the main menu, click Issues, then To Do.
  2. Check the checkbox for each issue you want to send.
  3. Click Send To and from the dropdown, select the relevant project.
  4. The issues are imported into your issue tracking system.

Sending multiple vulnerabilities as issues to JIRA

For more information on managing issues in Netsparker Cloud refer to Using the Netsparker Cloud Web Vulnerability Tracking System.

Tracking and Logs of Issues Sent to Issue Tracking System

When a vulnerability is sent to your issue tracking system, Netsparker Cloud creates a record in the Issue’s history, as illustrated.

A log entry is created when a vulnerability is sent to JIRA

In our example, there are two records related to the integration:

  • One of them was sent manually by a user (username recorded: 'Jira User')
  • The other log entry was generated when the issue was automatically sent via the configured Notification we created before (username: 'System')
