Ethiack Blog

Catch them early: Integrate Automated Pentesting in your CI/CD Pipeline

Written by Hugo Ferreira | 16/05/24 10:00

If there’s a good time to catch a vulnerability, it’s before it even reaches production.

Our AI Automated Pentesting was always focused on testing your external assets from the perspective of an external attacker, either in a black-box or grey-box scenario. However, the best moment to test is before the code even goes to production.

This is why we launched integrations with GitHub, GitLab, and Jenkins. In this article, we go over why these integrations matter, how they work, and how to set them up.

Testing in your CI/CD Pipeline lowers your Risk Score

Our goal with launching these integrations was to enable you to create a more robust and secure pipeline. Our Artificial Hackers have already proven to be extremely powerful: they produce fewer than 0.5% false positives and, on average, detect an impactful vulnerability (one with a CVSS score of 4.0 or higher) 20% of the time.

After enabling one of the integrations, you’ll have this same technology testing your code alongside all your other tests - before any new code hits production.

If vulnerabilities are found, the CI/CD pipeline will fail. Naturally, you can customize your preferences: for example, you can let findings with a CVSS score of 0 pass while still blocking any commit that contains vulnerabilities.
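To make the gating rule concrete, here is an added illustration in Python. It is not Ethiack's integration code (the article does not describe the report format the integrations use), so the input format is an assumption: a JSON list of findings, each with a `title` and a numeric `cvss` score. The gate lets score-0 findings pass, fails the job when any finding is at or above the configured threshold, and fails closed on a finding whose score is missing or unparseable.

```python
"""Fail a CI/CD job when pentest findings exceed a CVSS threshold.

Added illustration, not Ethiack's own integration code. The findings
format is assumed: a JSON list of objects with a "title" and a numeric
"cvss" score. Exit status 0 means the job may proceed; 1 means block.
"""
import json
import sys
from typing import Iterable, List

# Constructed sample report for offline use (not real scanner output).
SAMPLE_REPORT = json.dumps([
    {"title": "Server header discloses software version", "cvss": 0.0},
    {"title": "Missing Content-Security-Policy header", "cvss": 3.1},
    {"title": "Reflected cross-site scripting in search form", "cvss": 6.1},
])


def blocking_findings(findings: Iterable[dict], min_cvss: float) -> List[dict]:
    """Return the findings that should block the pipeline.

    A finding blocks when its CVSS score is at or above min_cvss. Using a
    min_cvss just above 0 (e.g. 0.1) lets score-0 findings through while
    blocking everything else, which is the policy the article describes.
    A finding with a missing or unparseable score also blocks: the gate
    fails closed instead of silently passing bad data.
    """
    blocking = []
    for finding in findings:
        try:
            score = float(finding["cvss"])
        except (KeyError, TypeError, ValueError):
            blocking.append(finding)
            continue
        if score >= min_cvss:
            blocking.append(finding)
    return blocking


def gate(report_json: str, min_cvss: float) -> int:
    """Parse a report and return the exit status the CI job should use."""
    findings = json.loads(report_json)
    blocked = blocking_findings(findings, min_cvss)
    for finding in blocked:
        print(f"BLOCKING (CVSS {finding.get('cvss', '?')}): {finding.get('title', '?')}")
    return 1 if blocked else 0


if __name__ == "__main__":
    # Usage: python gate.py [report.json] [min_cvss]
    # With no arguments the constructed sample report is used, and the
    # default threshold of 0.1 blocks every finding scored above 0.
    report_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = float(sys.argv[2]) if len(sys.argv) > 2 else 0.1
    sys.exit(gate(report_text, threshold))
```

Run as the last step of the test stage; a non-zero exit fails the job, so a commit that introduces a scored finding never reaches the deploy stage. Raising the threshold to 4.0 reproduces the "impactful vulnerabilities only" policy mentioned earlier in the article.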

After deployment, your code will still be tested in a black-box scenario and, if you enabled it in the Portal, in a grey-box scenario. This includes any new vulnerabilities we add to the Artificial Hackers' knowledge over time.

Having these integrations in place greatly improves your security posture, because attackers use automated testing tools of their own to detect vulnerabilities. Any vulnerability exposed in production can therefore be found, and exploited, by them.

Setting Up the Integrations

Set-up instructions vary depending on whether you use GitHub, GitLab, or Jenkins. We'll walk through the GitHub instructions here; detailed instructions for GitLab and Jenkins are available separately.

Get Started with our CI/CD Integrations

As you’ve realized by now, using our Artificial Hackers to test your assets before deployment carries huge security advantages. Therefore, I’d like to lay out what you should do next:

  • If you’re not already registered in the Portal, click here to create your account and start your 30-day trial.
  • If you’re interested in enabling one of the integrations, schedule a call with our sales team. They’ll guide you through the steps.
  • Once activated, follow the steps in our Knowledge Base or reach out to our support team through the live chat in case you have further questions.

And that’s it! Start testing for vulnerabilities before attackers even have the chance to spot them.

Stay secure!