{"id":10342,"date":"2018-12-04T17:02:34","date_gmt":"2018-12-04T17:02:34","guid":{"rendered":"http:\/\/abstracta.us\/blog\/?p=10342"},"modified":"2025-05-05T21:23:33","modified_gmt":"2025-05-05T21:23:33","slug":"security-testing-continuous-integration-vaddy","status":"publish","type":"post","link":"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/","title":{"rendered":"Security Testing in Continuous Integration with VAddy"},"content":{"rendered":"<h1><span style=\"font-weight: 400;\">Integrate VAddy with your CI tools for robust security checks, automatically<\/span><\/h1>\n<p><span style=\"font-weight: 400;\">If you have Continuous Integration in place, it\u2019s a great idea to add in some <\/span><a href=\"https:\/\/abstracta.us\/insights\/guide-continuous-testing\/security-testing#breadCrumb\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">security checks to the pipeline<\/span><\/a><span style=\"font-weight: 400;\">. We all know about the threat that hacks and data breaches pose for every business. According to a 2017 survey by <\/span><a href=\"https:\/\/www.businesswire.com\/news\/home\/20170928005774\/en\/U.S.-Businesses-Hacked\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">HSB<\/span><\/a><span style=\"font-weight: 400;\">, over half of all US businesses have been hacked. 
There\u2019s no easier way to lose the confidence of your users and clients than suffering a hack!<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So, in this post, I\u2019ll share an easy way to use <\/span><a href=\"https:\/\/vaddy.net\/\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">VAddy<\/span><\/a><span style=\"font-weight: 400;\">, a tool that runs in its own cloud, to automate the following security tests:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">XSS<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">SQL Injection<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Remote File Inclusion<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Directory Traversal<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Command Injection<\/span><\/li>\n<\/ul>\n<h2><span class=\"ez-toc-section\" id=\"Why_VAddy\"><\/span><strong><span style=\"color: #00b674;\">Why VAddy?<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">According to its website, VAddy helps developers code securely and find vulnerabilities in new features, keeps teams from running security scans at the last minute, and identifies bad coding trends. It\u2019s useful because it\u2019s compatible with all languages, integrates easily with CI tools like Jenkins and Travis CI, and performs security checks and audits automatically on every build.<\/span><\/p>\n<p><span style=\"font-weight: 400;\">So, let\u2019s dive in!<\/span><\/p>\n<p><span style=\"font-weight: 400;\">Note: if you want to get more details on how to use VAddy, <\/span><a href=\"https:\/\/support.vaddy.net\/hc\/en-us\" target=\"_blank\" rel=\"noopener\"><span style=\"font-weight: 400;\">check the documentation<\/span><\/a><span style=\"font-weight: 400;\">. 
What we want to share here is a brief introduction to give you an idea of how easy it is to integrate the tool into your pipeline.<\/span><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Setting_Up_VAddy\"><\/span><strong><span style=\"color: #00b674;\">Setting Up VAddy<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">Once you create a VAddy account, you\u2019ll need to declare the application that you want to test. To do so, you need to add a new server inside the VAddy administration console. Once that\u2019s done, you have to verify that you own this server so that not just anyone can scan your site. For this, VAddy provides a verification file that must be added to the web root of the web application that you want to scan. Then, if you enter your administration console, you can see that the server is now verified.<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-1-1024x189-min.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-10343\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-1-1024x189-min-1024x189.png\" alt=\"VAddy screenshot\" width=\"1024\" height=\"189\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Once you have the server verified, you need to define what you want to scan inside the server. First of all, you must decide whether you want to do a full scan of the site or check only some resources. 
This is done in the VAddy section called Proxy Crawling.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">There are two ways to define the URL set to be scanned:<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><b>Full Scan<\/b><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">1. Configure your browser to use the following proxy: 54.92.84.100:10080.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">2. After that, the following screen shows the instructions and indicates the URL to open in order to start crawling.<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/crawl_04_en-min.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-10344\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/crawl_04_en-min.png\" alt=\"VAddy crawl\" width=\"710\" height=\"388\" \/><\/a><\/p>\n<p><a href=\"https:\/\/support.vaddy.net\/hc\/en-us\/articles\/115005935107-Step-2-Crawling\" target=\"_blank\" rel=\"noopener\">Image source<\/a><\/p>\n<p><span style=\"font-weight: 400;\">3. Access the URLs of your site that you want to test, for example: http:\/\/open-cart.azurewebsites.net<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">4. 
Go to the URL shown in the image above to stop recording the \u201cCrawl Data\u201d.<\/span><\/p>\n<p><b>Simple Scan<\/b><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">VAddy allows you to manually enter up to 3 user-defined URLs from its interface, as shown here:<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-2-1024x432-min-1.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-10345\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-2-1024x432-min-1-1024x432.png\" alt=\"VAddy simple scan\" width=\"1024\" height=\"432\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">Whichever of the two methods you use, once you define the URLs to test, VAddy generates a Crawl Data record containing the defined set of URLs.<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-3-1024x188-min.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-10346\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-3-1024x188-min-1024x188.png\" alt=\"VAddy crawl status\" width=\"1024\" height=\"188\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">To run the site scan from the VAddy interface, you must indicate the Crawl ID that you want to test against. 
Optionally, you can indicate a label so that you don\u2019t have to remember which ID is related to which set of URLs.<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-4-768x478-min-1-e1543943246156.png\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-10347\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-4-768x478-min-1-e1543943246156.png\" alt=\"run VAddy scan\" width=\"500\" height=\"311\" \/><\/a><\/p>\n<p><span style=\"font-weight: 400;\">VAddy will run the automated tests, and once they\u2019re done you can see in the console which tests passed the security check and which did not.<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-5-1024x148-min.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-10348\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-5-1024x148-min-1024x148.png\" alt=\"VAddy results\" width=\"1024\" height=\"148\" \/><\/a><\/p>\n<h2><span class=\"ez-toc-section\" id=\"Integrating_VAddy_with_Travis_CI\"><\/span><strong><span style=\"color: #00b674;\">Integrating VAddy with Travis CI<\/span><\/strong><span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p><span style=\"font-weight: 400;\">To integrate it with Travis CI, the first step is to generate an API Key, which is done in the VAddy interface via the menu option User -&gt; WebAPI. 
Then, you must copy the VAddy API repository (https:\/\/github.com\/vaddy\/vaddy-api-ruby) into the GitHub account associated with Travis and create the following files:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Rakefile<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">Gemfile<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">.travis.yml<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">These files indicate which gems are needed to run the API (it is written in Ruby) and which .rb file will execute the scan.<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\"><br \/>\n<\/span><span style=\"font-weight: 400;\">After this step, the following environment variables must be created in Travis, by opening the VAddy repository settings from Travis:<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-6-1024x348-min.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-10349\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-6-1024x348-min-1024x348.png\" alt=\"VAddy Travis CI\" width=\"1024\" height=\"348\" \/><\/a><\/p>\n<ul>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">VADDY_CRAWL_ID = ID or label of the set of URLs to be scanned. This parameter is optional; if it is not set, the most recently defined Crawl ID will be used.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">VADDY_HOST = URL of the server to be scanned.<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">VADDY_TOKEN = the API Key generated previously (treat it as a secret and keep it out of build logs).<\/span><\/li>\n<li style=\"font-weight: 400;\"><span style=\"font-weight: 400;\">VADDY_USER = VAddy user.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400;\">There you have it! 
Performing all the steps above should be enough to run the scan correctly from Travis CI.<\/span><\/p>\n<p><a href=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-7-1024x459-min.png\"><img decoding=\"async\" class=\"aligncenter size-large wp-image-10350\" src=\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-7-1024x459-min-1024x459.png\" alt=\"VAddy Travis CI integration\" width=\"1024\" height=\"459\" \/><\/a>Have you used VAddy before for security tests in continuous integration?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Integrate VAddy with your CI tools for robust security checks, automatically If you have Continuous Integration in place, it\u2019s a great idea to add in some security checks to the pipeline. 
We all know about the threat that hacks and data breaches pose for every&#8230;<\/p>\n","protected":false},"author":5,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[302],"tags":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v14.0.2 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Security Testing in Continuous Integration with VAddy | Abstracta<\/title>\n<meta name=\"description\" content=\"For security tests in continuous integration, VAddy is a great tool that can integrate with your pipeline. Here&#039;s how to get it set up!\" \/>\n<meta name=\"robots\" content=\"index, follow\" \/>\n<meta name=\"googlebot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta name=\"bingbot\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Security Testing in Continuous Integration with VAddy | Abstracta\" \/>\n<meta property=\"og:description\" content=\"For security tests in continuous integration, VAddy is a great tool that can integrate with your pipeline. 
Here&#039;s how to get it set up!\" \/>\n<meta property=\"og:url\" content=\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/\" \/>\n<meta property=\"og:site_name\" content=\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/AbstractaQA\/\" \/>\n<meta property=\"article:published_time\" content=\"2018-12-04T17:02:34+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-05-05T21:23:33+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/security-min.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"560\" \/>\n\t<meta property=\"og:image:height\" content=\"315\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@fltoledo\" \/>\n<meta name=\"twitter:site\" content=\"@AbstractaUS\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebSite\",\"@id\":\"https:\/\/abstracta.us\/blog\/#website\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Blog about AI-powered quality engineering for teams building complex software | Abstracta\",\"description\":\"AI-powered quality engineering\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":\"https:\/\/abstracta.us\/blog\/?s={search_term_string}\",\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/#primaryimage\",\"inLanguage\":\"en-US\",\"url\":\"http:\/\/abstracta.us\/wp-content\/uploads\/2018\/12\/vaddy-1-1024x189-min-1024x189.png\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/#webpage\",\"url\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/\",\"name\":\"Security Testing in Continuous Integration with VAddy | Abstracta\",\"isPartOf\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/#primaryimage\"},\"datePublished\":\"2018-12-04T17:02:34+00:00\",\"dateModified\":\"2025-05-05T21:23:33+00:00\",\"author\":{\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/7421e539de0357d3adb0c69ed469a1c2\"},\"description\":\"For security tests in continuous integration, VAddy is a great tool that can integrate with your pipeline. 
Here's how to get it set up!\",\"breadcrumb\":{\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/\",\"url\":\"https:\/\/abstracta.us\/blog\/\",\"name\":\"Home\"}},{\"@type\":\"ListItem\",\"position\":2,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/\",\"url\":\"https:\/\/abstracta.us\/blog\/security-testing\/\",\"name\":\"Security Testing\"}},{\"@type\":\"ListItem\",\"position\":3,\"item\":{\"@type\":\"WebPage\",\"@id\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/\",\"url\":\"https:\/\/abstracta.us\/blog\/security-testing\/security-testing-continuous-integration-vaddy\/\",\"name\":\"Security Testing in Continuous Integration with VAddy\"}}]},{\"@type\":[\"Person\"],\"@id\":\"https:\/\/abstracta.us\/blog\/#\/schema\/person\/7421e539de0357d3adb0c69ed469a1c2\",\"name\":\"Federico Toledo, Chief Quality Officer at Abstracta\",\"image\":{\"@type\":\"ImageObject\",\"@id\":\"https:\/\/abstracta.us\/blog\/#personlogo\",\"inLanguage\":\"en-US\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/6de7ec6536c4028b5c02ad4ec1b9af0d?s=96&d=blank&r=g\",\"caption\":\"Federico Toledo, Chief Quality Officer at Abstracta\"},\"description\":\"Co-founder and COO of Abstracta\",\"sameAs\":[\"https:\/\/twitter.com\/fltoledo\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/10342"}],"collection":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/comments?post=10342"}],"version-history":[{"count":8,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/10342\/revisions"}],"predecessor-version":[{"id":17548,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/posts\/10342\/revisions\/17548"}],"wp:attachment":[{"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/media?parent=10342"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/categories?post=10342"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/abstracta.us\/blog\/wp-json\/wp\/v2\/tags?post=10342"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}