Rapid7 InsightAppSec Jira Integration

https://www.rapid7.com/products/insightappsec/ ) aside from on-prem DAST solution (https://www.rapid7.com/products/appspider/) while both works fine InsightAppsec has some advantages over Appspider Pro. One thing to know is that InsightAppSec uses a bit modified version of Appspider Pro as scanning Engine. InsightAppSec was released on July 2017 and has gone under a lot of improvement. For announcement information you can read https://blog.rapid7.com/2017/07/19/announcing-insightappsec-cloud-powered-application-security-testing/ and for the release notes you can read https://help.rapid7.com/insightappsec/release-notes/ to see what has been developed since then. As usual Rapid7 updates its products every 2 weeks which you can also see on Release Notes. This document we will focus on Jira Integration of InsightAppSec which was release on November 2017 with following blog entry https://blog.rapid7.com/2017/11/28/insightappsec-feature-highlights-on-premise-engines-jira-integration-and-more/ For a brief documentation you can see at official documentation for InsightAppSec Jira Integration https://insightappsec.help.rapid7.com/docs/ticketing-integration but here we will go step-by-step.

  • First thing you require is to have an Atlassian Jira account. If you have already have access to this you may skip but if not go to http://www.atlassian.com and click on following “Try free” button
  • Then click on Jira Cloud version
  • Since we only do it for ticketing purpose we will select Jira Software only without documentation (wiki, Confluence)
  • Fill in the form. Claim your site is important as this will be our URL. Click on “Sign up”
  • In your email box check the email. Verify yourself by clicking “Yes, verift me!” link
  • After clicking Verify me you will see following 2 page to set your experience
  • And here set your experience level for your team etc.
  • Now for template we will simply choose what was suggested. As Jira has changed their classical Dashboards with this recently on July 2018 (https://confluence.atlassian.com/jirasoftwarecloud/introducing-your-new-jira-experience-937886012.html )
  • We will create a project named “InsightAppSec”
  • After that we see our project page with new style. Click on Project Settings  
  • Click on Add Issue type and add And add “Bug” and “Task”
We will be using iasadmin@ikaruslab.com on InsightAppSec UI to integrate with Jira.
  • Next step will be to get a trial from InsightAppSec. URL to have trial is https://www.rapid7.com/try/insightappsec/. Fill in the form and check your inbox
  • If you have no Rapid7 Platform access you are requested to create a password but If you already have Insight Platform account (if you have used other products of Rapid7 before) you will get an email like. Just login to your platform with your email and password
  • After clicking on “Sign in to Rapid7 Insight” and logging on to platform ( URL is https://insight.rapid7.com) you will see following screen which you can start your trial by only clicking “Start trial” on InsightAppSec
Then on same window After your InsightAppSec trial prepared in 10 seconds you will see
  • When your InsightAppSec trial starts you will see following screens. Simply click on “Dismiss”
  • After clicking Dismiss we have 2 options. First is to scan your own domain and other is to scan Rapid7 domain (www.webscantest.com). As right now we will be interested to integrate with integrating with Jira we will use “Scan a Rapid7 domain
  • After selecting “Scan a Rapid7 domain” you will see
And click on “Add New App” on following window
  • After clicking on “Add New App” we will see following screen. Click on “Scan Now” and to “Recommended-Webscantest”
  • To see the progress go to “Scans” tab and Click on “Scan (<<DATE>>)” button
After clicking on “Scan (<<DATE>>)” button you will see following. You can click on “Scan Logs” to see scan activity
  • At Scan Logs we have two log type “Event Log” or “Platform Event Log”. After seeing logs and progress you can close this log window by clicking on Right and Up X button
  • We will wait for Scan to finish so we will have “Vulnerabilities” tab populated.
  • We can add Jira integration while we wait for the scan. Ticketing integration does not require a scan to be finished or started. So click on “Administration” as following screenshot
  • Then to “Add a new JIRA server”
  • On Next screen fill “Connection Name”, “Server” , “Username” and “Password” and click on “Save” button.
  • If you are authenticated successfully on Jira instance you will see following screen. Here we will add “New Configuration”
  • After clicking on “New Configuration” fill in the “Project Information” tab. Here you need to select App and Jira Project and Jira Issue Type. App is the name of our App. Jira Project and Jira Issue Type will be fetched from Jira instance if we have successfully added our Jira Instance.
  • Then Click on “Status Mapping” you need to map Jira Statuses and InsightAppSec ticket statuses
If you require to add new Status on Jira you can read to add statuses https://confluence.atlassian.com/adminjiracloud/configuring-statuses-resolutions-and-priorities-776636333.html and associate it with a Workflow https://confluence.atlassian.com/adminjiracloud/adding-and-deleting-an-issue-workflow-844500765.html
  • On “Priority Mapping” (This is optional)
You can create a “Custom Field” on Jira visiting https://<<yourinstance>>.atlassian.net/secure/admin/ViewCustomFields.jspa like
  • Last section is “Ticketing Template” tab fill it
  • After saving “Ticketing Template” we go back to Config
  • Now it is time to create tickets. Visit the Scans page of any App for which you have set up a Project Configuration already. Click on One Scan which has status “Complete”
  • Click on Vulnerabilities you want to “Export to Jira” or “Select All”
  • Then click on “Export to Jira” button on above picture. Now it is exporting tickets
  • And after successful export you will see
  • Go back to Jira instance and on Dashboard you will see your tickets created:
  • And you can change status of your ticket from “To Do” to “In Progress” and then to “Done”