Bright Security technical onboarding guide

Bright provides a developer-centric enterprise Dynamic Application Security Testing (DAST) solution. It scans applications and APIs from the outside in, mimicking how an attacker would approach the application, and automatically tests for vulnerabilities that bad actors could exploit.

Unlike legacy DAST tools designed exclusively for expert security users and run only after the application is already in production, Bright’s tool was built to be "developer-first." It empowers developers to build more secure applications and APIs from the early development phases through every stage leading up to and including production, so that vulnerabilities are caught and remediated as early as possible. Scans can start as early as the unit-testing phase of the software development lifecycle and continue from there. Remediating vulnerabilities early saves significant developer time and reduces risk.

The solution is both developer and AppSec friendly, with quick setup, minimal false positives, developer-focused remediation suggestions, the ability to run from a UI or a CLI, and seamless integration with the developer toolchain.

Security testing approach

Bright API security validation is based on three main phases:

  1. Map the API attack surface. Bright can parse and learn the exact valid structure of REST and GraphQL APIs from an OpenAPI Specification (OAS, formerly Swagger) file or from a GraphQL introspection result (the schema description). In addition, Bright can learn API content from HAR files. These methods provide a comprehensive way to visualize the attack surface.
  2. Conduct an attack simulation on the discovered APIs. Once the baseline of the API behavior is known (from step 1), Bright manipulates the requests (payloads, endpoint parameters, and so on) and automatically analyzes each response, verifying both the response code and the content of the response payload to confirm that no vulnerability exists. The attack simulations include the OWASP API Security Top 10, NIST, business logic tests, and more.
  3. Bright provides a clear indication of any found vulnerability, including screenshots to ease the triage and investigation of the issue and suggestions on how to remediate that vulnerability.

Enablement

Bright’s solutions can be purchased through the Azure Marketplace.

Connect your DevOps environments to Microsoft Defender for Cloud

This feature requires connecting your DevOps environment to Defender for Cloud.

See how to onboard your GitHub organizations.

See how to onboard your Azure DevOps organizations.

Configure Bright Security API security testing scan

For GitHub environments

Note

For additional details on how to configure Bright Security for GitHub Actions, along with links to sample GitHub Action workflows, see GitHub Actions. This workflow assumes you have GitHub Code Scanning enabled. If it is enabled, ensure the upload-to-code-scanning option is set to true. If you do not have GitHub Code Scanning enabled, follow the additional steps below in the section Enabling Defender for Cloud integration without GitHub Code Scanning.

Install the Bright Security plugin within your CI/CD pipeline by completing the following steps:

  1. Sign in to GitHub.
  2. Select the repository in which you want to configure the GitHub Action.
  3. Select Actions.
  4. Select New Workflow.
  5. Filter by searching for NeuraLegion in the search box.
  6. Select Configure for the NeuraLegion workflow.
  7. If the APIs to be tested are in an internal environment that requires authentication, create an authentication object following the instructions in Creating authentication.
  8. Define a discovery of the APIs to be tested following the instructions in Discovery.
  9. Run the attack simulation by following the instructions in Creating a modern scan.
  10. Select Commit changes. You can either directly commit to the main branch or create a pull request. We recommend following GitHub best practices by creating a PR, as the default workflow launches when a PR is opened against the main branch.
  11. Select Actions and verify the new action is running.
  12. After the workflow completes, select Security, then select Code scanning to view the results.
  13. Select a Code Scanning alert detected by NeuraLegion. You can also filter by tool in the Code scanning tab; filter on NeuraLegion.

You have now verified that the Bright Security (NeuraLegion GitHub workflow) scan results appear in GitHub Code Scanning. Next, verify that these scan results are available in Defender for Cloud. It might take up to 30 minutes for results to show in Defender for Cloud.

Enabling Defender for Cloud integration without GitHub Code Scanning

If you do not have GitHub Code Scanning enabled for your environment and want to integrate Bright Security scan results into Defender for Cloud, follow these steps. After adding the Bright Security workflow step, add the following steps to your GitHub workflow to send scan results directly to Defender for Cloud using the Microsoft Security DevOps (MSDO) GitHub Action.

      # Download the SARIF report of the scan started earlier in this job.
      # steps.start.outputs.id assumes the Bright run-scan step has id: start;
      # change both together if you rename that step.
      - name: Download SARIF file
        id: sarif
        env:
          api_token: ${{ secrets.BRIGHT_TOKEN }}
          scanId: ${{ steps.start.outputs.id }}
        run: |
          # --fail (-f) makes curl exit non-zero on an HTTP error instead of
          # saving the error body as bright.sarif.gz, which gzip would reject
          # with a misleading "not in gzip format" message.
          curl -fsS "https://app.brightsec.com/api/v1/scans/$scanId/reports/sarif" \
            -H "Authorization: Api-Key $api_token" -o bright.sarif.gz
          gzip -d bright.sarif.gz
      # Keep a copy of the report with the run for later triage.
      - name: Upload SARIF file
        uses: actions/upload-artifact@v4
        with:
          name: BrightSecurity_Report_${{ github.run_id }}
          path: bright.sarif
      # Publish the existing SARIF to Defender for Cloud (needs id-token: write).
      - name: Upload results to MSDO
        uses: microsoft/security-devops-action@v1
        id: msdo
        with:
          existingFilename: bright.sarif

Next, add an additional permission to the workflow, setting id-token to write; the Microsoft Security DevOps action uses the workflow's OIDC token to authenticate the upload to Defender for Cloud, so the upload fails without it.
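The following workflow is an added example, not taken from the Microsoft or Bright documentation, that puts the pieces described above into one file for a repository that does not have GitHub Code Scanning enabled: the Bright scan, the wait for results, the SARIF download and artifact, the MSDO upload, and the id-token permission. It assumes a repository secret named BRIGHT_TOKEN holding a Bright API key, a hypothetical staging target https://example.test that you own, and the input names of the NeuraLegion run-scan and wait-for actions as documented in their READMEs; verify those inputs against the action versions you pin before relying on this.

```yaml
# Added example (not Microsoft or Bright documentation code). Assumptions:
#   - secrets.BRIGHT_TOKEN holds a Bright API key
#   - https://example.test is a staging deployment of the API you own (hypothetical)
#   - NeuraLegion run-scan / wait-for input names match those actions' READMEs
name: Bright DAST to Defender for Cloud

on:
  pull_request:
    branches: [ main ]
  workflow_dispatch:

# Least privilege: read the repository, and mint an OIDC token so the Microsoft
# Security DevOps (MSDO) action can authenticate the upload to Defender for Cloud.
permissions:
  contents: read
  id-token: write

jobs:
  dast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Start the scan. The step id "start" is what steps.start.outputs.id
      # refers to below; rename both together.
      - name: Start Bright scan
        id: start
        uses: NeuraLegion/run-scan@v1.1
        with:
          api_token: ${{ secrets.BRIGHT_TOKEN }}
          name: GitHub scan ${{ github.sha }}
          discovery_types: |
            [ "crawler" ]
          crawler_urls: |
            [ "https://example.test" ]

      # wait-for marks its step failed as soon as a finding at or above
      # wait_for is raised. continue-on-error keeps the job alive so the report
      # is still downloaded and published; the job is failed explicitly at the end.
      - name: Wait for Bright scan
        id: wait
        continue-on-error: true
        uses: NeuraLegion/wait-for@v1.1
        with:
          api_token: ${{ secrets.BRIGHT_TOKEN }}
          scan: ${{ steps.start.outputs.id }}
          wait_for: any

      - name: Download SARIF file
        env:
          api_token: ${{ secrets.BRIGHT_TOKEN }}
          scanId: ${{ steps.start.outputs.id }}
        run: |
          # -f: never save an HTTP error body as the "report"
          curl -fsS "https://app.brightsec.com/api/v1/scans/$scanId/reports/sarif" \
            -H "Authorization: Api-Key $api_token" -o bright.sarif.gz
          gzip -d bright.sarif.gz
          # Sanity check before publishing: the file parses as SARIF with a run
          jq -e '.runs[0].tool.driver.name' bright.sarif > /dev/null
          echo "Bright results: $(jq '.runs[0].results | length' bright.sarif)"

      - name: Upload SARIF file
        uses: actions/upload-artifact@v4
        with:
          name: BrightSecurity_Report_${{ github.run_id }}
          path: bright.sarif

      - name: Upload results to MSDO
        uses: microsoft/security-devops-action@v1
        with:
          existingFilename: bright.sarif

      # Only now fail the pull request if the wait step hit its breakpoint,
      # so the report has already reached the artifact and Defender for Cloud.
      - name: Fail on findings
        if: steps.wait.outcome == 'failure'
        run: |
          echo "Bright reported findings at or above the wait_for threshold"
          exit 1
```

The order matters: publishing the SARIF before failing the job means a blocking finding is also the one you can triage in Defender for Cloud rather than a scan whose report was never uploaded. If your repository does have GitHub Code Scanning enabled, the Note above applies instead: set the upload-to-code-scanning option and the three SARIF steps are not needed.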

After running the workflow, it might take up to 30 minutes for the results to show in Defender for Cloud.

  1. Select Recommendations.
  2. Filter by searching for API security testing.
  3. Select the recommendation GitHub repositories should have API security testing findings resolved.

(Screenshot: the recommendation "GitHub repositories should have API security testing findings resolved".)

For Azure DevOps environments

Note

For additional details on how to configure Bright Security for Azure DevOps, along with links to sample Azure DevOps pipelines, see Azure Pipelines.

  1. Install the NexPloit DevOps Integration on your Azure DevOps organization.

  2. Create a new Pipeline within your Azure DevOps project. For a tutorial for creating your first pipeline, see Create your first pipeline.

  3. Edit the created pipeline. Follow the steps outlined in Azure DevOps Integration.

  4. Run the pipeline.

  5. To verify that the results are being published correctly in Azure DevOps, validate that NeuraLegion_ScanReport.SARIF is uploaded to the Build Artifacts under the CodeAnalysisLogs folder. Defender for Cloud ingests the SARIF files published to the CodeAnalysisLogs artifact, so a report placed anywhere else will not appear as findings.

    (Screenshot: NeuraLegion_ScanReport.SARIF uploaded to Build Artifacts.)

  6. You have completed the onboarding process. Next, verify that the results show in Defender for Cloud.

Navigate to Defender for Cloud:

  1. Select Recommendations.
  2. Filter by searching for API security testing.
  3. Select the recommendation Azure DevOps repositories should have API security testing findings resolved.

(Screenshot: the recommendation "Azure DevOps repositories should have API security testing findings resolved".)
