We are happy to announce that Cohesion was completely revamped with new tools and features. The main changes relate to upgrading the testing capabilities and coverage, and introducing proxy support which paves the way to more interesting use-cases.
The Cohesion Proxy is the most exciting new feature in this release because it just makes the tool so much better. How? Well, think about all the unit and integration tests developers write to ensure software is running as it should. Why not leverage this wealth of testing and do some security testing on top of it? This is exactly what the Cohesion proxy is used for.
During the integration test phase you start the proxy tool, and all integration, QA and unit tests are redirected through it. Each time a test case is captured, Cohesion picks it up and runs a full suite of security tests on top of it. This repeats for every test, skipping test cases that are similar to ones already checked.
From a Maven perspective this process is relatively straightforward, as illustrated by the following pom file:
<project xmlns="http://maven.apache.org/POM/4.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 http://maven.apache.org/maven-v4_0_0.xsd">
  <modelVersion>4.0.0</modelVersion>
  <groupId>GROUPID</groupId>
  <artifactId>ARTIFACTID</artifactId>
  <version>1.0.0-SNAPSHOT</version>
  <name>NAME</name>
  <build>
    <plugins>
      <plugin>
        <groupId>com.websecurify</groupId>
        <artifactId>cohesion</artifactId>
        <version>1.7.0-SNAPSHOT</version>
        <!-- A plugin may declare only one <executions> element; both executions live inside it. -->
        <executions>
          <!-- Start the proxy right before the integration tests run. -->
          <execution>
            <id>start-proxy</id>
            <phase>pre-integration-test</phase>
            <goals><goal>proxy-start</goal></goals>
            <configuration>
              <output>${project.build.directory}/security</output>
            </configuration>
          </execution>
          <!-- Stop the proxy once the integration tests have completed. -->
          <execution>
            <id>stop-proxy</id>
            <phase>post-integration-test</phase>
            <goals><goal>proxy-stop</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
The pom file simply defines that the Cohesion proxy needs to be started before the integration tests and stopped once the integration tests complete. The security tests are performed in-between these phases. If a critical vulnerability is encountered, the current phase is immediately failed and the developer is given the opportunity to investigate and fix the error.
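The two decisions the proxy has to make while the suite runs, which captured requests are worth a security pass and when a finding should fail the build phase, are worth seeing in code. The following is an added example and not Cohesion's own code; the capture format (method, URL, body), the similarity rule (same method, host, path template and parameter names, ignoring parameter values) and the severity names are all assumptions.

```python
"""Added example (not Cohesion's code): deciding which captured test
requests are new enough to deserve a security pass, and whether the
findings should fail the current build phase."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample of what a capturing proxy might record while the
# integration tests run. The (method, url, body) tuple format is an assumption.
CAPTURED = [
    ("GET",  "http://app.test/users/42", ""),
    ("GET",  "http://app.test/users/43", ""),                      # same shape as /users/42
    ("GET",  "http://app.test/users?page=1&sort=name", ""),
    ("GET",  "http://app.test/users?sort=date&page=2", ""),        # same parameter names
    ("POST", "http://app.test/users", "name=alice&email=a%40x.test"),
    ("POST", "http://app.test/users", "name=bob&email=b%40x.test"), # same form fields
    ("POST", "http://app.test/login", "user=alice&password=x"),
]

_NUMERIC = re.compile(r"^\d+$")
_HEXID = re.compile(r"^[0-9a-f]{16,}$")


def _template_path(path):
    """Replace identifier-looking path segments with a placeholder so that
    /users/42 and /users/43 map to the same template /users/{id}."""
    parts = []
    for seg in path.split("/"):
        parts.append("{id}" if _NUMERIC.match(seg) or _HEXID.match(seg) else seg)
    return "/".join(parts)


def signature(method, url, body=""):
    """Structural signature of a request: method, host, path template and the
    sorted names (not values) of query and body parameters."""
    u = urlsplit(url)
    query_keys = tuple(sorted(k for k, _ in parse_qsl(u.query, keep_blank_values=True)))
    body_keys = tuple(sorted(k for k, _ in parse_qsl(body, keep_blank_values=True)))
    return (method.upper(), u.netloc, _template_path(u.path), query_keys, body_keys)


def select_for_testing(captured, seen=None):
    """Return the captured requests that have a signature not seen before.
    `seen` can be carried across runs so repeated test cases are skipped."""
    seen = set() if seen is None else seen
    selected = []
    for method, url, body in captured:
        sig = signature(method, url, body)
        if sig in seen:
            continue
        seen.add(sig)
        selected.append((method, url, body))
    return selected


# Assumed severity ranking; the page only says "critical" fails the phase.
_SEVERITY = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def should_fail_phase(findings, threshold="critical"):
    """True if any finding is at or above the threshold severity.
    `findings` is an iterable of (severity, description) pairs (constructed format)."""
    limit = _SEVERITY[threshold]
    return any(_SEVERITY.get(sev, 0) >= limit for sev, _ in findings)


if __name__ == "__main__":
    for req in select_for_testing(CAPTURED):
        print("security pass for", req[0], req[1])
    print("fail phase:", should_fail_phase([("critical", "constructed finding")]))
```

Keeping the `seen` set across test runs is what turns "run it on every test" into an affordable habit: the second run of an unchanged suite selects nothing new, so the cost is paid once per distinct request shape rather than once per test.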
If this doesn't fit your workflow, the Cohesion plugin can easily be customised to work in other scenarios as well. You do not have to run it all the time or even run it from the main project file. You can run it just once a day, or only during particular phases that fit your business and delivery process. If Maven or Anthill are not an option, you can fall back to the command line. The possibilities are endless.
We believe that with this change Cohesion is now the most powerful, simple and fast way to integrate security into your CI/CD pipelines.