Skip to content
This repository has been archived by the owner on Oct 14, 2020. It is now read-only.

This Repository contains the stable beta preview of the next major secureCodeBox (SCB) release v2.0.0.

License

Notifications You must be signed in to change notification settings

secureCodeBox/secureCodeBox-v2

Repository files navigation

This Repo has been archived. The code for the secureCodeBox v2 is now located in the primary https://github.com/secureCodeBox/secureCodeBox repository πŸŽ‰.

secureCodeBox – v2 Beta

secureCodeBox Logo secureCodeBox Logo

License Apache-2.0 Preview GitHub Release OWASP Incubator Project Twitter Follower

Build Maintainability Test Coverage Known Vulnerabilities

NOTE: This Repository contains the stable beta preview of the next major secureCodeBox (SCB) Release v2.
You can find the current stable release here https://github.com/secureCodeBox/secureCodeBox.

The major release of SCB version 2.0 will be available in the next weeks. The release will contain a major architecture change which will not be backward compatible. More details will follow soon in a series of blog articles.

secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.

Overview

For additional documentation aspects please have a look at our:

Purpose of this Project

The typical way to ensure application security is to hire a security specialist (aka penetration tester) at some point in your project to check the application for security bugs and vulnerabilities. Usually, this check is done at a later stage of the project and has two major drawbacks:

  1. Nowadays, a lot of projects do continuous delivery, which means the developers deploy new versions multiple times each day. The penetration tester is only able to check a single snapshot, but some further commits could introduce new security issues. To ensure ongoing application security, the penetration tester should also continuously test the application. Unfortunately, such an approach is rarely financially feasible.
  2. Due to a typically time boxed analysis, the penetration tester has to focus on trivial security issues (low-hanging fruit) and therefore will probably not address the serious, non-obvious ones.

With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.

secureCodeBox Architecture

The purpose of secureCodeBox is not to replace the penetration testers or make them obsolete. We strongly recommend to run extensive tests by experienced penetration testers on all your applications.

Important note: The secureCodeBox is no simple one-button-click-solution! You must have a deep understanding of security and how to configure the scanners. Furthermore, an understanding of the scan results and how to interpret them is also necessary.

There is a German article about Security DevOps – Angreifern (immer) einen Schritt voraus in the software engineering journal OBJEKTSpektrum.

Quickstart

Prerequisites

  • kubernetes (last 4 major releases supported: 1.16, 1.17, 1.18 & 1.19)

Deployment (based on Helm)

The install instructions require you to have the repository cloned and to have your terminal located in the folder of repository. There are shorthand scripts to un-/install everything in the bin directory.

Deploy the secureCodeBox operator first:

kubectl create namespace securecodebox-system
helm -n securecodebox-system upgrade --install securecodebox-operator ./operator/

Optionally deploy SCB scanner charts for each security scanner you want to use. They should not be installed into the securecodebox-system like the operator so that different teams can use different kinds of scanners.

helm upgrade --install amass ./scanners/amass/
helm upgrade --install kube-hunter ./scanners/kube-hunter/
helm upgrade --install nikto ./scanners/nikto
helm upgrade --install nmap ./scanners/nmap/
helm upgrade --install ssh-scan ./scanners/ssh_scan/
helm upgrade --install sslyze ./scanners/sslyze/
helm upgrade --install trivy ./scanners/trivy/
helm upgrade --install zap ./scanners/zap/
helm upgrade --install wpscan ./scanners/wpscan/

Optional deploy some demo apps for scanning:

helm upgrade --install dummy-ssh ./demo-apps/dummy-ssh/
helm upgrade --install bodgeit ./demo-apps/bodgeit/
helm upgrade --install juice-shop ./demo-apps/juice-shop/
helm upgrade --install old-wordpress ./demo-apps/old-wordpress/
helm upgrade --install swagger-petstore ./demo-apps/swagger-petstore/

Deploy secureCodeBox Hooks:

helm upgrade --install ufh ./hooks/update-field/
helm upgrade --install gwh ./hooks/generic-webhook/
helm upgrade --install dssh ./hooks/declarative-subsequent-scans/

Persistence provider Elasticsearch:

helm upgrade --install elkh ./hooks/persistence-elastic/

Examples

Now everything is installed. You can try deploying scans from the scanners/*/examples directories.

Local Scan Examples

E.g. localhost nmap scan:

kubectl apply -f scanners/nmap/examples/localhost/scan.yaml

Public Scan Examples

kubectl apply -f scanners/nmap/examples/scan.nmap.org/scan.yaml

Then get the current State of the Scan by running:

kubectl get scans

To delete a scan, use kubectl delete, e.g. for localhost nmap scan:

kubectl delete -f scanners/nmap/examples/localhost/scan.yaml

Access Services

  • Minio UI:
    • Port Forward Minio UI: kubectl port-forward -n securecodebox-system service/securecodebox-operator-minio 9000:9000
    • AccessKey: kubectl get secret securecodebox-operator-minio -n securecodebox-system -o=jsonpath='{.data.accesskey}' | base64 --decode; echo
    • SecretKey: kubectl get secret securecodebox-operator-minio -n securecodebox-system -o=jsonpath='{.data.secretkey}' | base64 --decode; echo
  • Elastic / Kibana UI:
    • Port Forward Kibana: kubectl port-forward -n default service/elkh-kibana 5601:5601
    • Port Forward Elasticsearch: kubectl port-forward -n default service/elasticsearch-master 9200:9200

How does it work?

Architecture

secureCodeBox Architecture

License

Code of secureCodeBox is licensed under the Apache License 2.0.

Community

You are welcome, please join us on... πŸ‘‹

secureCodeBox is an official OWASP project.

Contributing

Contributions are welcome and extremely helpful πŸ™Œ

Author Information

Sponsored by iteratec GmbH - secureCodeBox.io