NOTE: This Repository contains a work in progress preview of the planned next mayor secureCodeBox Release. You can find the current stable release here https://github.com/secureCodeBox/secureCodeBox. The release of version 2.0 is still at least some month away but you can already get a sneak peak here π. The release will contain a mayor re architecture of the secureCodeBox. More details will follow soon in a series of blog articles.
secureCodeBox is a kubernetes based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a bunch of security-testing tools out of the box.
- Overview
- Purpose of this Project
- Quickstart
- How does it work?
- Architecture
- License
- Community
- Contributing
- Author Information
For additional documentation aspects please have a look at our:
The typical way to ensure application security is to hire a security specialist (aka penetration tester) at some point in your project to check the application for security bugs and vulnerabilities. Usually, this check is done at a later stage of the project and has two major drawbacks:
- Nowadays, a lot of projects do continuous delivery, which means the developers deploy new versions multiple times each day. The penetration tester is only able to check a single snapshot, but some further commits could introduce new security issues. To ensure ongoing application security, the penetration tester should also continuously test the application. Unfortunately, such an approach is rarely financially feasible.
- Due to a typically time boxed analysis, the penetration tester has to focus on trivial security issues (low-hanging fruits) and therefore will not address the serious, non-obvious ones.
With the secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging fruit issues early in the development process and free the resources of the penetration tester to concentrate on the major security issues.
The purpose of secureCodeBox is not to replace the penetration testers or make them obsolete. We strongly recommend to run extensive tests by experienced penetration testers on all your applications.
Important note: The secureCodeBox is no simple one-button-click-solution! You must have a deep understanding of security and how to configure the scanners. Furthermore, an understanding of the scan results and how to interpret them is also necessary.
There is a german article about Security DevOps β Angreifern (immer) einen Schritt voraus in the software engineering journal OBJEKTSpektrum.
- kubernetes (last 4 mayor releases supported:
1.15,1.16,1.17&1.18)
# Deploy secureCodeBox Operator
kubectl create namespace securecodebox-system
helm -n securecodebox-system install securecodebox-operator ./operator/ --set image.tag=hooks
# Deploy definitions for the integrated scanners
helm install amass ./integrations/amass/
helm install kube-hunter ./integrations/kube-hunter/
helm install nikto ./integrations/nikto
helm install nmap ./integrations/nmap/
helm install ssh-scan ./integrations/ssh_scan/
helm install sslyze ./integrations/sslyze/
helm install trivy ./integrations/trivy/
helm install zap ./integrations/zap/
helm install wpscan ./integrations/wpscan/
# Optional Deploy some Demo Apps for scanning
helm install dummy-ssh ./demo-apps/dummy-ssh/
# Deploy secureCodeBox Hooks
helm install add-attributes ./hooks/add-attributes/
helm install generic-webhook ./hooks/generic-webhook/
helm install imperative-subsequent-scans ./hooks/imperative-subsequent-scans/
## Persistence Provider: Elasticsearch
helm install persistence-elastic ./hooks/persistence-elastic/# Now everything is installed. You can try deploying scans from the `operator/config/samples/` directory
## Local Scan Examples
### E.g. localhost nmap scan
kubectl apply -f operator/config/samples/execution_v1_scan/nmap_localhost.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/kube-hunter_in_cluster.yaml
## Public Scan Examples
# E.g. www.securecodebox.io sslyze scan
kubectl apply -f operator/config/samples/execution_v1_scan/nmap_securecodebox_io.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/amass_securecodebox_io.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/sslyze_securecodebox_io.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/nikto_securecodebox_io.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/ssh_iteratec_de.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/wpscan_nurdemteam_org.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/sslyze_securecodebox_io.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/trivy_mediawiki.yaml
kubectl apply -f operator/config/samples/execution_v1_scan/trivy_juiceshop.yaml
# Then get the current State of the Scan by running:
kubectl get scans- Minio UI
- AccessKey:
kubectl get secret securecodebox-operator-minio -n securecodebox-system -o=jsonpath='{.data.accesskey}' | base64 --decode; echo - SecretKey:
kubectl get secret securecodebox-operator-minio -n securecodebox-system -o=jsonpath='{.data.secretkey}' | base64 --decode; echo - Port Forward Minio UI:
kubectl port-forward -n securecodebox-system service/securecodebox-operator-minio 9000:9000
- AccessKey:
- Elastic / Kibana UI
- User:
elastic - Password:
kubectl get secret scb-elasticsearch-es-elastic-user -n scb-analytics -o=jsonpath='{.data.elastic}' | base64 --decode; echo - Port Forward Kibana:
kubectl port-forward -n default service/persistence-elastic-kibana 5601:5601 - Port Forward Elasticsearch:
kubectl port-forward -n default service/elasticsearch-master 9200:9200
Code of secureCodeBox is licensed under the Apache License 2.0.
You are welcome, please join us on... π
secureCodeBox is an official OWASP project.
Contributions are welcome and extremely helpful π
Sponsored by iteratec GmbH - secureCodeBox.io