OWASP iGNITA
Project Information
- Incubator Project
Audience
- Builder
- Breaker
- Defender
OWASP-iGNITA
Static application security testing environment with SAST scanner and plugins
Code Repository
Security Policy
Supported Versions
Use this section to tell people about which versions of your project are currently being supported with security updates.
Version | Supported |
---|---|
5.1.x | |
5.0.x | |
4.0.x | |
< 4.0 | |
Reporting a Vulnerability
Use this section to tell people how to report a vulnerability.
Tell them where to go, how often they can expect to get an update on a reported vulnerability, what to expect if the vulnerability is accepted or declined, etc.
Project Overview
Building a Standalone Scanner and staging the results to detect OWASP TOP 10 Vulnerabilities and building plugins for IDE’s and Continuous Integration
Project Proposal
As software development grows, billions of lines of code are being produced, but code quality is not keeping pace and applications are therefore increasingly vulnerable. Although many tools monitor applications for vulnerabilities, they typically report problems too late. One solution is to analyse and fix vulnerable code during development, but only a few tools are available for scanning code for vulnerabilities. OWASP iGNITA is a good example of such a tool, but because of its many third-party dependencies, setting up the framework for testing is time-consuming and somewhat disorderly.
Proposed Strategy
To overcome the problems mentioned above, the plan is to build a standalone analyser to detect vulnerabilities, so that the OWASP iGNITA scanner is independent of tools such as OWASP SonarQube. This makes the framework lighter and easier to set up, and users are no longer restricted to the API provided by SonarQube or similar scanners. An IDE plugin will also be created, giving developers a faster way to detect vulnerabilities, and the framework will be dockerized so that setup time is minimal and less hectic. The plugin is also proposed for integration into DevSecOps toolchains (GitHub, Jenkins and OWASP AppSec pipelines). Additionally, a developer guide will be written with guidelines, templates and other material for future collaborators.
Requirements that satisfy the important selection criteria:
- Vulnerabilities it can detect (out of the OWASP Top Ten?) - focused on the Top Ten
- Can it be integrated into the developer’s IDE? - a plugin is proposed to be developed
- How hard is it to set up/use? - dockerized for easy setup
- Can it be run continuously and automatically? - will be tested and added to a pipeline in GitHub
High level architecture diagram
Features of the Analyzer
- The analyzer will initially focus on the Java language
- The analyzer will be built to detect OWASP Top 10 vulnerabilities such as:
  - Injection
  - Broken Authentication
  - Sensitive Data Exposure
  - XML External Entities (XXE)
  - Broken Access Control
  - Security Misconfiguration
  - Cross-Site Scripting
  - Insecure Deserialization
Timeline
Milestone | Tasks | Reporting | Week | Date | Status |
---|---|---|---|---|---|
1 - Analysis | |||||
1.1 | Analysis of other scanners that currently support OWASP TOP 10 | None | 1 | 15/05/20 | COMPLETED |
1.2 | Analysis on the software architecture of similar scanners | Review architecture with mentor | 1 | 20/05/20 | COMPLETED |
1.3 | Analysis on plugins | Review development strategy with mentor | 2 | 25/05/20 | COMPLETED |
1.4 | Plan the detectors which will be built in GSOC period | Discuss with mentor | 2 | 30/05/20 | COMPLETED |
2 - Development | |||||
2.1 | Setting up environment | None | 3 | 01/06/20 | COMPLETED |
2.2 | Creating vulnerable samples | None | 5 | 15/06/20 | COMPLETED |
2.3 | Writing test classes | Mentor Review | 5 | 23/06/20 | COMPLETED |
2.4 | Configuring the detectors | None | 7 | 05/07/20 | COMPLETED |
2.5 | Creating Detector classes | Mentor Review | 8 | 10/07/20 | COMPLETED |
2.6 | Integrating into the Dashboard | None | 9 | 20/07/20 | COMPLETED |
2.7 | Modifying the scanner for the plugin structure | Mentor Review | 10 | 25/07/20 | COMPLETED |
2.8 | Modifying the scanner to be added to multiple pipelines | Mentor Review | 10 | 30/07/20 | COMPLETED |
3 - Testing | |||||
3.1 | Writing test cases | Mentor Review | 11 | 02/08/20 | COMPLETED |
3.2 | Testing detectors with sample code | Mentor Review | 12 | 09/08/20 | COMPLETED |
3.3 | Testing detectors for each developed vulnerability in a known test set | None | 13 | 11/08/20 | COMPLETED |
3.4 | Testing with integrated dashboard | Mentor Review | 13 | 14/08/20 | COMPLETED |
3.5 | Testing the plugin | None | 14 | 16/08/20 | COMPLETED |
4 - Deployment | |||||
4.1 | Dockerizing the application with integrated scanner | Mentor Test | 14 | 18/08/20 | IN-PROGRESS |
4.2 | Deploying Docker Image | None | 14 | 19/08/20 | IN-PROGRESS |
5 - Documentation | |||||
5.1 | Documenting the Analyzer | Mentor Review | 14 | 21/08/20 | NOT STARTED |
5.2 | Documenting the Plugin | Mentor Review | 14 | 22/08/20 | NOT STARTED |
5.3 | Writing the Developer Guide | Mentor Review | 14 | 23/08/20 | NOT STARTED |
Project Team & Organization
- Azzeddine Ramrami: Project Leader
- Azhar Aahmad: Project Leader and back-end developer
User Guide
Installation
Pre-requisites
Software
- NodeJS (required)
- Angular (required)
- SonarQube (required)
- Sonar-scanner (required)
- Mongodb (required)
- Git (required)
Installing pre-requisites
NodeJS:
https://nodejs.org/en/download/
Angular:
https://angular.io/
SonarQube:
https://www.sonarqube.org/downloads/
Sonar-Scanner:
https://docs.sonarqube.org/latest/analysis/scan/sonarscanner/
Mongodb:
https://www.mongodb.com/download-center/community
Procedure for installing
Step 1:
Get the resource files from GitHub. Clone the project:
$ git clone https://github.com/azharanees/OWASP-iGNITA.git
Or download the project from: https://owasp.org/www-project-ignita/
Step 2:
Start the MongoDB server and make sure it is running on port 28017.
Step 3:
Start the SonarQube server on port 9000.
Step 4:
Make sure sonar-scanner is installed and included in the environment variables.
Step 5:
Go to the cloned repository folder and change directory to “api”: cd api
Once inside the directory run npm install, which installs the required dependencies.
Step 6:
After npm install completes successfully, start the node server using npm start.
Step 7:
Change directory to the gui folder from the root directory: cd gui
Step 8:
Once inside the gui directory use npm install to install all the relevant dependencies.
Step 9:
After the installation completes, use ng serve or npm start to run the Angular app.
Step 10:
After the Angular app has compiled successfully, open your browser and go to localhost:4200
Step 11:
Use the credentials below to log in to the dashboard:
username : admin
password : test1234
Guide to use the dashboard