The OWASP secureCodeBox Project is a Kubernetes-based, modularized toolchain for continuous security scans of your software projects. Its goal is to orchestrate and easily automate a range of security-testing tools out of the box. With secureCodeBox we provide a toolchain for continuous scanning of applications that finds the low-hanging-fruit issues early in the development process and frees up penetration testers to concentrate on the major security issues.
The purpose of secureCodeBox is not to replace penetration testers or make them obsolete. We strongly recommend having extensive tests run by experienced penetration testers on all your applications. For more information about this project please have a look at our GitHub Repo secureCodeBox V1 or the GitHub Repo of our new major release, secureCodeBox V2.
Our main goal is to implement a security testing platform and framework which enables developers and teams to integrate a range of security testing tools into their CI/CD or Kubernetes environment as easily as possible. The flexibility and scalability of the platform architecture leads to features like multi-tenancy support, large-scale (multi-)project testing, support for distributed and private networks, customisable security test flows, … which enable projects to test complex environments without implementing the complete security testing infrastructure on their own.
Secondly, we try to make a broad range of security tools easy to integrate. We will also try to integrate existing OWASP Projects as building blocks in our platform.
New Major Release V2
Currently we are working heavily on a new major release of the secureCodeBox Project with a completely new architecture based on Kubernetes. SCB version 2.0 will be available in the next weeks. The release contains a major architecture change which is not backward compatible. More details will follow soon in a series of blog articles.
The new architecture is based on Kubernetes CRDs and follows a function-as-a-service (FaaS) principle: we implemented a Kubernetes operator which schedules each scan as a Kubernetes Job. This architecture is much more resource efficient. Instead of long-running microservices (the SCB v1 architecture), scans only consume cluster resources for the short time they are actually running.
As of August, 2020, the highest priorities for the next 6 months are:
- Finalize the major release V2 and switch the complete project to a Kubernetes-based FaaS architecture
- Finalize the integration with the OWASP DefectDojo Project, as a building block for security finding analytics
- Implement a permanent UI to visualize the security scan findings as an alternative to DefectDojo and Kibana (ELK Stack)
- Finalize a Kubernetes-based autodiscovery for all resources currently running in a Kubernetes cluster
Quickstart secureCodeBox V2
Deployment (based on Helm)
Deploy the secureCodeBox operator first (the --devel flag lets Helm select prerelease chart versions, which the V2 charts still are):
helm repo add securecodebox https://charts.securecodebox.io
kubectl create namespace securecodebox-system
helm -n securecodebox-system upgrade --install securecodebox-operator securecodebox/operator --devel
Optionally deploy the SCB scanner charts for each security scanner you want to use. Install them into your own namespaces rather than into securecodebox-system like the operator, so that different teams can use different kinds of scanners.
To get more information about each scanner and hook please have a look at our Website or the corresponding GitHub Repo secureCodeBox V2.
helm upgrade --install amass securecodebox/amass --devel
helm upgrade --install kube-hunter securecodebox/kube-hunter --devel
helm upgrade --install nikto securecodebox/nikto --devel
helm upgrade --install nmap securecodebox/nmap --devel
helm upgrade --install ssh-scan securecodebox/ssh-scan --devel
helm upgrade --install sslyze securecodebox/sslyze --devel
helm upgrade --install trivy securecodebox/trivy --devel
helm upgrade --install zap securecodebox/zap --devel
helm upgrade --install wpscan securecodebox/wpscan --devel
Optionally deploy some demo apps for scanning:
helm upgrade --install dummy-ssh securecodebox/dummy-ssh --devel
helm upgrade --install bodgeit securecodebox/bodgeit --devel
helm upgrade --install juice-shop securecodebox/juice-shop --devel
helm upgrade --install old-wordpress securecodebox/old-wordpress --devel
helm upgrade --install swagger-petstore securecodebox/swagger-petstore --devel
Deploy secureCodeBox Hooks:
helm upgrade --install ufh securecodebox/update-field-hook --devel
helm upgrade --install gwh securecodebox/generic-webhook --devel
helm upgrade --install dssh securecodebox/declarative-subsequent-scans --devel
Persistence provider Elasticsearch:
helm upgrade --install elkh securecodebox/persistence-elastic --devel
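With the operator, a scanner chart and (optionally) the persistence provider installed, a scan is started by creating a Scan custom resource and the result is read back from that resource's status. The following script is an added example written for this page; it is not code from the secureCodeBox project. It assumes the V2 operator's Scan API as documented in the V2 repository (apiVersion execution.securecodebox.io/v1, kind Scan, spec.scanType, spec.parameters, and the operator-filled status.state, status.findings and status.findingDownloadLink fields), none of which are described on this page, and that kubectl points at the cluster the operator runs in. The nmap invocation against scanme.nmap.org is just an illustrative target.

```shell
#!/bin/sh
# Added example, not code from the secureCodeBox project: build a Scan custom
# resource for a scanner chart installed above, apply it, and read the result
# back from the Scan's status. Assumes the V2 operator is running and kubectl
# points at that cluster; nothing below touches the cluster until run_scan.

# Print a Scan manifest. $1 is the scanType (the scanner chart's type, e.g.
# nmap, sslyze, zap-baseline-scan); the remaining arguments become
# spec.parameters, i.e. the command-line arguments handed to the scanner
# container, one list entry each.
scan_manifest() {
  scan_type="$1"
  shift
  # Derive the object name from scanType and the last parameter (normally the
  # target); Kubernetes object names must be lowercase DNS-1123 subdomains.
  last=""
  for arg in "$@"; do last="$arg"; done
  name="$(printf '%s-%s' "$scan_type" "$last" | tr 'A-Z' 'a-z' | sed 's/[^a-z0-9.-]/-/g')"
  printf 'apiVersion: execution.securecodebox.io/v1\n'
  printf 'kind: Scan\n'
  printf 'metadata:\n  name: "%s"\n' "$name"
  printf 'spec:\n  scanType: "%s"\n  parameters:\n' "$scan_type"
  for arg in "$@"; do
    printf '    - "%s"\n' "$arg"
  done
}

# Print just the object name the manifest above would use.
scan_name() {
  scan_manifest "$@" | sed -n 's/^  name: "\(.*\)"$/\1/p'
}

# Apply the manifest and poll the Scan's status until the operator reports a
# terminal state (Done or Errored). The findings summary comes from
# status.findings, which the operator fills once the scanner's parser has run;
# the full findings JSON is reachable via the presigned URL the operator puts
# into status.findingDownloadLink (see: kubectl get scan NAME -o yaml).
run_scan() {
  name="$(scan_name "$@")"
  scan_manifest "$@" | kubectl apply -f -
  while :; do
    state="$(kubectl get scan "$name" -o jsonpath='{.status.state}')"
    case "$state" in
      Done|Errored) break ;;
    esac
    sleep 5
  done
  echo "$name: $state"
  kubectl get scan "$name" -o jsonpath='{.status.findings.count} findings, severities {.status.findings.severities}{"\n"}'
}

# Stand-alone: print the manifest for an nmap port scan of the public nmap
# test host. Replace with "run_scan nmap -p 22,80,443 scanme.nmap.org" once
# the operator and the nmap scanner chart are installed.
scan_manifest nmap -p 22,80,443 scanme.nmap.org
```

Because scan parameters are passed straight through to the scanner container, the same helper works for any installed scanner type; only the scanType and the argument list change. Scans are namespaced, so create them in the namespace where the corresponding scanner chart was installed.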
You are welcome, please join us on… 👋
This Project is free software: you can redistribute it and/or modify it under the terms of the Apache License 2.0. OWASP secureCodeBox Project and any contributions are Copyright © by iteratec GmbH 2015-2020.