The OWASP secureCodeBox Project is a Kubernetes-based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and easily automate a range of security-testing tools out of the box. With secureCodeBox we provide a toolchain for continuous scanning of applications to find the low-hanging-fruit issues early in the development process and free the penetration tester's resources to concentrate on the major security issues.
The purpose of secureCodeBox is not to replace penetration testers or make them obsolete. We strongly recommend running extensive tests by experienced penetration testers on all your applications. For more information about this project, please have a look at our GitHub repo secureCodeBox or the online documentation.
Our main goal is to implement a major security testing platform and framework which enables developers and teams to integrate a range of security testing tools into their CI/CD or Kubernetes environment as easily as possible. The flexibility and scalability of the platform architecture lead to features like multi-tenancy support, large-scale (multi-)project testing, support for distributed and private networks, and customisable security test flows, which enable projects to test complex environments without implementing the complete security testing infrastructure on their own.
Secondly, we try to make a broad range of security tools easy to integrate. We will also try to integrate existing OWASP Projects as building blocks in our platform.
The secureCodeBox architecture is based on Kubernetes Custom Resource Definitions (CRDs) and follows a function-as-a-service (FaaS) principle. We therefore implemented a Kubernetes operator which schedules security scans as Kubernetes Jobs. This architecture is much more resource efficient: instead of long-running microservices (SCB v1 architecture), scans only consume cluster resources for a short amount of time.
As of Feb, 2021, the highest priorities for the next 12 months are:
- Finalize a new Kubernetes autodiscovery service which is capable of generating new secureCodeBox Scans based on existing or newly spawned Kubernetes resources.
- Finalize the deep integration with the OWASP DefectDojo Project, as a building block for security finding analytics.
- Implement a secureCodeBox UI to visualize the security scan findings as an alternative to OWASP DefectDojo and Kibana (ELK Stack).
- Integrate new cloud-specific security scanners for AWS, GCP, Azure and DigitalOcean.
Deployment (based on Helm)
Deploy the secureCodeBox operator first:
# Add the secureCodeBox Helm repo
helm repo add secureCodeBox https://charts.securecodebox.io
# Create a new namespace for the secureCodeBox operator
kubectl create namespace securecodebox-system
# Install the operator & CRDs
helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator
Optionally deploy SCB scanner charts for each security scanner you want to use. They should not be installed into the securecodebox-system namespace like the operator, so that different teams can use different kinds of scanners.
To get more information about each scanner and hook, please have a look at our Documentation Website or the corresponding GitHub repo secureCodeBox.
# The following charts will be installed in the `default` namespace, but you can choose the namespace of your choice by
# adding `--namespace YOURNAMESPACE` to each line
helm upgrade --install amass secureCodeBox/amass
helm upgrade --install gitleaks secureCodeBox/gitleaks
helm upgrade --install kube-hunter secureCodeBox/kube-hunter
helm upgrade --install nikto secureCodeBox/nikto
helm upgrade --install nmap secureCodeBox/nmap
helm upgrade --install ssh-scan secureCodeBox/ssh_scan
helm upgrade --install sslyze secureCodeBox/sslyze
helm upgrade --install trivy secureCodeBox/trivy
helm upgrade --install wpscan secureCodeBox/wpscan
helm upgrade --install zap secureCodeBox/zap
Optionally deploy some demo apps for scanning (note that the Helm repo name is case-sensitive and must match the name used in `helm repo add` above):
helm upgrade --install dummy-ssh secureCodeBox/dummy-ssh
helm upgrade --install bodgeit secureCodeBox/bodgeit
helm upgrade --install juice-shop secureCodeBox/juice-shop
helm upgrade --install old-wordpress secureCodeBox/old-wordpress
helm upgrade --install swagger-petstore secureCodeBox/swagger-petstore
Deploy secureCodeBox Hooks:
helm upgrade --install ufh secureCodeBox/update-field-hook
helm upgrade --install gwh secureCodeBox/generic-webhook
helm upgrade --install dssh secureCodeBox/declarative-subsequent-scans
Persistence providers (Elasticsearch and DefectDojo):
helm upgrade --install elkh secureCodeBox/persistence-elastic
helm upgrade --install dd secureCodeBox/persistence-defectdojo \
  --set="defectdojo.url=https://defectdojo-django.default.svc"
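Once the operator and at least one scanner chart are installed, a scan is started by creating a Scan custom resource, which the operator (described in the architecture section above) turns into a short-lived Kubernetes Job. The manifest below is an added example, not a file shipped by the project: it runs a one-off nmap scan of the dummy-ssh demo app deployed above and a nightly ScheduledScan of the same target. The CRD group `execution.securecodebox.io/v1`, the kinds `Scan` and `ScheduledScan`, and the `scanType`, `parameters`, `interval` and `scanSpec` fields are the operator's own API; the service name `dummy-ssh.default.svc` is an assumption about what the demo chart creates, so adjust it to the service actually present in your cluster.

```yaml
# Added example manifest (not part of the secureCodeBox project files).
# Assumes the operator and the nmap scanner chart are installed, and that the
# dummy-ssh demo chart exposes a Service named "dummy-ssh" in the "default" namespace.
#
# A Scan is namespaced: create it in the same namespace as the scanner chart that
# provides its scanType (here nmap, installed into "default" in the steps above).
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-dummy-ssh"
  namespace: "default"
spec:
  # Must match the name of an installed ScanType; "nmap" comes from secureCodeBox/nmap.
  scanType: "nmap"
  # Arguments are passed straight to the scanner binary inside the Job.
  # Only the SSH port of the demo app is probed to keep the scan short.
  parameters:
    - "-p"
    - "22"
    - "dummy-ssh.default.svc"
---
# Same scan, re-run by the operator every 24 hours, so a new listener or a
# changed banner on the demo app shows up as a fresh set of findings.
apiVersion: "execution.securecodebox.io/v1"
kind: ScheduledScan
metadata:
  name: "nmap-dummy-ssh-nightly"
  namespace: "default"
spec:
  interval: 24h
  scanSpec:
    scanType: "nmap"
    parameters:
      - "-p"
      - "22"
      - "dummy-ssh.default.svc"
```

Apply it with `kubectl apply -f scan.yaml` and follow progress with `kubectl get scans` (and `kubectl get scheduledscans`): the STATE column moves from Scanning to Done once the Job has finished and the parser has produced findings, which the installed hooks (persistence-elastic, persistence-defectdojo, generic-webhook) then receive. If the Scan stays pending, the usual cause is a scanType that is not installed in that namespace; `kubectl get scantypes` lists what the operator can run there.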
You are welcome, please join us on… 👋
This Project is free software: you can redistribute it and/or modify it under the terms of the Apache License 2.0. OWASP secureCodeBox Project and any contributions are Copyright © by iteratec GmbH 2015-2021.