OWASP secureCodeBox

The OWASP secureCodeBox Project is a Kubernetes-based, modularized toolchain for continuous security scans of your software project. Its goal is to orchestrate and automate a range of security-testing tools out of the box. With secureCodeBox we provide a toolchain for continuous scanning of applications that finds the low-hanging-fruit issues early in the development process and frees penetration testers to concentrate on the major security issues.

Description

The purpose of secureCodeBox is not to replace penetration testers or make them obsolete. We strongly recommend running extensive tests by experienced penetration testers on all your applications. For more information about this project, please have a look at our GitHub Repo secureCodeBox or the online documentation.

Our main goal is to implement a major security testing platform and framework which enables developers and teams to integrate a range of security testing tools into their CI/CD or Kubernetes environment as easily as possible. The flexibility and scalability of the platform architecture lead to features such as multi-tenancy support, large-scale (multi-)project testing, support for distributed and private networks, and customisable security test flows, which enable projects to test complex environments without implementing the complete security testing infrastructure on their own.

Secondly, we aim to make a broad range of security tools easy to integrate. We will also try to integrate existing OWASP Projects as building blocks in our platform.

Architecture

SCBv2 Architecture Overview

The secureCodeBox architecture is based on Kubernetes Custom Resource Definitions (CRDs) and follows a function-as-a-service (FaaS) principle. We implemented a Kubernetes operator which schedules security scans as Kubernetes Jobs. This architecture is much more resource-efficient: instead of long-running microservices (SCB v1 architecture), scans only consume cluster resources for a short amount of time.

Roadmap

As of February 2021, the highest priorities for the next 12 months are:

  • Finalize a new Kubernetes autodiscovery service which is capable of generating new secureCodeBox Scans based on existing or newly spawned Kubernetes resources.
  • Finalize the deep integration with the OWASP DefectDojo Project, as a building block for security finding analytics
  • Implement a secureCodeBox UI to visualize the security scan findings as an alternative to OWASP DefectDojo and Kibana (ELK Stack)
  • Integrate new Cloud specific security scanners for AWS, GCP, Azure, DigitalOcean

Quickstart secureCodeBox

Deployment (based on Helm)

Deploy the secureCodeBox operator first:

# Add the secureCodeBox Helm Repo
helm repo add secureCodeBox https://charts.securecodebox.io

# Create a new namespace for the secureCodeBox Operator
kubectl create namespace securecodebox-system

# Install the Operator & CRD's
helm --namespace securecodebox-system upgrade --install securecodebox-operator secureCodeBox/operator

Optionally deploy SCB scanner charts for each security scanner you want to use. They should not be installed into the securecodebox-system namespace like the operator, so that different teams can use different kinds of scanners. To get more information about each scanner and hook, please have a look at our Documentation Website or the corresponding GitHub Repo secureCodeBox.

# The following charts will be installed in the `default` namespace, but you can choose a namespace of your choice by
# adding `--namespace YOURNAMESPACE` to each line
helm upgrade --install amass secureCodeBox/amass
helm upgrade --install gitleaks secureCodeBox/gitleaks
helm upgrade --install kube-hunter secureCodeBox/kube-hunter
helm upgrade --install nikto secureCodeBox/nikto
helm upgrade --install nmap secureCodeBox/nmap
helm upgrade --install ssh-scan secureCodeBox/ssh_scan
helm upgrade --install sslyze secureCodeBox/sslyze
helm upgrade --install trivy secureCodeBox/trivy
helm upgrade --install wpscan secureCodeBox/wpscan
helm upgrade --install zap secureCodeBox/zap

Optionally deploy some demo apps for scanning:

# Helm repo names are case-sensitive; use the `secureCodeBox` name registered with `helm repo add` above
helm upgrade --install dummy-ssh secureCodeBox/dummy-ssh
helm upgrade --install bodgeit secureCodeBox/bodgeit
helm upgrade --install juice-shop secureCodeBox/juice-shop
helm upgrade --install old-wordpress secureCodeBox/old-wordpress
helm upgrade --install swagger-petstore secureCodeBox/swagger-petstore

Deploy secureCodeBox Hooks:

helm upgrade --install ufh secureCodeBox/update-field-hook
helm upgrade --install gwh secureCodeBox/generic-webhook
helm upgrade --install dssh secureCodeBox/declarative-subsequent-scans

Persistence provider Elasticsearch:

helm upgrade --install elkh secureCodeBox/persistence-elastic
helm upgrade --install dd secureCodeBox/persistence-defectdojo \
    --set="defectdojo.url=https://defectdojo-django.default.svc"
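Once the operator and a scanner chart are installed, a scan is started by creating a Scan custom resource, which the operator turns into a Kubernetes Job (the CRD-based architecture described above). The following shell script is an added example and is not part of the secureCodeBox project: it renders a Scan manifest from parameters, validates the resource name, and wraps the `kubectl` calls to apply it and read back its state. The Scan schema (apiVersion `execution.securecodebox.io/v1`, kind `Scan`, `spec.scanType`, `spec.parameters`) and the `status.state` field are taken from the secureCodeBox v2 documentation rather than from this page; the scan name, the `juice-shop.default.svc` target and its ports are constructed assumptions matching the demo app above.

```shell
#!/usr/bin/env sh
# Added example (not secureCodeBox project code): build and submit a Scan resource.
# Assumed schema: execution.securecodebox.io/v1 Scan with spec.scanType/spec.parameters.

# Quote a value as a YAML double-quoted scalar so scanner arguments can't break the manifest.
yaml_quote() {
    printf '"%s"' "$(printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g')"
}

# scb_scan_manifest NAME SCANTYPE [PARAM...]  -> prints a Scan manifest on stdout.
# NAME must be a valid Kubernetes resource name (lowercase RFC 1123 characters).
scb_scan_manifest() {
    name=$1
    scan_type=$2
    shift 2
    case $name in
        ""|*[!a-z0-9.-]*)
            printf 'invalid scan name: %s\n' "$name" >&2
            return 1 ;;
    esac
    [ -n "$scan_type" ] || { printf 'scanType is required\n' >&2; return 1; }
    printf 'apiVersion: execution.securecodebox.io/v1\n'
    printf 'kind: Scan\n'
    printf 'metadata:\n  name: %s\n' "$name"
    printf 'spec:\n  scanType: %s\n  parameters:\n' "$scan_type"
    for p in "$@"; do
        printf '    - %s\n' "$(yaml_quote "$p")"
    done
}

# Apply the rendered Scan in $SCB_NAMESPACE (default: "default"); the operator picks it up.
scb_run_scan() {
    scb_scan_manifest "$@" | kubectl --namespace "${SCB_NAMESPACE:-default}" apply -f -
}

# Print the operator-reported state of a Scan (e.g. Scanning, Done, Errored).
scb_scan_state() {
    kubectl --namespace "${SCB_NAMESPACE:-default}" get scan "$1" \
        -o jsonpath='{.status.state}'
}

# Stand-alone demo: render an nmap Scan against the juice-shop demo app (constructed target).
scb_scan_manifest nmap-juice-shop nmap -p 80,3000 juice-shop.default.svc
# To run it against a cluster with the operator and the nmap chart installed:
#   scb_run_scan nmap-juice-shop nmap -p 80,3000 juice-shop.default.svc
#   scb_scan_state nmap-juice-shop
```

The manifest is rendered separately from the `kubectl apply` so it can be reviewed, checked into a repository, or generated by a CI pipeline for the autodiscovery-style workflows mentioned in the roadmap; only the `scb_run_scan` and `scb_scan_state` helpers need cluster access.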

Community

You are welcome, please join us on… 👋

Contributors

GitHub contributors

Licensing

This Project is free software: you can redistribute it and/or modify it under the terms of the Apache License 2.0. OWASP secureCodeBox Project and any contributions are Copyright © by iteratec GmbH 2015-2021.