secureCodeBox as a Service
Have you ever wanted to try out secureCodeBox but don't have a Kubernetes cluster on hand? We have a solution for that: secureCodeBox as a Service.
In the last few years our project gained some traction, as you can see from the GitHub stars:
But one of the major concerns we often heard in the past was:
Nice project, but I don't have a Kubernetes cluster to try it out.
Setting up a Kubernetes cluster is a major hurdle if you're not used to it. What seems to be a no-brainer for DevOps engineers may be a show-stopper for e.g. security engineers, pentesters, CISOs, product owners, etc. who just want to try it out.
That's the reason why we decided last year to start building secureCodeBox as a Service, and now it's in a state where we can put it in front of the public. For that, we set up a dedicated Kubernetes cluster and developed a simple web UI to interface with secureCodeBox. So you don't need to mess around with kubectl on the command line.
At the moment, we do a very basic cascading scan:
- We scan for all subdomains.
- We scan for all open ports on each found hostname.
We plan more elaborate scans for the future, e.g.:
- TLS
- SSH
- dangling DNS
- ...
Of course not!
We need to prevent arbitrary internet users from scanning random domains they do not own, because this could be interpreted as an attack, and the owners might sue us.
To mitigate this, we implemented a domain validation process. To validate your domain, you need to add a challenge to your DNS zone, so that we can be sure that you "own" this particular domain. Sadly, this raises the bar of technical skill required for use: either you can administer your DNS zone yourself, or you have someone from operations on hand who can do that for you.
Also, we require you to accept a very lightweight terms of use.
Why Hosted on a Company Domain?
Maybe you noticed that secureCodeBox as a Service is hosted under a company domain of iteratec GmbH. iteratec is the main sponsor of secureCodeBox. We host the service there instead of under the open source project's domain for legal reasons. We're located in Germany, which has something called the "Hackerparagraph": you can be sued for scanning systems without the permission of their owner. To prevent the individual maintainers, or perhaps OWASP, from getting sued, we needed a legal entity to be in charge and to act as the legal party for the terms of use. Of course, we asked a lawyer.