secureCodeBox

secureCodeBox (SCB) - continuous secure delivery out of the box

View the Project on GitHub secureCodeBox/secureCodeBox

Using the secureCodeBox

First startup

  1. Access the engine http://your-docker-host:8080/
  2. Choose your admin credentials.

Admin setup

First time login

  1. Access the engine http://your-docker-host:8080/
  2. Access the admin login from the dropdown menu behind the 🏠 in the top right corner

Admin Section

  1. Use the following credentials for your first login:
Username: choosen Username
Password: choosen Password
  1. You are now logged in. Additional users can be created in the user managment section. New users are created without any permissions by default. They are not even permitted to log in. This can be changed by assigning them to the pre-exsisting groups or by granting them the required permission individually.

User management

Starting Scan-Processes using the Camunda UI

  1. After logging in via http://your-docker-host:8080/, the welcome screen will be displayed. From here you can start the different Camunda Web Apps.

Camunda Welcome Screen

  1. Click on Tasklist to see the list of open tasks.

Camunda Tasklist Screen

  1. Next select Start process to open the list of available processes.

List of process definitions

  1. Choose the desired scan process to display the form for configuring the scan. In this example Nmap Port Scan has been used.

Configure a scan

  1. Finally, start the scan process by clicking Start.

Note: A more detailed guide for the Camunda UI can be found here.

Configuring Persistence Providers

The secureCodeBox can save the security tests results into different data stores. A list with all availible stores and how to configure and use them can be found here.

Starting securityTests

Starting securityTests using the UI

When a scan is started via the Camunda UI, the scan is considered to be a manual scans. This means that its results has to be confirmed before they it gets persisted by the configured persistence provider (e.g. elasticsearch). The results will show up in the tasklist and will get persistet once their the task has been marked as completed.

Starting securityTests using the REST-API

When a scan is started via the REST-API, the scan is considered to be automated. This means that the results will get automatically persisted into the configured perssitence provider (e.g. elasticsearch). The results of the securityTest will however not show up in the tasklist. The securityTest will be completed directly and the results are only availible via the persistence provider or by accessing it via the Rest-API.

In order to start a scan via the REST-API, send a PUT-Request to the following URL: <<Engine_Address>>/box/securityTests.

The scanning target is set within the payload. A securityTest running a nmap port scan woud look like this:

[
  {
    "name": "nmap",
    "context": "Feature Team 1",
    "target": {
      "name": "example.com website",
      "location": "example.com",
      "attributes": {
        "NMAP_PARAMETER": "-Pn"
      }
    }
  }
]

You can check out a more detailed API documentation in the Swagger Docs of the secureCodeBox Engine. The Swagger Docs come together with the secureCodeBox Engine. You can access it at <<Engine_Address>>/swagger-ui.html. If you dont have one running yet you can look at the staticly exported version of it here: Static API Docs

Meta Fields and How to use them

MetaFields can be used to tag security tests with custom data relevant for you. We have encountered some data values which we found paticulary usefull and standardized their format to be used in multiple places. The list and formats can be found here.

MetaFields can currently only be set via the rest api. See the swagger docs for how to set them.

In Depth Scan Examples

The following links contain completes examples and explanations how to set up and start scans against demo application.

  1. Scanning modern Single Page Applications like OWASP Juice Shop using Arachni
  2. Scanning Server Rendered Applications like BodgeIt Store using Arachni
  3. Scanning Server Rendered Applications like BodgeIt Store using OWASP ZAP

Starting Scan-Processes using the CLI

We have introduced a simple secureCodeBox CLI which is based on the REST-API. This CLI can be used to configure and start Scan-Process or to integrate with you CI/CD Pipeline (e.g. Jenkins).

Multi Tenancy / Multi Environment Support

When using the secureCodeBox in multiple independent teams all managing their own infrastructure you can run into numerous problems, from isolated services only availible in specific networks to aggresive firewalls blocking any automated scans. The secureCodeBox is designed to handle these situations.

See the Multi Tenancy Docs and Example