The main objective of this project is to provide a cloud-based service that lets developers run security scans against their web applications without any prior knowledge of, or experience in, using and configuring security testing tools. As mentioned in the WSO2 GSoC project proposals, the project has two main steps.
In the first step I am going to create preconfigured Docker images for web vulnerability scanners (OWASP Dependency Check, OWASP ZAP, FindSecBugs), so that anyone can pull the preconfigured images, run containers from them and perform security testing with minimal effort. Once that is done, the second step is to use these Docker images to build a cloud computing solution in which developers/testers provide their source code and get the security testing done for them.
To provide the cloud computing solution I am going to create a web application for end users, where they can supply either their source code or the URL of their web application (if they provide only the URL, they will be able to run dynamic security testing only). End users will be able to provide their source code as a ZIP file or a WAR file, or as a GitHub, Google Drive or Dropbox link. Whichever way they provide the source code, the system will download, pull or extract the application code on the most suitable server (since this is a cloud computing system we could use a distributed computing solution for higher performance and efficiency), or we can run the security scans in parallel on the same server.
It is good if end users can provide the URL of the application when they want a dynamic scan with the ZAP tool, but if they have not hosted the application, the system will deploy it on the server. This deployment happens on the server that runs the FindSecBugs and OWASP Dependency Check scans, since ZAP only needs the URL of the application; so the ZAP tool can be started on another server in parallel with OWASP Dependency Check and FindSecBugs. When we use the ZAP tool for dynamic testing we need to manage sessions. To do that, the front-end application can ask for the URL of the login page, the names of the username and password fields, and the credentials of test users; the system will use these values to log in to the application when performing the ZAP scan, through a ZAP API request such as the following:
http://zap/JSON/authentication/action/setAuthenticationMethod/?zapapiformat=JSON&contextId=1&authMethodName=formBasedAuthentication&authMethodConfigParams=loginUrl%3Dhttp%253A%252F%252Fexample.com%252Flogin%252F%26loginRequestData%3Dusername%253D%257B%2525username%2525%257D%2526password%253D%257B%2525password%2525%257D
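As an added example (not part of the original post or of the ZAP project itself), here is how the values collected by the front end (login URL, username and password field names, test credentials) can be turned into the double-encoded ZAP API requests shown above; the ZAP host name `zap`, context id 1 and user id 0 are constructed sample values.

```python
"""Build the ZAP API requests that configure form-based authentication for a
context from the values the front end collects.

ZAP expects `authMethodConfigParams` and `authCredentialsConfigParams` to be
URL-encoded twice: each inner value is encoded once, then the joined
key=value&key=value string is encoded again when placed in the query string.
"""
from urllib.parse import quote

ZAP_BASE = "http://zap"  # constructed: host name of the ZAP container


def _encode_params(params: dict) -> str:
    # Encode each value once; the caller encodes the joined string again.
    return "&".join(f"{k}={quote(v, safe='')}" for k, v in params.items())


def _api_url(component: str, action: str, query: dict) -> str:
    # Outer query string: every value (including the joined params) is
    # encoded once more here, which yields the double encoding ZAP wants.
    qs = "&".join(f"{k}={quote(v, safe='')}" for k, v in query.items())
    return f"{ZAP_BASE}/JSON/{component}/action/{action}/?{qs}"


def set_form_auth_url(context_id: int, login_url: str,
                      user_field: str, pass_field: str) -> str:
    """URL that tells ZAP how to log in. {%username%} and {%password%} are
    ZAP's placeholders, filled in per user at scan time."""
    login_data = f"{user_field}={{%username%}}&{pass_field}={{%password%}}"
    config = _encode_params({"loginUrl": login_url,
                             "loginRequestData": login_data})
    return _api_url("authentication", "setAuthenticationMethod", {
        "zapapiformat": "JSON",
        "contextId": str(context_id),
        "authMethodName": "formBasedAuthentication",
        "authMethodConfigParams": config,
    })


def set_user_credentials_url(context_id: int, user_id: int,
                             username: str, password: str) -> str:
    """URL that attaches a test user's credentials to the context (the user
    itself is created beforehand with users/action/newUser)."""
    creds = _encode_params({"username": username, "password": password})
    return _api_url("users", "setAuthenticationCredentials", {
        "zapapiformat": "JSON",
        "contextId": str(context_id),
        "userId": str(user_id),
        "authCredentialsConfigParams": creds,
    })
```

A ZAP instance with an API key enabled additionally needs an `apikey` query parameter on each request.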
Once everything is in place the system will start the security scans and generate reports. Since web vulnerability scanning is a very time-consuming process (especially with the ZAP tool), the system will email the reports to the end user once the scans are done; and since all the tools generate XML reports, we can also let end users log in to the front-end application and view the results there. If we do that (not part of the GSoC project), then by collecting their feedback on the results and identifying the patterns and situations that produce false positives, we may be able to remove most of the false positives from the reports using machine learning techniques.