bitkeks
commented
7 months ago @90n20 and @Seykotron created a proposal for the pipeline consisting of six tools:
- Naabu: port scanning tool used for identifying open ports
- HTTPx: HTTP toolkit for web server fingerprinting
- Nuclei: template-based vulnerability scanner
- Greenbone Community Edition (OpenVAS): vulnerability scanner for comprehensive assessments of networks, hosts, and applications
- ZAP Proxy: intercepting HTTP proxy for DAST
- Defect Dojo: security program and vulnerability management tool (needs to have a dedicated instance).
This proposal was discussed and approved.
The current work consists of containerizing the applications. Further work will deploy the pipeline in Zuul.
As a CSP, I want to continuously scan my running infrastructure so that I discover security issues in a timely manner.
The implementation is based on a pipeline of security tools that are executed periodically. These tools scan the running infrastructure, similar to a DAST (dynamic app sec testing). The pipeline can be triggered when a new deployment is rolled out or via defined points in time.