Open 90n20 opened 9 months ago
We have created an Ubuntu instance in the default Testbed "test" project and installed the needed tooling (the same as defined in the proposed pentesting methodology, that is, Naabu + Httpx + Nuclei + ZAP + Greenbone CE).
The goal of the tests being performed (both with the above tools and by hand) is to determine if there are components that could be reached from the network and/or if infrastructure services are accessible.
Work has been finished performing the tests over two different instances, one running the included CirrOS and another running Ubuntu 22.04.
No significant issues have been identified, as machines only have visibility to Horizon and Homer web interfaces.
Results have been uploaded to Nextcloud at CirrOS+Ubuntu instances internal assessment report
Summarized PDF report uploaded to Nextcloud at Instances internal assessment report
As an SCS security auditor, I want to perform a pentest from an instance deployed on a testbed project, so that I could identify and report possible security flaws from the point of view of a "cloud user".
Related to #410
Definition of Ready:
Definition of Done: