Dockerizing BDD-Security

[streichsbaer]

Hello Stephen,

I've done some work around dockerizing BDD-Security. If this is of interest I'm happy to create a pull request for it.

[tek911]

I think this is covered in Issue #33 . You beat me to the punch, i was just about to crank out a dockerfile for that. I for one would be interested in your pull request and docker file (i being no one special!).

[streichsbaer]

@stephendv1 I can't create pull requests for the wiki and would like to add the following text to 4-Running.md.

Docker

Follow the instructions below to create a docker image and run it.

# Build the image
docker build --no-cache -t continuumsecurity/bdd-security .

# run the test suite with the default configuration
docker run -d continuumsecurity/bdd-security

# run the test suite with custom TAGS and custom URLS
docker run -d -e "TAGS=@cwe-319-auth" -e "URL=http:\/\/localhost:8080\/xxx/" continuumsecurity/bdd-security

# alternatively you can run the below command to see the logs in the output
docker run -it continuumsecurity/bdd-security

Note that issue #68 tracks open items for the Dockerization.

[stephendv1]

Many thanks for this @streichsbaer! Have added to wiki and merged the pull request. Will leave this issue open for any further comments/improvements.

[hypery2k]

I think it would be great to enhance the Docker support:

• split up tests and features into a separate source dir
• use that dir as docker volume

This would allow easier upgrade path and may reduce the efforts and it could become possible to distribute a general docker image

[stephendv1]

@hypery2k interesting idea. That would make it easier to edit and modify the tests/features without touching the container.

[streichsbaer]

Fully agree. I've played around with this some more and it's very tedious to get new tests/features ready. Also, the size of the image is enormous ~1gb, which should be optimized. It gets even bigger when integrating sslyze into the container.

[hypery2k]

yeah already so that. I’ll try to start up a new fork and send a PR here

[ratzrattillo]

Is it already possible to use sslyze, when running bdd-security from a docker container?

[stephendv1]

@streichsbaer @hypery2k is this something you can answer?

[streichsbaer]

It is not currently possible @ratzrattillo. And to be frank, I wouldn't recommend it at the moment either. The current Dockerfile is for a Java runtime, and sslyze requires a Python runtime, which would blow the image up substantially,

[ratzrattillo]

Hello @stephendv1 @streichsbaer @hypery2k , Thank you for the fast reply! How about using a tool similar to sslyze, which is not requiring a special runtime environment? Similar and actively maintained tools would be sslscan (https://github.com/rbsec/sslscan) or O-Saft (https://github.com/OWASP/O-Saft) The projects could be compiled from source or get distributed as statically linked binaries, not requiring an additional runtime like python. Thus, bdd-security could be shipped as a docker container without having to give up on SSL-Scanning support. I like the idea of having my security tests running in a stable docker container and testing new tests and features in a DEV container. If the DEV container is stable enough, i could just hit a switch in Jenkins to now fire up the new container to start the new security tests :)

[stephendv1]

I wouldn't want to exclude sslyze just for the sake of avoiding a python runtime. Looking to the future, there are likely to be more tools that require this runtime that we can include in BDD-Security. The challenge is how to package this up so that you only get the runtime you need for your tests? Do we split BDD-Security into different functional areas and create sub-project? e.g. bdd-security.hosts for scanning systems, bdd-security.web for testing browser based web apps, bdd-security.api for testing http apis, etc.
This could make configuration simpler - so that if you just want to test ssl, then you don't have to do any selenium config. (Currently, it works like this, but there is only 1 config file so all the selenium config pieces are in there even if you don't have to use them).

[ratzrattillo]

@stephendv1 Splitting the project into different sub-projects for the different areas of security testing might surely help to also make it easier to use bdd-security in the first place. the size of single docker containers could also be reduced of course. However, the documentation must be adjusted to make it easier for beginners to use the framework ;)