medic / cht-core

The CHT Core Framework makes it faster to build responsive, offline-first digital health apps that equip health workers to provide better care in their communities. It is a central resource of the Community Health Toolkit.
https://communityhealthtoolkit.org
GNU Affero General Public License v3.0
435 stars, 204 forks

Automated penetration testing #8316

Open garethbowen opened 1 year ago

garethbowen commented 1 year ago

Describe the issue

Currently we aren't made aware of any regressions in our security.

Describe the improvement you'd like

Have an automated script to run a penetration test suite. This could be with the Rapid7 account that's already set up (credentials in 1pass), or some other test suite, or multiple solutions. Depending on the suite this may be run every commit as part of CI, or more likely periodically (monthly, or on beta) because it may be a long running task and potentially expensive. Make sure the results are recorded somewhere.

Describe alternatives you've considered

Manual security testing, but much of the work is repetitive.

ralfudx commented 7 months ago

Hey @garethbowen, just bouncing back on this as I now have a dedicated public instance to use for testing. I just wanted to get some more clarity and context on the initial task at hand. I know we discussed the scans and how to make them automatic with a good reporting structure; I'd be glad to get more direction on the expectations.

garethbowen commented 7 months ago

The first step is to run the Rapid7 scan manually so we can verify it still works, and get a report with todo items. This may need some updating with the new instance and credentials. Once you've done that and it runs successfully let me know and I'll grab the report and go through it and raise any required fixes.

After that it's a matter of creating a new build that triggers the test.

ralfudx commented 7 months ago

Hi @garethbowen, I completed the manual scan and the results show about 98 vulnerabilities with zero High ones: https://us.appsec.insight.rapid7.com/op/7FE0B36A2FF64240EF0C/#/apps/b6882119-9b8a-4e4c-b89b-4e78dfb4c3ef/configuration/cab05d71-7320-4ab1-83b9-1927c0feb214/scan/75338cc8-75da-400a-8578-92395bb7b88e. Compared to the first scan (CHT instance with no data), which took approximately 45 minutes, this new scan took about 6 hours 31 minutes to complete (I'm not sure why). Kindly have a look and advise on next steps.

garethbowen commented 7 months ago

@ralfudx Nice!

Firstly, I've exported that report and uploaded to https://drive.google.com/drive/u/0/folders/1J5HBx6lN-pp2J4AEtv-mH61PPErWwq4k so we have a history even if we lose access to Rapid7.

Secondly, can you please share login credentials to the CHT server on 1password so others can review the setup.

I had a quick look and the most serious ones will take a little effort to reproduce so we'll need some time to dig through.

The next step would be to figure out how to trigger a run from GitHub Actions. This will probably include...

Ask around in the product-infrastructure channel on Slack for help with these.
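As an added example of the trigger-and-record flow that the issue description (periodic runs, results recorded somewhere) and the comment above (a run triggered from GitHub Actions) ask for, this is a script a scheduled workflow could execute: it starts the InsightAppSec scan for a saved scan config, polls until the scan finishes, returns the findings as a JSON report for the job to archive, and fails the job when anything at or above a chosen severity comes back. It is not code from cht-core, from the medic/security-rapid7 repository, or from anyone in this thread. The base URL, endpoint paths, JSON field names and status/severity strings are my reading of the InsightAppSec v1 API and should be checked against Rapid7's API reference before use; FakeClient, SAMPLE_FINDINGS and the scan config id are constructed for the example.

```python
"""Kick off a Rapid7 InsightAppSec scan from CI, wait for it, keep the findings
as a JSON record and fail the job above a chosen severity.
Added example for this issue, not code from cht-core or medic/security-rapid7.
Base URL, endpoint paths, JSON fields and status/severity strings are assumptions
about the InsightAppSec v1 API; FakeClient and SAMPLE_FINDINGS are constructed."""
import json
import time
import urllib.request

SEVERITY_RANK = {"SAFE": 0, "INFORMATIONAL": 1, "LOW": 2, "MEDIUM": 3, "HIGH": 4}
TERMINAL_STATUSES = {"COMPLETE", "FAILED", "CANCELED"}  # assumed status names


class InsightAppSecClient:
    """Thin client over the regional REST API (assumed base URL and auth header)."""
    def __init__(self, api_key, region="us"):
        self.base = f"https://{region}.api.insight.rapid7.com/ias/v1"
        self.api_key = api_key

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base + path, data=data, method=method)
        req.add_header("X-Api-Key", self.api_key)
        req.add_header("Content-Type", "application/json")
        with urllib.request.urlopen(req, timeout=60) as resp:
            raw = resp.read()
            return (json.loads(raw) if raw else {}), resp.headers

    def start_scan(self, scan_config_id):
        # POST /scans runs a saved scan config; new scan URL comes back in Location (assumed)
        _, headers = self._call("POST", "/scans", {"scan_config": {"id": scan_config_id}})
        return headers["Location"].rstrip("/").rsplit("/", 1)[-1]

    def scan_status(self, scan_id):
        return self._call("GET", f"/scans/{scan_id}")[0]["status"]

    def scan_vulnerabilities(self, scan_id):  # search endpoint, assumed query syntax
        body, _ = self._call("POST", "/search", {
            "type": "VULNERABILITY", "query": f"vulnerability.scans.id='{scan_id}'"})
        return body.get("data", [])


def wait_for_scan(client, scan_id, poll_seconds=60, max_seconds=8 * 3600, sleep=time.sleep):
    """Poll until COMPLETE. The ceiling is generous because the scan in this issue
    took 6.5 h; FAILED/CANCELED or running out of time raises instead of hanging."""
    waited = 0
    while True:
        status = client.scan_status(scan_id)
        if status == "COMPLETE":
            return status
        if status in TERMINAL_STATUSES:
            raise RuntimeError(f"scan {scan_id} ended with status {status}")
        if waited >= max_seconds:
            raise TimeoutError(f"scan {scan_id} still {status} after {waited}s")
        sleep(poll_seconds)
        waited += poll_seconds


def summarize(findings):
    """Count findings per severity, highest first, so successive runs compare directly."""
    counts = {s: 0 for s in sorted(SEVERITY_RANK, key=SEVERITY_RANK.get, reverse=True)}
    for f in findings:
        counts[f.get("severity", "INFORMATIONAL").upper()] += 1
    return counts


def violates_gate(summary, fail_at="HIGH"):
    """True when any finding is at or above fail_at: the condition that fails the job."""
    return any(n and SEVERITY_RANK[s] >= SEVERITY_RANK[fail_at] for s, n in summary.items())


def run(client, scan_config_id, fail_at="HIGH", sleep=time.sleep, poll_seconds=60):
    """Whole flow; returns (report dict, gate failed). The caller archives the report."""
    scan_id = client.start_scan(scan_config_id)
    wait_for_scan(client, scan_id, poll_seconds=poll_seconds, sleep=sleep)
    findings = client.scan_vulnerabilities(scan_id)
    summary = summarize(findings)
    report = {"scan_id": scan_id, "summary": summary, "findings": findings}
    return report, violates_gate(summary, fail_at)


class FakeClient:
    """Constructed stand-in with the same three methods so the flow runs offline."""
    def __init__(self, statuses, findings):
        self.statuses, self.findings = list(statuses), findings
    def start_scan(self, scan_config_id):
        return "scan-0001"
    def scan_status(self, scan_id):  # walk the status list, then stay on the last entry
        return self.statuses.pop(0) if len(self.statuses) > 1 else self.statuses[0]
    def scan_vulnerabilities(self, scan_id):
        return self.findings


SAMPLE_FINDINGS = [  # constructed; not the findings from the scan linked in this thread
    {"id": "v1", "severity": "MEDIUM", "title": "Cookie without HttpOnly flag"},
    {"id": "v2", "severity": "LOW", "title": "Server header reveals version"},
    {"id": "v3", "severity": "INFORMATIONAL", "title": "Directory listing enabled"},
]

if __name__ == "__main__":
    # Real runs: InsightAppSecClient(api_key_from_ci_secret) with the saved scan config id.
    report, failed = run(FakeClient(["PENDING", "RUNNING", "COMPLETE"], SAMPLE_FINDINGS),
                         "scan-config-id", sleep=lambda _: None)
    with open("rapid7-report.json", "w") as fh:  # the CI job uploads this as its artifact
        json.dump(report, fh, indent=2)
    raise SystemExit(1 if failed else 0)  # non-zero exit fails the workflow
```

In a workflow this would sit behind `on: schedule` (a monthly cron, matching the "periodically" option in the issue) plus `workflow_dispatch` for runs against a beta, with the API key read from a repository secret rather than from 1Password, and the written JSON uploaded with the artifact-upload step so a history survives even if the Rapid7 account goes away. The gate defaults to failing on High, which mirrors the "zero High ones" bar used when reading the manual scan; tightening it to Medium is a one-argument change. Two caveats a practitioner should keep in mind: the polling ceiling has to cover the multi-hour scan times seen in this thread, and a status other than COMPLETE must fail the job loudly rather than be reported as "no findings".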

ralfudx commented 5 months ago

So far, in the early stages of this project we've managed to create a sample repository https://github.com/medic/security-rapid7 and also created:

Next steps will be to: