Automated Security Checks

pbinkley commented 9 years ago

As Security Officer, I want HydraNorth to be tested for security vulnerabilities regularly, so that we can have confidence in its security as soon as possible. We're aiming for coverage of OWASP ASVS Gold before the production launch. We expect that automated tools will take us part way there, and we need to understand the gap between what the tools can do and what we must do ourselves.

Done:

[x] Brakeman running on Jenkins CI server
[x] ZAP running on Jenkins CI server
[ ] OWTF deployed on Kali Linux workstation
[ ] Reports going to Ray in a way he can use

raywchan commented 9 years ago

(1) Dawn and (2) Brakeman were suggested during our web application security discussion on Mar 2. There are multiple OWASP tools ( https://www.owasp.org/index.php/OWASP_Project_Inventory#tab=Flagship_Projects ) that can also be used to improve websec. Specifically, we should make use of (3) OWASP Zed Attack Proxy and (4) OWASP OWTF for finding vulnerabilities. Can we include (1) - (4) into jenkins and/or travis?

pbinkley commented 9 years ago

OWASP Zed Attack Proxy moved to #361.

pgwillia commented 9 years ago

https://github.com/owtf/bootstrap-script for OWTF installation

yum install postgresql-devel libcurl-devel python-devel libxml2-devel libxslt-devel
wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh; chmod +x bootstrap.sh; ./bootstrap.sh

Results in error

building 'pycurl' extension
    creating build/temp.linux-x86_64-2.6
    creating build/temp.linux-x86_64-2.6/src
    gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DPYCURL_VERSION="7.19.5" -DHAVE_CURL_SSL=1 -I/usr/include/python2.6 -c src/docstrings.c -o build/temp.linux-x86_64-2.6/src/docstrings.o
    In file included from src/docstrings.c:4:
    src/pycurl.h:152:5: warning: #warning "libcurl was compiled with SSL support, but configure could not determine which " "library was used; thus no SSL crypto locking callbacks will be set, which may " "cause random crashes on SSL requests"
    gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DPYCURL_VERSION="7.19.5" -DHAVE_CURL_SSL=1 -I/usr/include/python2.6 -c src/easy.c -o build/temp.linux-x86_64-2.6/src/easy.o
    In file included from src/easy.c:1:
    src/pycurl.h:152:5: warning: #warning "libcurl was compiled with SSL support, but configure could not determine which " "library was used; thus no SSL crypto locking callbacks will be set, which may " "cause random crashes on SSL requests"
    src/easy.c: In function ‘do_curl_getinfo’:
    src/easy.c:1985: warning: call to ‘_curl_easy_getinfo_err_curl_slist’ declared with attribute warning: curl_easy_getinfo expects a pointer to struct curl_slist * for this info
    gcc -pthread -fno-strict-aliasing -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -DNDEBUG -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -D_GNU_SOURCE -fPIC -fwrapv -fPIC -DPYCURL_VERSION="7.19.5" -DHAVE_CURL_SSL=1 -I/usr/include/python2.6 -c src/module.c -o build/temp.linux-x86_64-2.6/src/module.o
    In file included from src/module.c:1:
    src/pycurl.h:152:5: warning: #warning "libcurl was compiled with SSL support, but configure could not determine which " "library was used; thus no SSL crypto locking callbacks will be set, which may " "cause random crashes on SSL requests"
    src/module.c: In function ‘initpycurl’:
    src/module.c:723: error: ‘CURLPROTO_IMAP’ undeclared (first use in this function)
    src/module.c:723: error: (Each undeclared identifier is reported only once
    src/module.c:723: error: for each function it appears in.)
    src/module.c:724: error: ‘CURLPROTO_IMAPS’ undeclared (first use in this function)
    src/module.c:725: error: ‘CURLPROTO_POP3’ undeclared (first use in this function)
    src/module.c:726: error: ‘CURLPROTO_POP3S’ undeclared (first use in this function)
    src/module.c:727: error: ‘CURLPROTO_SMTP’ undeclared (first use in this function)
    src/module.c:728: error: ‘CURLPROTO_SMTPS’ undeclared (first use in this function)
    src/module.c:729: error: ‘CURLPROTO_RTSP’ undeclared (first use in this function)
    src/module.c:730: error: ‘CURLPROTO_RTMP’ undeclared (first use in this function)
    src/module.c:731: error: ‘CURLPROTO_RTMPT’ undeclared (first use in this function)
    src/module.c:732: error: ‘CURLPROTO_RTMPE’ undeclared (first use in this function)
    src/module.c:733: error: ‘CURLPROTO_RTMPTE’ undeclared (first use in this function)
    src/module.c:734: error: ‘CURLPROTO_RTMPS’ undeclared (first use in this function)
    src/module.c:735: error: ‘CURLPROTO_RTMPTS’ undeclared (first use in this function)
    src/module.c:736: error: ‘CURLPROTO_GOPHER’ undeclared (first use in this function)
    error: command 'gcc' failed with exit status 1

    ----------------------------------------
  Rolling back uninstall of pycurl
Command "/usr/bin/python -c "import setuptools, tokenize;__file__='/tmp/pip-build-J4MHk1/pycurl/setup.py';exec(compile(getattr(tokenize, 'open', open)(__file__).read().replace('\r\n', '\n'), __file__, 'exec'))" install --record /tmp/pip-I3skd0-record/install-record.txt --single-version-externally-managed --compile" failed with error code 1 in /tmp/pip-build-J4MHk1/pycurl

pgwillia commented 9 years ago

Download 32 bit image from https://www.offensive-security.com/kali-linux-vmware-arm-image-download/

apt-get update
wget -N https://raw.githubusercontent.com/owtf/bootstrap-script/master/bootstrap.sh
chmod +x bootstrap.sh
./bootstrap.sh

service postgresql start
./owtf/owtf.py

Visit OWTF in browser

pgwillia commented 9 years ago

Installed ZAProxy Plugin in Jenkins following the documentation.
Created a new job HydraNorth Security to run ZAP
Reports published on every build

pbinkley commented 9 years ago

Remaining problem: timing out on Tricia's workstation. Needs Kali Linux. We will dual-boot one of the new workstations.

pbinkley commented 9 years ago

On hold until we get a workstation on which to deploy Kali Linux.

sfbetz commented 7 years ago

Requires prioritization from security perspective. How important is this for current scope of work? Must it happen in the next 6 months? If not, can we push to future? @pbinkley @raywchan

ualbertalib / HydraNorth

Automated Security Checks #222