Flight Plan: Automated Static and Dynamic Application Security Testing

This BoosterPack was created and authored by: Parabellyx

DAIR BoosterPacks are free, curated packages of cloud-based tools and resources about a specific emerging technology, built by experienced Canadian businesses who have built products or services using that technology and are willing to share their expertise.

Ready for takeoff?

Here’s what you’ll find in this Flight Plan

Overview

What is Argus?

Argus is an application security testing (AST) framework that deploys a running security test environment which can be incorporated into software development workflows. Argus is built on K3s, a lightweight Kubernetes distribution, so companies can deploy it quickly in the DAIR cloud and start static application security testing (SAST) and the more advanced dynamic application security testing (DAST). Bundling the necessary tools makes deployment fast and easy; the topic itself, however, remains complex and requires technical skills to fully understand the solution. The project is divided into two parts: first, the more straightforward SAST setup; second, the DAST setup, for those who wish to automate testing of their deployed web application.

What value has it added to my business?

Adding structured application security testing to the software development workflow helps ensure that your code base has been checked for vulnerabilities and enforces consistent coding practices. Vulnerability scanning and consistent coding practices raise the quality of the software produced and give end-users confidence that the application has undergone security quality assurance and quality control.

SAST Component

Argus uses a free and open-source offering to help developers become familiar with the SAST workflows and understand highlighted security issues. This solution can be installed in the DAIR Cloud (or on-prem, or at home) for learning and experimenting. The only requirements are a virtual machine and access to the application source code.

While there are commercial SAST solutions, they come with specific caveats. Some provide free or low-cost tiers but require that the code base be placed in a publicly accessible source code repository. Others are targeted at developers interested in trialing the product and may not provide access to the features that help address security issues in the code. Another concern is that some SAST products don’t publish upfront pricing, forcing you to consult sales staff for pricing information.

DAST Component

The DAST space has few free production-grade offerings. Argus addresses this gap by leveraging the popular open-source tool Zaproxy. Combining Zaproxy with industry best practices helps you learn how to integrate a DAST solution into your continuous integration and continuous delivery (CI/CD) pipeline.

Best Practices

HTTPS Encryption

It is strongly recommended that you use a valid HTTPS certificate so that communications between client and server are encrypted. Refer to the Security section of the Sample Solution for the use of TLS certificates. Let’s Encrypt can be used if the organization does not have an existing SSL/TLS certificate and/or a domain registered in DNS, but this is not the preferred production solution.

Backup Strategy

Argus was designed for deployment on K3s, a lightweight Kubernetes implementation installed on a single VM. K3s simplifies operation so that you don’t need to thoroughly understand and implement the underlying components required to run Kubernetes. It also lets the whole solution be backed up with VM snapshots and recovered through VM restores. Not everyone will adopt this backup strategy, but it allows teams to test out Argus and recover to a known copy quickly without resorting to expensive backup solutions. Organizations that want to use Argus in a full Kubernetes environment can take the YAML files from the source code repository and customize them to meet their needs (for example, to use Kubernetes packages like FluxCD for more DevOps-oriented workflows).

Admin Passwords

Strong admin passwords are supplied by default for this Sample Solution. Do not keep passwords in the source code repository; instead, use the ‘secrets’ capability supplied by the CI/CD pipeline tools or cloud providers to store them securely.
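The rule above is easiest to enforce automatically. The script below is an added example, not part of the Argus BoosterPack: a pre-commit style check that refuses a commit containing the kinds of material this section says must stay out of the repository (the *.secret files Argus keeps in its secrets directory, private keys, .env files, and literal credential assignments), while allowing values that are references to a CI or cloud secrets store. The file names, the regex, and the fixture directory it builds are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not part of the Argus BoosterPack): refuse to commit
# credentials. File names, patterns and the fixture are assumptions.

# Credential assignments to refuse, as a case-insensitive extended regex:
# optional prefix (e.g. ADMIN_), a credential keyword, then "=" or ":" and a
# literal value. Values starting with "$" are references to a pipeline or
# cloud secrets store (the recommended pattern) and are allowed.
SECRET_LINE_RE='^[[:space:]]*[A-Za-z_]*(password|passwd|secret_key|api_key|token)[[:space:]]*[=:][[:space:]]*[^[:space:]$]+'

# scan_for_secrets DIR: list offending files; return 1 if any, 0 if clean.
scan_for_secrets() {
  dir=$1
  # Whole files that are secrets by nature: *.secret files, private keys, .env
  files=$(find "$dir" -type f \( -name '*.secret' -o -name '*.pem' -o -name '*.key' -o -name '.env' \) ! -path '*/.git/*')
  # Text files containing a literal credential assignment (-I skips binaries)
  lines=$(grep -rIliE --exclude-dir=.git -e "$SECRET_LINE_RE" "$dir" 2>/dev/null || true)
  hits=$(printf '%s\n%s\n' "$files" "$lines" | sed '/^$/d' | sort -u)
  if [ -n "$hits" ]; then
    printf 'refusing commit, credentials found in:\n%s\n' "$hits"
    return 1
  fi
  echo "no credentials found"
  return 0
}

# make_fixture DIR: build a constructed checkout for demonstration only.
make_fixture() {
  mkdir -p "$1/secrets" "$1/ci"
  # The kind of file the Argus secrets directory holds; must never be committed
  echo 'constructed-admin-password' > "$1/secrets/admin.secret"
  # A literal credential pasted into a config file
  printf 'sonar.host.url=https://sonar.example.org\nADMIN_PASSWORD=constructed-Pa55word\n' > "$1/ci/deploy.properties"
  # The recommended pattern: values come from the CI secrets store at run time
  printf 'SONAR_TOKEN=$SONAR_TOKEN_FROM_CI\npassword: $ADMIN_PASSWORD_FROM_VAULT\n' > "$1/ci/pipeline.env.sh"
  # Prose that mentions passwords is not a credential
  echo 'Set the admin password through the CI secrets capability.' > "$1/README.txt"
}

# Usage: scan_for_secrets path/to/checkout (e.g. from .git/hooks/pre-commit).
# With no argument, run against the constructed fixture.
if [ "$#" -gt 0 ]; then
  scan_for_secrets "$1"
else
  fx=$(mktemp -d)
  make_fixture "$fx"
  scan_for_secrets "$fx" || echo "(exit status $? would block the commit)"
  rm -rf "$fx"
fi
```

On the fixture the check flags secrets/admin.secret and ci/deploy.properties and leaves ci/pipeline.env.sh alone, because its values are `$`-references that the pipeline fills in from its secrets store at run time.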

Tips

HTTPS Issue with SonarScanner

If you have installed a valid HTTPS certificate from Let’s Encrypt and the SonarScanner has problems connecting to SonarQube, the error logs may refer to an invalid certificate. To verify that the HTTPS certificate is valid, run the following from a Linux system (where [server] is the FQDN or public IP address):

openssl s_client -connect [server]:443

Inspect the output for communication or verification errors. In some situations the certificate chain the server presents is missing the issuer (intermediate) certificate. For organizations using Terraform, refer to the ACME provider instructions on creating HTTPS certificates with Let’s Encrypt.
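The script below is an added example, not part of the Argus BoosterPack: it runs the openssl check from this tip and turns the output into a plain diagnosis, including the missing-issuer case. Two things it adds to the bare command are `-servername`, so a server that hosts several certificates presents the one for the name you are testing, and `-showcerts`, so the number of certificates the server actually sent can be counted. The two sample reports are constructed to resemble s_client output; they are not real captures, and the host names in them are placeholders.

```shell
#!/bin/sh
# Added example (not part of the Argus BoosterPack): check a TLS chain the way
# the tip describes and classify the result. Sample reports are constructed.

# fetch_tls_report HOST: connect to HOST:443. -servername sends the SNI name;
# -showcerts prints every certificate the server sends (leaf + intermediates).
fetch_tls_report() {
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>&1
}

# diagnose_tls_report: read an s_client report on stdin, print one line,
# return 0 only when OpenSSL verified the whole chain.
diagnose_tls_report() {
  report=$(cat)
  # Final verdict line, e.g. "Verify return code: 21 (unable to verify the first certificate)"
  code=$(printf '%s\n' "$report" | sed -n 's/^Verify return code: \([0-9][0-9]*\) .*/\1/p' | tail -n 1)
  # Number of certificates the server actually sent
  sent=$(printf '%s\n' "$report" | grep -c -e '-----BEGIN CERTIFICATE-----' || true)
  case "$code" in
    0)
      echo "ok: chain verified, $sent certificate(s) sent"
      return 0 ;;
    20|21)
      # 20 = unable to get local issuer certificate, 21 = unable to verify the
      # first certificate: the leaf's issuer is not in the chain that was sent
      if [ "$sent" -le 1 ]; then
        echo "broken chain: only the leaf certificate was sent; the issuer (intermediate) certificate is missing"
      else
        echo "broken chain: issuer of the first certificate could not be verified (code $code)"
      fi
      return 1 ;;
    10)
      echo "certificate has expired (code 10)"
      return 1 ;;
    "")
      echo "no verification result: handshake failed or port closed"
      return 1 ;;
    *)
      echo "verification failed (code $code)"
      return 1 ;;
  esac
}

# Constructed sample: a server that sends only its leaf certificate.
SAMPLE_MISSING_ISSUER='CONNECTED(00000003)
depth=0 CN = argus.example.org
verify error:num=20:unable to get local issuer certificate
verify return:1
---
Certificate chain
 0 s:CN = argus.example.org
   i:O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Verify return code: 21 (unable to verify the first certificate)'

# Constructed sample: the same server after the intermediate was added.
SAMPLE_OK='CONNECTED(00000003)
depth=2 O = Example CA, CN = Example Root
verify return:1
depth=1 O = Example CA, CN = Example Intermediate
verify return:1
depth=0 CN = argus.example.org
verify return:1
---
Certificate chain
 0 s:CN = argus.example.org
   i:O = Example CA, CN = Example Intermediate
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
 1 s:O = Example CA, CN = Example Intermediate
   i:O = Example CA, CN = Example Root
-----BEGIN CERTIFICATE-----
(constructed placeholder, not a real certificate)
-----END CERTIFICATE-----
---
Verify return code: 0 (ok)'

# With a host argument, check that host live; without one, run the two samples.
if [ "$#" -gt 0 ]; then
  fetch_tls_report "$1" | diagnose_tls_report
else
  printf '%s\n' "$SAMPLE_OK" | diagnose_tls_report
  printf '%s\n' "$SAMPLE_MISSING_ISSUER" | diagnose_tls_report
fi
```

A result of code 20 or 21 with a single certificate sent is the missing-issuer situation this tip describes: the leaf is fine, but the server was configured with the certificate alone instead of the full chain file, so clients such as the SonarScanner that carry only public root certificates cannot build a path to a trusted root.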

Forgot Default Password

Log on to the Argus server and go to /opt/argus/argus-infra-dair/secrets

The files with the .secret suffix contain your passwords.

Totally Broke Project Iris

If you need to reset Project Iris to its factory default state, log on to the Iris server through SSH and change to the directory /opt/argus/argus-infra-dair.

Run the following commands:

kubectl kustomize . | kubectl delete -f -
kubectl kustomize . | kubectl apply -f -

Wait about 10 minutes for the containers to come online, then proceed with configuring the applications. Alternatively, delete the DAIR instance you created and deploy the Parabellyx BoosterPack again.

Traps

In some rare instances, DAST scanning can leave a web application in a broken state, so the application is best built and deployed with proper CI/CD practices. If the application is broken after a DAST scan, simply redeploy it; CI/CD pipeline automation greatly reduces the downtime.

Resources

Consult the tutorials and documentation below for more detail on the technology and how to use it.

Tutorials

The table below provides a non-comprehensive list of links to tutorials that we’ve found to be most useful.

Tutorial | Content Summary
10 Great Tutorial Videos on Zap | Simon Bennetts has done a fantastic job addressing the void of an easily accessible tool for the open-source community. The link contains 10 videos that will help you understand how to use Zaproxy.
The Official Kubernetes Site | Official documentation for Kubernetes, the platform (via K3s) that Argus is deployed on.
SonarQube Documents | The official SonarQube website provides extensive detail on using and extending SonarQube for your use case. If you have your own Continuous Integration (CI) pipelines, SonarQube’s website gives detailed instructions on integrating the CI pipeline with the SonarQube installation.

Documentation

Please see the table below for a set of documentation resources for Argus.

Document | Summary
GitHub Repository and Documentation | Find it here.


Support

As a DAIR participant, you have access to support related to this BoosterPack. If you have questions, you can either post them in the DAIR Slack #help channel (this will provide the fastest response) or send an email to [email protected]

Got it? Now let us show you how we deployed it on the DAIR Cloud…

Argus Sample Solution

For small development teams that need their software products security tested, the Sample Solution demonstrates how to perform security scans on the source code and detect possible vulnerabilities in the deployed web applications. Unlike commercial solutions, this Sample Solution lets you stand up a fully operational SAST/DAST environment quickly, so you can modify it and start finding vulnerabilities in your application code or deployed web application.

Please see the Sample Solution: Rapid Static Application Security Testing (SAST) Deployment page for more information on how the Sample Solution works.

The Sample Solution showcases the following technologies: Jenkins, SonarQube and Zaproxy on K3s, described in the subsequent sections.