A Jenkins end-to-end DevSecOps pipeline for Python web application, hosted on AWS Ubuntu 18.04
Disclaimer: This project is for demonstration purpose with surface level checks only, do not use it as-is for production
Checkout project - check out python application project repository with XSS vulnerability
git secret check - check there is no password/token/keys/secrets accidently commited to project github
SCA - check external dependencies/libraries used by the project have no known vulnerabilities
SAST - static analysis of the application source code for exploits, bugs, vulnerabilites
Container audit - audit the container that is used to deploy the python application
DAST - deploy the application, register, login, attack & analyse it from the frontend as authenticated user
System security audit - analyse at the security posture of the system hosting the application
WAF - deploy application with WAF which will filter malicious requests according to OWASP core ruleset
- Clone this repository to your Ubuntu Server (t2-medium recommended)
git clone https://github.com/pawnu/PythonSecurityPipeline.git
-
Edit the code to make it work on your AWS
- Change to your AWS subnet vpc_subnet_id
- Change to your AWS security_group (allow inbound ssh(22), WAF(80), Optional web-app(10007) from your IP ONLY)
- Create an IAM role which gives full-ec2-access and assign it to your ubuntu server
-
Run the setup script to create CICD server with Jenkins+pipeline ready to go
cd PythonSecurityPipeline
sudo sh setup-ubuntu.sh
- Make sure your firewall allows incoming traffic to port 8080. Then, go to your jenkins server URL
http://your-jenkins-server:8080/
- Use the temporary credentials provided on the logs to login. Change your password!
- Go to the python pipeline project dashboard, click on "Build Now" button to start it off.
A sample pipeline is already provided through automation
- Click on New Item, input name for your project and select Pipeline as the option and click OK.
- Scroll down to Pipeline section - Definition, select "Pipeline script from SCM" from drop down menu.
- Select Git under SCM, and input Repository URL.
- (Optional) Create and Add your credentials for the Git repo if your repo is private, and click Save.
- You will be brought to the Dashboard of your Pipeline project, click on "Build Now" button to start off the pipeline.
To do list:
- Select appropriate security tools and sample python project
- Set up Jenkins server using docker (Dockerfile) and pipeline as code (Jenkinsfile) to run the checks
- Use ansible to create AWS ec2 test instance, configure the environment, and interact with it
- Hook up the web-app with
nginx+modsecurity providing WAF,DDoS protection, reverse proxy capabilities - Bootstrap with Jenkins API/configfile to setup and automatically create the pipeline job
- Carry out authenticated DAST scan on the python web app
- Pawan Uppadey - pawnu
A laboratory for learning secure web development in a practical manner.
By provisioning local environments via docker-compose, you will learn how the most critical web application security risks are exploited and how these vulnerable codes can be fixed to mitigate them. 👩💻
After forking this repository, you will find multiple intended vulnerable apps based on real-life scenarios in various languages such as Golang, Python and PHP. A good start would be installing the ones you are most familiar with. You can find instructions to do this on each of the apps. 💡
Each of them has an Attack Narrative section that describes how an attacker would exploit the corresponding vulnerability. Before reading any code, it may be a good idea following these steps so you can better understand the attack itself. 💉
Now it's time to shield the application up! Imagine that this is your application and you need to fix these flaws! Your mission is writing new codes that mitigate them and sending a new Pull Request to deploy a secure app! 🔐
After mitigating a vulnerability, you can send a Pull Request to gently ask the secDevLabs community to review your new secure codes. If you're feeling a bit lost, try having a look at this mitigation solution, it might help! 🚀
Disclaimer: You are about to install vulnerable apps in your machine! 🔥
| Vulnerability | Language | Application |
|---|---|---|
| A1 - Injection | Golang | CopyNPaste API |
| A1 - Injection | NodeJS | Mongection |
| A1 - Injection | Python | SSType |
| A2 - Broken Authentication | Python | Saidajaula Monster Fit |
| A2 - Broken Authentication | Golang | Insecure go project |
| A3 - Sensitive Data Exposure | Golang | SnakePro |
| A4 - XML External Entities (XXE) | PHP | ViniJr Blog |
| A5 - Broken Access Control | Golang | Vulnerable Ecommerce API |
| A5 - Broken Access Control | NodeJS | Tic-Tac-Toe |
| A6 - Security Misconfiguration | PHP | Vulnerable Wordpress Misconfig |
| A6 - Security Misconfiguration | NodeJS | Stegonography |
| A7 - Cross-Site Scripting (XSS) | Python | Gossip World |
| A8 - Insecure Deserialization | Python | Amarelo Designs |
| A9 - Using Components With Known Vulnerabilities | PHP | Cimentech |
| A10 - Insufficient Logging & Monitoring | Python | GamesIrados.com |
We encourage you to contribute to SecDevLabs! Please check out the Contributing to SecDevLabs section for guidelines on how to proceed! 🎉
This project is licensed under the BSD 3-Clause "New" or "Revised" License - read LICENSE.md file for details. 📖