Use this Terraform code to set up an EC2 instance in your AWS account. Set up an AWS account profile in your local environment called "securitytest". Caution: this is for educational purposes; you are setting up a vulnerable test environment with a publicly reachable IP address.

Steps:
- terraform init
- terraform apply

Use the key generated by Terraform (ec2-ssh-key-pem.pem) to execute the Ansible playbook.

Prerequisites:
- Adapt the second line in the file /terraform/ansible/hosts. This line needs to be the IP address that Terraform outputs for the applied EC2 instance.

Execute the following to set up Docker and Docker Compose on the EC2 instance:
- ansible-playbook --private-key=../ec2-ssh-key-pem.pem -i hosts playbook.yml
- ssh into the EC2 instance using the generated key (ssh -i ec2-ssh-key-pem.pem ubuntu@<ip_address_of_ec2>)
- clone this repo: https://github.com/manuel-sommer/security-introday-challenge.git
- go into the folder and run: docker-compose up --build -d
- visit the following URL in the browser: http://<ip_address_of_ec2>:8000
- Clone this repo into your respective GitLab project and push a commit. You will see the results of the scanners "safety" and "bandit", which are failing in this repo.
====================================================================================================================================================
Here is a badly written application with many flaws.
Your task is to:
- Study the application as a whole and identify the flaws. Try to fix as many of them as possible*.
- Containerize the application.
- Present the improved application and show us the changes you made.
Notes: *Some flaws cannot be fixed immediately. Document them and explain why they are bad and what you will change.
Requirements:
- GNU/Linux
- python >= 3.7
- pip >= 9.0
">=" means any version of the package above or equal to the specified version.
This application requires the tornado python package.
You can install it by using:
pip install tornado
Although things do not have to be this way 😉
The application can be found in the main.py file. You can start it by using:
python main.py
Visit http://localhost:8000. Log in with admin:letmein.
The application comes with a simple predefined sqlite3 database file, db. There are two tables:
users table

Column | Type | Null | Note |
---|---|---|---|
id | INTEGER | No | Primary key |
username | VARCHAR(255) | No | |
password | VARCHAR(255) | No | |

fruits table

Column | Type | Null | Note |
---|---|---|---|
id | INTEGER | No | Primary key |
name | VARCHAR(255) | No | |
quantity | INTEGER | No | |
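As an added reference for the schema above (example code written for this README, not the challenge's own main.py), the snippet below builds both tables in an in-memory sqlite3 database and shows a login check that binds user input as a query parameter and verifies a salted PBKDF2 hash instead of comparing a stored password string, plus a small audit that lists users whose password column is not in the hashed format. The admin:letmein credentials come from the README; the "legacy" row, the hash format and the fruit rows are constructed for the demo.

```python
"""Reference login check and password audit for the challenge's sqlite schema.

Added example, not code from the challenge repository. The two CREATE TABLE
statements mirror the README tables; everything else is constructed.
"""
import hashlib
import hmac
import os
import sqlite3

SCHEMA = """
CREATE TABLE users (
    id INTEGER PRIMARY KEY,
    username VARCHAR(255) NOT NULL,
    password VARCHAR(255) NOT NULL
);
CREATE TABLE fruits (
    id INTEGER PRIMARY KEY,
    name VARCHAR(255) NOT NULL,
    quantity INTEGER NOT NULL
);
"""

# Constructed storage format for the password column: algorithm$iterations$salt$digest.
HASH_PREFIX = "pbkdf2_sha256$"
ITERATIONS = 200_000


def hash_password(password, salt=None):
    """Return a salted PBKDF2-SHA256 hash string suitable for the password column."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "%s%d$%s$%s" % (HASH_PREFIX, ITERATIONS, salt.hex(), digest.hex())


def check_password(stored, candidate):
    """Constant-time check of a candidate against a stored hash.

    A row that still holds a plaintext password (no hash prefix) never matches,
    so migrating such rows is forced rather than silently tolerated.
    """
    parts = stored.split("$")
    if not stored.startswith(HASH_PREFIX) or len(parts) != 4:
        return False
    _, iterations, salt_hex, digest_hex = parts
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def build_demo_db():
    """In-memory database with the README schema and constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("admin", hash_password("letmein")),  # credentials named in the README
    )
    conn.execute(
        "INSERT INTO users (username, password) VALUES (?, ?)",
        ("legacy", "hunter2"),  # constructed: a leftover plaintext row for the audit
    )
    conn.executemany(
        "INSERT INTO fruits (name, quantity) VALUES (?, ?)",
        [("apple", 3), ("banana", 0)],
    )
    conn.commit()
    return conn


def verify_login(conn, username, password):
    """Parameterized lookup: the username is bound, never spliced into the SQL text,
    so quote characters in it are matched literally and cannot alter the query."""
    row = conn.execute(
        "SELECT password FROM users WHERE username = ?", (username,)
    ).fetchone()
    return row is not None and check_password(row[0], password)


def unhashed_accounts(conn):
    """Audit helper: usernames whose password column is not in the hashed format."""
    rows = conn.execute("SELECT username, password FROM users").fetchall()
    return [user for user, pw in rows if not pw.startswith(HASH_PREFIX)]


if __name__ == "__main__":
    db = build_demo_db()
    print("admin/letmein    ->", verify_login(db, "admin", "letmein"))
    print("admin/wrong      ->", verify_login(db, "admin", "wrong"))
    print("quoted username  ->", verify_login(db, "admin' OR '1'='1", "x"))
    print("legacy/hunter2   ->", verify_login(db, "legacy", "hunter2"))
    print("unhashed accounts:", unhashed_accounts(db))
```

Running the file prints True for admin/letmein and False for the other three logins; the audit lists "legacy". Rejecting plaintext rows outright in check_password is a deliberate choice: it makes an unmigrated password column visible as failed logins rather than leaving a mixed store in place.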