DevSecOps Tutorial: How to implement DAST in CI/CD Pipeline

Introduction

I will walk through, step by step, how to implement Dynamic Application Security Testing (DAST) in your CI/CD pipeline. Before we get into the nitty-gritty of the CI/CD pipeline steps, below are the DAST tools we will use in this tutorial:

Nikto


Nikto is a web server scanner which performs comprehensive tests against web servers for multiple items, including over 6700 potentially dangerous files/programs, checks for outdated versions of over 1250 servers, and version-specific problems on over 270 servers.


  • Official Website

The official website for Nikto is https://cirt.net/nikto2-docs/; see it for the full documentation about Nikto.

  • How to use/download

You can go to Nikto's GitHub page to read its documentation on how to install and use it in your CI/CD pipeline.

  1. CLI Usage

Install

apt-get update && apt-get install nikto -y

Command

nikto -output [filename].xml -h [http or https website URL/IP]

Scan

nikto -output nikto_output.xml -h https://demo.testfire.net

  2. Docker

Get Docker Image

docker pull secfigo/nikto:latest

Scan

docker run --user $(id -u):$(id -g) --rm -v $(pwd):/report -i secfigo/nikto:latest -h https://demo.testfire.net -output /report/nikto-output.xml

SSLyze


SSLyze is a Python library and CLI tool that analyzes a server's SSL/TLS configuration by connecting to it. It runs on Python 2.7 and 3.4+ and scans SSL/TLS servers quickly and thoroughly. It checks for vulnerable cipher suites, insecure renegotiation, CRIME, Heartbleed, etc.


  • Official Website

The official website for SSLyze is URL; see it for the full documentation about SSLyze.

  • How to use/download

You can go to SSLyze's GitHub page to read its documentation on how to install and use it in your CI/CD pipeline.

  1. CLI Usage

Install

pip install --upgrade sslyze or pip3 install sslyze

Command

sslyze --regular [website:port] --json_out [filename].json

Scan

sslyze --regular demo.testfire.net:443 --json_out dast-sslyze-report.json

Nmap


Nmap ("Network Mapper") is a free and open source (licensed) utility for network discovery and security auditing. Nmap has a CLI and a great plugin ecosystem that helps DevOps teams with security scanning.


  • Official Website

The official website for Nmap is URL; see it for the full documentation about Nmap.

  • How to use/download

You can go to Nmap's GitHub page to read its documentation on how to install and use it in your CI/CD pipeline.

  1. CLI Usage

Install

apt-get update && apt-get install nmap -y

Command

nmap [website/ip] -oX [filename].xml

Scan

nmap demo.testfire.net -oX dast-nmap-report.xml

Now we will implement all three tools above in our CI/CD pipeline. Please follow the steps below:

Step 0: Set up a GitLab Account and GitLab Runner

If you don't have a GitLab account yet, please refer to this URL to set one up first, because the steps below assume your GitLab is already set up.

We will use the http://demo.testfire.net/ website as our target. This website is published by IBM Corporation for the sole purpose of demonstrating the effectiveness of IBM products in detecting web application vulnerabilities and website defects.

Step 1: GitLab Repo Setup & Clone the django-nv Source Code

Once we have cloned the repo (as shared above) and created a new project in our GitLab, we need to update the yml file as shown below:


Step 2: Update your .gitlab-ci.yml file

stages:
  - build
  - test
  - integration
  - prod

build:
  stage: build
  script:
    - echo "This is a build step"
    - echo "some tool output" > output.txt
  artifacts:
    paths: [output.txt]

dast-nikto:
  stage: integration
  script:
    - apt-get update && apt-get install nikto -y
    - nikto -output dast-nikto-report.xml -h https://demo.testfire.net
  artifacts:
    paths: [dast-nikto-report.xml]
    when: always
  allow_failure: true

dast-sslscan:
  stage: integration
  script:
    - pip3 install sslyze
    - sslyze --regular demo.testfire.net:443 --json_out dast-sslyze-report.json
  artifacts:
    paths: [dast-sslyze-report.json]
    when: always
  allow_failure: true

dast-nmap:
  stage: integration
  script:
    - apt-get update && apt-get install nmap -y
    - nmap demo.testfire.net -oX dast-nmap-report.xml
  artifacts:
    paths: [dast-nmap-report.xml]
    when: always
  allow_failure: true

prod:
  stage: prod
  script:
    - echo "This is a deploy step"
  when: manual # Continuous Delivery

Step 3: Commit YML file and Run the CI/CD Pipeline

Once we are done editing our .gitlab-ci.yml file, we need to click the "commit" button below to run our DAST tests in the CI/CD pipeline.


Step 4: Run the CI/CD Pipeline and See the DAST Tools' Result JSON/XML Files. We can see our CI/CD pipeline running on the pipeline page:


Once done, we will get the overall status of the stages. As we can see below, our DAST jobs failed, but since we set "allow_failure" in our YML file, the pipeline proceeds to the next stages:

Step 5: See All DAST Tools Result Reports

To see our DAST test results, we can click on each of the jobs we set in our .gitlab-ci.yml file and view the result JSON/XML files:

  • Nikto


<?xml version="1.0" ?>
<!DOCTYPE niktoscan SYSTEM "/etc/nikto/docs/nikto.dtd">
<niktoscan hoststest="0" options="-h demo.testfire.net -output /report/dast-nikto-report.xml" version="2.1.5" scanstart="Mon Aug  3 05:26:55 2020" scanend="Thu Jan  1 00:00:00 1970" scanelapsed=" seconds" nxmlversion="1.2">

<scandetails targetip="65.61.137.117" targethostname="demo.testfire.net" targetport="80" targetbanner="Apache-Coyote/1.1" starttime="2020-08-03 05:26:55" sitename="http://demo.testfire.net:80" siteip="http://65.61.137.117:80" hostheader="demo.testfire.net" errors="0" checks="6544">


<item id="999960" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[Cookie JSESSIONID created without the httponly flag]]></description>
<uri><![CDATA[/]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80/]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80/]]></iplink>
</item>

<item id="999976" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[The anti-clickjacking X-Frame-Options header is not present.]]></description>
<uri><![CDATA[/]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80/]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80/]]></iplink>
</item>

<item id="999990" osvdbid="0" osvdblink="http://osvdb.org/0" method="OPTIONS">
<description><![CDATA[Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS ]]></description>
<uri><![CDATA[/]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80/]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80/]]></iplink>
</item>

<item id="999978" osvdbid="397" osvdblink="http://osvdb.org/397" method="GET">
<description><![CDATA[HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.]]></description>
<uri><![CDATA[/]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80/]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80/]]></iplink>
</item>

<item id="999976" osvdbid="5646" osvdblink="http://osvdb.org/5646" method="GET">
<description><![CDATA[HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.]]></description>
<uri><![CDATA[/]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80/]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80/]]></iplink>
</item>

<item id="999972" osvdbid="0" osvdblink="http://osvdb.org/0" method="DEBUG">
<description><![CDATA[DEBUG HTTP verb may show server debugging information. See http://msdn.microsoft.com/en-us/library/e8z01xdh%28VS.80%29.aspx for details.]]></description>
<uri><![CDATA[HASH(0x5627edc78f20)]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80HASH(0x5627edc78f20)]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80HASH(0x5627edc78f20)]]></iplink>
</item>

<item id="999984" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[Server leaks inodes via ETags, header found with file /lpt9, fields: 0xW/0 0x0 ]]></description>
<uri><![CDATA[/lpt9]]></uri>
<namelink><![CDATA[http://demo.testfire.net:80/lpt9]]></namelink>
<iplink><![CDATA[http://65.61.137.117:80/lpt9]]></iplink>
</item>

<statistics elapsed="1520" itemsfound="7" itemstested="6544" endtime="2020-08-03 05:52:15" />
</scandetails>


</niktoscan>

  • SSLyze
  • Nmap
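Because the jobs above use allow_failure, the reports are only collected, never acted on. The script below is an added example (not part of the original tutorial or of Nikto) that parses the niktoscan XML format shown in the Nikto report above and turns it into a pass/fail decision a later pipeline job could use; the blocking patterns and the embedded sample report are assumptions constructed for this example.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the Nikto XML report above (not a real scan result).
SAMPLE_NIKTO_XML = """<?xml version="1.0" ?>
<niktoscan version="2.1.5">
<scandetails targethostname="example.test" targetport="80" checks="6544">
<item id="999960" osvdbid="0" osvdblink="http://osvdb.org/0" method="GET">
<description><![CDATA[Cookie JSESSIONID created without the httponly flag]]></description>
<uri><![CDATA[/]]></uri>
</item>
<item id="999978" osvdbid="397" osvdblink="http://osvdb.org/397" method="GET">
<description><![CDATA[HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.]]></description>
<uri><![CDATA[/]]></uri>
</item>
<statistics elapsed="1520" itemsfound="2" itemstested="6544" />
</scandetails>
</niktoscan>
"""

# Assumed policy for this example: a finding whose description contains one of these
# substrings fails the job; everything else is counted but does not block the pipeline.
BLOCKING_PATTERNS = ("'PUT' method", "'DELETE' may allow")

def parse_nikto_report(xml_text):
    """Flatten every <item> under each <scandetails> into one dict per finding."""
    findings = []
    for details in ET.fromstring(xml_text).iter("scandetails"):
        for item in details.findall("item"):
            findings.append({
                "id": item.get("id"),
                "osvdb": item.get("osvdbid"),
                "method": item.get("method"),
                "uri": item.findtext("uri", default=""),
                "description": item.findtext("description", default="").strip(),
            })
    return findings

def gate(findings, patterns=BLOCKING_PATTERNS):
    """Split findings into (blocking, informational); CI should fail when blocking is non-empty."""
    blocking = [f for f in findings if any(p in f["description"] for p in patterns)]
    return blocking, [f for f in findings if f not in blocking]

if __name__ == "__main__":
    # In the pipeline: python nikto_gate.py dast-nikto-report.xml (no argument: use the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NIKTO_XML
    blocking, informational = gate(parse_nikto_report(text))
    print(f"{len(blocking)} blocking, {len(informational)} informational findings")
    sys.exit(1 if blocking else 0)
```

Run it as an extra script line after the nikto command in the dast-nikto job; with allow_failure removed, a non-zero exit then stops the pipeline before the prod stage.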

Recap
