DAST operator

Dynamic application security testing (DAST) is a process of testing an application or software in an operating state.

This operator leverages OWASP ZAP to automate security testing of web applications and of APIs described by OpenAPI definitions.

The operator's current features:

  • Deploy an OWASP ZAP proxy defined in a custom resource
  • Scan an external URL defined in a custom resource
  • Scan internal services based on their annotations
  • API security testing based on an OpenAPI definition
  • Before an ingress is deployed, check whether its backend services have been scanned and whether the scan results are below the defined thresholds

On the DAST operator roadmap:

  • In the webhook, check whether the scanner job is running, completed or does not exist
  • Improve the service status check
  • Handle multiple service ports
  • Handle different service protocols
  • Use HTTPS instead of HTTP when connecting to ZAP
  • Generate a random ZAP API key if none is defined
  • API testing with JMeter and ZAP
  • Parameterized security payloads with fuzzing
  • Automated SQLi testing using SQLmap

Structure of the DAST operator:

The DAST operator runs two reconcilers and one validating admission webhook:

Reconcilers

  • DAST reconciler
  • Service reconciler

Webhook

  • Validating webhook for ingress

Current limitations:

With the webhook feature enabled, deploying an ingress only succeeds when the backend service has already been scanned. If you deploy something with Helm that contains both a service and an ingress definition, the ingress deployment will fail because the scan of the backend service has not finished yet.

Deploy the cert-manager

First of all, we need to deploy cert-manager:

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.4/cert-manager.crds.yaml
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.0.4

You can read more about installing cert-manager in the official documentation.

Deploy the dast-operator via Helm

Alternatively, you can install the operator via Helm:

helm repo add banzaicloud https://kubernetes-charts.banzaicloud.com/
helm install dast-operator banzaicloud/dast-operator

Build images and deploy the operator manually

git clone https://github.com/banzaicloud/dast-operator.git
cd dast-operator
make docker-build
make docker-analyzer

If you're using a Kind cluster for testing, you will have to load the images into it:

kind load docker-image banzaicloud/dast-operator:latest
kind load docker-image banzaicloud/dast-analyzer:latest

Clone dast-operator

git clone https://github.com/banzaicloud/dast-operator.git
cd dast-operator

Deploy dast-operator

make deploy

Examples

Deploy OWASP ZAP

Deploy the example CR:

kubectl create ns zaproxy
kubectl apply -f https://raw.githubusercontent.com/banzaicloud/dast-operator/master/config/samples/security_v1alpha1_dast.yaml -n zaproxy

Content of the Dast custom resource:

apiVersion: security.banzaicloud.io/v1alpha1
kind: Dast
metadata:
  name: dast-sample
spec:
  zaproxy:
    name: dast-test
    apikey: abcd1234

Deploy the application and initiate active scan

kubectl create ns test
kubectl apply -f https://raw.githubusercontent.com/banzaicloud/dast-operator/master/config/samples/test_service.yaml -n test

Content of test_service.yaml:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: test-deployment
  labels:
    app: nginx
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx
      secscan: dast
  template:
    metadata:
      labels:
        app: nginx
        secscan: dast
    spec:
      containers:
      - name: nginx
        image: nginx:1.16.0-alpine
        ports:
        - containerPort: 80
---
apiVersion: v1
kind: Service
metadata:
  name: test-service
  annotations:
    dast.security.banzaicloud.io/zaproxy: "dast-test"
    dast.security.banzaicloud.io/zaproxy-namespace: "zaproxy"
spec:
  selector:
    app: nginx
    secscan: dast
  ports:
  - port: 80
    targetPort: 80

Test the validating webhook

Deploy an ingress that uses the previously defined test-service as its backend:

kubectl apply -f https://raw.githubusercontent.com/banzaicloud/dast-operator/master/config/samples/test_ingress.yaml -n test

Example ingress definition:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test-ingress
  annotations:
    dast.security.banzaicloud.io/medium: "2"
    dast.security.banzaicloud.io/low: "5"
    dast.security.banzaicloud.io/informational: "10"
    nginx.ingress.kubernetes.io/rewrite-target: /
spec:
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: test-service
          servicePort: 80
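
The ingress above carries per-risk thresholds as annotations, and the README states that the webhook admits an ingress only when its backend has been scanned and the results are below those thresholds. The following Go program is an added example of that admission decision; it is not the operator's own code. It assumes a ScanSummary map of ZAP alert counts per risk level as a stand-in for the real ZAP result, treats each annotation value as the maximum allowed count for that risk, treats a missing annotation as "no limit", and adds a "high" risk level that the sample ingress does not set; all four of these are assumptions.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// annotationPrefix is the prefix used by the ingress annotations shown above.
const annotationPrefix = "dast.security.banzaicloud.io/"

// riskLevels are the risk categories that may carry a threshold.
// "high" is an assumption; the sample ingress only sets medium, low and informational.
var riskLevels = []string{"high", "medium", "low", "informational"}

// ScanSummary is the number of ZAP alerts per risk level for one backend service.
// It is a constructed stand-in for the scan result the operator reads from ZAP.
type ScanSummary map[string]int

// Decision is the webhook verdict for one ingress: admit or deny, with reasons.
type Decision struct {
	Allowed bool
	Reasons []string
}

// thresholdsFromAnnotations parses "<prefix><risk>: <n>" annotations into limits.
// A missing annotation means no limit for that risk (assumption);
// a non-numeric or negative value is rejected rather than silently ignored.
func thresholdsFromAnnotations(annotations map[string]string) (map[string]int, error) {
	limits := map[string]int{}
	for _, risk := range riskLevels {
		raw, ok := annotations[annotationPrefix+risk]
		if !ok {
			continue
		}
		n, err := strconv.Atoi(strings.TrimSpace(raw))
		if err != nil || n < 0 {
			return nil, fmt.Errorf("annotation %s%s: %q is not a non-negative integer", annotationPrefix, risk, raw)
		}
		limits[risk] = n
	}
	return limits, nil
}

// ValidateIngress denies the ingress when the backend has no scan result yet, when a
// threshold annotation is malformed, or when any alert count exceeds its threshold.
func ValidateIngress(annotations map[string]string, backend string, scans map[string]ScanSummary) Decision {
	limits, err := thresholdsFromAnnotations(annotations)
	if err != nil {
		return Decision{Allowed: false, Reasons: []string{err.Error()}}
	}
	summary, scanned := scans[backend]
	if !scanned {
		return Decision{Allowed: false, Reasons: []string{fmt.Sprintf("backend service %q has no scan result yet", backend)}}
	}
	d := Decision{Allowed: true}
	for _, risk := range riskLevels {
		limit, set := limits[risk]
		if !set {
			continue
		}
		if summary[risk] > limit {
			d.Allowed = false
			d.Reasons = append(d.Reasons, fmt.Sprintf("%s alerts: %d exceeds threshold %d", risk, summary[risk], limit))
		}
	}
	return d
}

func main() {
	// Constructed sample: the annotations of the ingress above and a scan summary
	// whose informational count is over its threshold.
	ann := map[string]string{
		annotationPrefix + "medium":        "2",
		annotationPrefix + "low":           "5",
		annotationPrefix + "informational": "10",
	}
	scans := map[string]ScanSummary{
		"test-service": {"medium": 1, "low": 5, "informational": 12},
	}
	d := ValidateIngress(ann, "test-service", scans)
	fmt.Printf("allowed=%v reasons=%v\n", d.Allowed, d.Reasons)
}
```

With the sample above the ingress is denied with a single reason (12 informational alerts against a limit of 10); a count equal to its limit is admitted, and a backend with no scan result is always denied, which is the limitation described in the README for Helm releases that ship a service and an ingress together.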

Scan external URL

kubectl create ns external
kubectl apply -f https://raw.githubusercontent.com/banzaicloud/dast-operator/master/config/samples/security_v1alpha1_dast_external.yaml -n external

Content of the DAST CR:

apiVersion: security.banzaicloud.io/v1alpha1
kind: Dast
metadata:
  name: dast-sample-external
spec:
  zaproxy:
    name: dast-test-external
    apikey: abcd1234
  analyzer:
    image: banzaicloud/dast-analyzer:latest
    name: external-test
    target: http://example.com

Define the OpenAPI definition as an annotation on a service:

apiVersion: v1
kind: Service
metadata:
  name: test-api-service
  annotations:
    dast.security.banzaicloud.io/zaproxy: "dast-test"
    dast.security.banzaicloud.io/zaproxy-namespace: "zaproxy"
    dast.security.banzaicloud.io/apiscan: "true"
    dast.security.banzaicloud.io/openapi-url: "https://raw.githubusercontent.com/sagikazarmark/modern-go-application/master/api/openapi/todo/openapi.yaml"
spec:
  selector:
    app: mga
    secscan: dast
  ports:
  - port: 8000
    targetPort: 8000
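
The two service manifests on this page are driven entirely by their annotations: which ZAP instance to use, in which namespace, and optionally an OpenAPI document for an API scan. The Go program below is an added example of turning those annotations into a validated scan specification; it is not the service reconciler's own code. The ServiceInfo and ServiceScanSpec types are constructed for the example, the fallback to the service's own namespace when zaproxy-namespace is absent is an assumption, and the single-port, HTTP-only target matches the roadmap items on this page (multiple ports and other protocols are listed as future work).

```go
package main

import (
	"fmt"
	"net/url"
	"strconv"
)

// annPrefix is the annotation prefix used by the service manifests above.
const annPrefix = "dast.security.banzaicloud.io/"

// ServiceInfo is the subset of a Kubernetes Service this example needs (constructed type).
type ServiceInfo struct {
	Name        string
	Namespace   string
	Annotations map[string]string
	Ports       []int32
}

// ServiceScanSpec is what the example derives from the annotations (constructed type).
type ServiceScanSpec struct {
	ZapName      string // name of the Dast-managed ZAP proxy
	ZapNamespace string // namespace of that proxy
	APIScan      bool   // true when an OpenAPI-driven scan was requested
	OpenAPIURL   string // OpenAPI document to import, when APIScan is true
	Target       string // in-cluster URL that ZAP would scan, e.g. http://test-service.test.svc:80
}

// ScanSpecFromService returns nil, nil for a service without the zaproxy annotation,
// an error for inconsistent annotations, and a spec otherwise.
func ScanSpecFromService(svc ServiceInfo) (*ServiceScanSpec, error) {
	ann := svc.Annotations
	zapName := ann[annPrefix+"zaproxy"]
	if zapName == "" {
		return nil, nil // no zaproxy annotation: the service is not marked for scanning
	}
	zapNS := ann[annPrefix+"zaproxy-namespace"]
	if zapNS == "" {
		zapNS = svc.Namespace // assumption: fall back to the service's own namespace
	}
	if len(svc.Ports) != 1 {
		return nil, fmt.Errorf("service %s/%s: exactly one port is supported, got %d", svc.Namespace, svc.Name, len(svc.Ports))
	}
	spec := &ServiceScanSpec{
		ZapName:      zapName,
		ZapNamespace: zapNS,
		// HTTP-only in-cluster target; other protocols are a roadmap item on the page.
		Target: fmt.Sprintf("http://%s.%s.svc:%d", svc.Name, svc.Namespace, svc.Ports[0]),
	}
	if raw, ok := ann[annPrefix+"apiscan"]; ok {
		apiScan, err := strconv.ParseBool(raw)
		if err != nil {
			return nil, fmt.Errorf("service %s/%s: apiscan %q is not a boolean", svc.Namespace, svc.Name, raw)
		}
		if apiScan {
			u := ann[annPrefix+"openapi-url"]
			if u == "" {
				return nil, fmt.Errorf("service %s/%s: apiscan is enabled but openapi-url is missing", svc.Namespace, svc.Name)
			}
			parsed, err := url.Parse(u)
			if err != nil || (parsed.Scheme != "http" && parsed.Scheme != "https") || parsed.Host == "" {
				return nil, fmt.Errorf("service %s/%s: openapi-url %q is not an http(s) URL", svc.Namespace, svc.Name, u)
			}
			spec.APIScan = true
			spec.OpenAPIURL = u
		}
	}
	return spec, nil
}

func main() {
	// Constructed sample mirroring the test-api-service manifest above, deployed in namespace "test".
	svc := ServiceInfo{
		Name:      "test-api-service",
		Namespace: "test",
		Annotations: map[string]string{
			annPrefix + "zaproxy":           "dast-test",
			annPrefix + "zaproxy-namespace": "zaproxy",
			annPrefix + "apiscan":           "true",
			annPrefix + "openapi-url":       "https://raw.githubusercontent.com/sagikazarmark/modern-go-application/master/api/openapi/todo/openapi.yaml",
		},
		Ports: []int32{8000},
	}
	spec, err := ScanSpecFromService(svc)
	if err != nil {
		fmt.Println("rejected:", err)
		return
	}
	fmt.Printf("%+v\n", *spec)
}
```

Rejecting an apiscan request that lacks an openapi-url, or whose URL is not http(s), keeps a misconfigured service from silently falling back to a plain crawl and being reported as "scanned".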

dast-operator's People

Contributors

ahma, dependabot[bot], matyix, parsiya, pbalogh-sa, pregnor

dast-operator's Issues

[Webhook] check the scanner job is running, completed or not exist

Is your feature request related to a problem? Please describe.
Improve webhook checks in order to determine the scanner job state.

Describe the solution you'd like to see
If the scanner job has not completed, the webhook would decline to deploy the ingress object.

Chart install fails with no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"

Describe the bug
When trying to install the helm chart on minikube running Server Version: v1.22.1 it fails with this error:

Error: failed to install CRD crds/security.banzaicloud.io_dasts.yaml: unable to recognize "": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"

Steps to reproduce the issue:

helm repo add banzaicloud-stable https://kubernetes-charts.banzaicloud.com
helm install dast-operator banzaicloud/dast-operator

Expected behavior
Expected chart to install

Screenshots
N/A

Additional context
minikube version: v1.23.0
helm version: version.BuildInfo{Version:"v3.6.3", GitCommit:"d506314abfb5d21419df8c7e7e68012379db2354", GitTreeState:"dirty", GoVersion:"go1.16.6"}

Helm chart for the operator

Is your feature request related to a problem? Please describe.
Create a helm chart.

Describe the solution you'd like to see
Create helm chart, and documentation.

Describe alternatives you've considered
Deploy the operator based on the README.md

webhook_config.yaml is missing in the repository

Describe the bug

The file webhook_config.yaml mentioned in one of the steps to install the dast-operator is missing in the repository.

Steps to reproduce the issue:

Expected behavior

Screenshots

Additional context

Error: INSTALLATION FAILED: failed to install CRD crds/security.banzaicloud.io_dasts.yaml: unable to recognize "": no matches for kind "CustomResourceDefinition" in version "apiextensions.k8s.io/v1beta1"

Describe the bug
Installation fails on k8s version 1.23

Steps to reproduce the issue:
#helm repo add banzaicloud https://kubernetes-charts.banzaicloud.com/
#helm install dast-operator banzaicloud/dast-operator

Screenshots

Additional context
#Kubectl version
Client Version: version.Info{Major:"1", Minor:"23", GitVersion:"v1.23.3", GitCommit:"816c97ab8cff8a1c72eccca1026f7820e93e0d25", GitTreeState:"clean", BuildDate:"2022-01-26T02:20:15Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"23+", GitVersion:"v1.23.3-2+d441060727c463", GitCommit:"d441060727c4632b67d09c9118a36a8590308676", GitTreeState:"clean", BuildDate:"2022-01-26T21:57:05Z", GoVersion:"go1.17.6", Compiler:"gc", Platform:"linux/amd64"}

Automated docker image build.

Is your feature request related to a problem? Please describe.
Build docker images in an automated way.

Describe the solution you'd like to see
When the dast-operator is tagged, a docker build should be triggered.

Running `make deploy` returns an error

Describe the bug
Followed the installation steps and running make deploy returns an error.


➜  dast-operator git:(master) ✗ make deploy
cd config/manager && kustomize edit set image controller=reg.captainjustin.space/banzaicloud/dast-operator:latest
kustomize build config/default | kubectl apply -f -
namespace/dast-operator-system unchanged
error: error validating "STDIN": error validating data: [ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.analyzer.properties.service.properties.spec.properties.ports): unknown field "x-kubernetes-list-map-keys" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps, ValidationError(CustomResourceDefinition.spec.validation.openAPIV3Schema.properties.spec.properties.analyzer.properties.service.properties.spec.properties.ports): unknown field "x-kubernetes-list-type" in io.k8s.apiextensions-apiserver.pkg.apis.apiextensions.v1beta1.JSONSchemaProps]; if you choose to ignore these errors, turn validation off with --validate=false
Makefile:43: recipe for target 'deploy' failed
make: *** [deploy] Error 1

Steps to reproduce the issue:

Running on Kubernetes 1.15.12

kubectl create namespace cert-manager
helm repo add jetstack https://charts.jetstack.io
helm repo update
kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v0.15.1/cert-manager.crds.yaml
helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v0.15.1
git clone https://github.com/banzaicloud/dast-operator.git
cd dast-operator
make deploy

Expected behavior
Should not error out and crash the install

Screenshots

Additional context
