Hi Suthagar,

Thank you for your interest in this project.

It's good to hear you already have some understanding of the tools and technologies. I believe you have already searched a bit about the suggested materials in other threads related to the same project topic; if not, you can find more details about the project in [1].

The diagram you have drawn below and the proposed idea are really good. Anyway, we have planned to do this automation in two steps. As the first step, you will have to create 3 separate docker images for the 3 types of scanning, and these will work independently. So the developer will be able to spawn a new docker instance from any of the above 3 and run the security scan. At this level, developers should be able to provide source code from their own machine/repository. As the 2nd step, we will add this to a cloud environment covered with a front-end API using a mechanism similar to the above; here the API should be able to receive the source code from any source and initiate the security testing.

As you have mentioned, it would be nice if we can have a mechanism to do the automation from the point where we have committed the source code into the repository. This can be done using "git hooks", and we have already tested this in Jenkins. Please find more details regarding this in [2]. Anyway, running the automation process per commit/merge will not be a great idea; we can have this as a bi-weekly process in the cloud environment, as this complete process sometimes takes around 2/3 days for a complete scan.

Also please note, during the dynamic scanning using ZAP, we have to crawl through the URLs and build a URL tree in the tool; ZAP will learn using this URL tree and will do the security scanning based on it. Anyhow, when automating this completely we won't have any way to create such URL trees, and we need to create this tree inside the docker image by crawling through the URLs inside the container (do a bit of research to achieve this :) ).

As ZAP is already providing a docker image [3], you can try out the dynamic scanning and security automation using it. We can have a hangout session to discuss more about the project if needed, at a convenient time.

[1] "[Dev] GSoC 2017 - Proposal 22: [Platform Security] Security Testing as a Service with Docker Containerization" @[email protected]
[2] https://medium.com/@PrakhashS/automating-the-boring-stuffs-using-zap-and-jenkins-continues-integration-d4461a6ace1a#.dnyg13yko
[3] https://github.com/zaproxy/zaproxy/wiki/Docker

Regards,
Prakhash

On Sat, Mar 25, 2017 at 11:04 AM, Suthagar Kailayapathy <[email protected]> wrote:

> Hi all,
>
> I am K.Suthagar who is studying at the Department of Computer Science and Engineering, Faculty of Engineering, University of Moratuwa. An aspiring young entrepreneur with good leadership skills and quick learning abilities. Simultaneously I am doing some non-academic projects at my startup Inncaps. I am also involved in Open Source Developments. You can reach me using the following links,
>
> - LinkedIn : https://www.linkedin.com/in/ksuthagar
> - GitHub : https://github.com/suthagar23
> - Website : http://suthagar.inncaps.com/
>
> Here, I am contacting you about the Google Summer of Code Projects 2017. When I came across the Google Summer of Code 2017 Project Ideas, I found some great projects at the WSO2 Page. After completing the reading of the Proposals, I have finalized and would like to contribute to the Proposal 22: [Platform Security] Security Testing as a Service with Docker Containerization project through GSoC 2017.
>
> I have referred some more about the mentioned technologies and I have some previous experience with some of these technologies.
>
> - FindSecBugs - I am using this static testing to ensure my security bugs and problems in Java Code using my IntelliJ Idea IDE and I have been familiar with this plugin for several months.
>
> - OWASP Dependency Check - I got some exact idea from a security hackathon which was organized by Yarl IT hub. Through some previous workouts, I have some better knowledge about the dependency checking with OWASP.
>
> - OWASP ZAP - I haven't used it for my projects, but I have some basic understanding about this dynamic security analysis method and I will try to get familiar with this tool in the coming days.
>
> - When considering the other technologies, I have a good understanding of Web Services (SOAP and REST), JSP and Docker (I haven't used docker a lot, but can learn as soon as possible).
>
> As I am already familiar with a few of these technologies, I believe by contributing to this project, I can learn more about Security automation and Security testing.
>
> I have already started looking into the work that has already been done in this domain using the materials you have already shared. To continue the work and get a clear understanding about the project I need your guidance to develop my idea on a large scale.
>
> I have prepared an idea for the Project according to the proposal description. I would like to express part of my idea here.
>
> The Project is going to be a Security Testing environment for the developers, which will take the source code as the input and do all the 3 types of security testing in parallel or sequentially. This environment will be configured inside docker and the developer should be able to spawn the docker instances whenever required and do the needed testing.
>
> Here, I have shown a GUI, which will take the github repository URL as the input to the Security testing environment; the developer can choose the testing that needs to be done.
>
> - In a github repository, there will be lots of changes happening every day; anyway the developers need to run the Security testing for all the changes before commits. But, I have one problem here,
>
> (1) as we are going to develop this as a security automation tool, is the expectation to build the tool so it could automatically get triggered once the commit/merge is done?
>
> - I have drawn a sample system diagram for the process. It would be great if you could confirm the expected implementation should be as below
>
> [image: A.png]
>
> I have mentioned my exact idea about the project domain. As I mentioned, I need your guidance to move forward; also I am planning to focus on docker as I'm not much familiar with this topic. Please guide me to move forward successfully.
>
> I will start preparing my proposal once I get a clear picture about the project idea.
>
> Thank you for your valuable time and considerations.
>
> Regards,
> Suthagar.
>
> --
> KAILAYAPATHY SUTHAGAR
> Undergraduate,
> Department of Computer Science & Engineering, University of Moratuwa, Sri Lanka.
> Address : 154/2, Navalar Road, Jaffna
> Mobile : 077 9543968
> Email : [email protected] | [email protected]
> LinkedIn : http://www.linkedin.com/in/ksuthagar

--
Prakhash Sivakumar
Software Engineer | WSO2 Inc
Platform Security Team
Mobile : +94771510080
Blog : https://medium.com/@PrakhashS
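Prakhash's reply above points out that a fully automated ZAP scan inside a container has nobody to click through the application first, so the URL tree ZAP scans from has to be built by crawling inside the image. The following is an added example, not code from this thread, from WSO2 or from ZAP: it shows the shape of that step with an in-process breadth-first crawler that stays on the start host, strips fragments, de-duplicates, and folds the discovered URLs into a ZAP-style site tree. `SAMPLE_SITE` and `fetch_sample` are constructed stand-ins for real HTTP responses; inside the container the same role would be played by HTTP requests (or by ZAP's own spider driven through its API).

```python
"""Build a ZAP-style URL tree by crawling constructed sample pages.

Added example, not part of the mailing-list thread or of the WSO2/ZAP code base.
SAMPLE_SITE and fetch_sample are assumptions that stand in for a live target.
"""
from collections import deque
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin, urlparse

# Constructed in-memory "site": URL -> response body (demo assumption only).
SAMPLE_SITE = {
    "http://app.local/": (
        '<a href="/login">Login</a> <a href="/docs/">Docs</a> '
        '<a href="http://evil.example/x">external</a> <a href="/login#top">dup</a>'
    ),
    "http://app.local/login": '<form action="/api/session" method="post"></form><a href="/">home</a>',
    "http://app.local/docs/": '<a href="/docs/guide">guide</a> <a href="/docs/guide?page=2">page 2</a>',
    "http://app.local/docs/guide": "<p>no links here</p>",
    "http://app.local/docs/guide?page=2": "<p>no links here either</p>",
    "http://app.local/api/session": '{"error": "unauthenticated"}',
}


def fetch_sample(url):
    """Stand-in for an HTTP GET: returns the body, or None for unknown URLs."""
    return SAMPLE_SITE.get(url)


class LinkExtractor(HTMLParser):
    """Collects href targets of <a>/<link> and action targets of <form>."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("a", "link", "form"):
            return
        wanted = "action" if tag == "form" else "href"
        for name, value in attrs:
            if name == wanted and value:
                self.links.append(value)


def crawl(start_url, fetch, max_depth=3, max_pages=200):
    """Breadth-first crawl limited to the start host.

    Returns (in_scope, out_of_scope): sorted, de-duplicated URLs with fragments
    removed. Off-host links are recorded but never fetched, so the scan cannot
    wander onto hosts the developer did not ask to test.
    """
    host = urlparse(start_url).netloc
    start_url = urldefrag(start_url)[0]
    seen = {start_url}
    external = set()
    queue = deque([(start_url, 0)])
    while queue and len(seen) <= max_pages:
        url, depth = queue.popleft()
        body = fetch(url)
        if body is None or depth >= max_depth:
            continue  # unreachable page, or depth budget spent: keep URL, stop expanding
        parser = LinkExtractor()
        parser.feed(body)
        for link in parser.links:
            absolute = urldefrag(urljoin(url, link))[0]
            if urlparse(absolute).netloc != host:
                external.add(absolute)
            elif absolute not in seen:
                seen.add(absolute)
                queue.append((absolute, depth + 1))
    return sorted(seen), sorted(external)


def build_url_tree(urls):
    """Nest URLs into a dict tree keyed by path segment; query strings become leaves."""
    tree = {}
    for url in urls:
        parts = urlparse(url)
        node = tree.setdefault(f"{parts.scheme}://{parts.netloc}", {})
        for segment in [s for s in parts.path.split("/") if s]:
            node = node.setdefault(segment, {})
        if parts.query:
            node.setdefault("?" + parts.query, {})
    return tree


def render_tree(tree, indent=0):
    """Indented text rendering, similar to what ZAP shows in its Sites tab."""
    lines = []
    for name in sorted(tree):
        lines.append("  " * indent + name)
        lines.extend(render_tree(tree[name], indent + 1))
    return lines


if __name__ == "__main__":
    in_scope, out_of_scope = crawl("http://app.local/", fetch_sample)
    print("\n".join(render_tree(build_url_tree(in_scope))))
    print("skipped (out of scope):", out_of_scope)
```

The depth and page limits are the knobs that keep an unattended crawl from running for the days Prakhash mentions; the host check is what keeps a containerised scanner from following a link off the system under test. Swapping `fetch_sample` for a real HTTP client turns this into the seeding step that runs before ZAP's active scan.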
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
