DevSecOps Lab
Key Tasks to Complete
1. Add CI/CD Variable APP_URL
- On the left-hand sidebar navigate to Settings -> CI/CD
- Scroll down and expand Variables
- Click Add variable
- Enter APP_URL as the Key, paste the HTTP URL we copied locally earlier as the Value, ensure Protect variable is not selected, and finally click Add variable
2. Adding Policy Management
- On the left-hand navigation menu hover over/click Security & Compliance, then on the resulting menu click Policies
- On the resulting policy page click New Policy
- On the Choose a policy type menu, within the Scan result policy section, click Select policy
- You should now be on the Policy details page. Enter Require_Approval as the Name and "Requires approval for any vulnerability!" as the Description, then make sure that Policy status is checked.
- Scroll down to the Rules section. For the scanners and severity dropdowns (which default to Container Scanning and Critical) make sure Select All, or every individual option, is selected in each, so the policy covers every scanner and every severity.
- Then under Actions (you may have to scroll again), in Search users or groups, enter the id provided by your instructor.
- At the end of the form click Configure with a merge request
- On the resulting page click Merge
3. Adding an Issue and Linked Merge Request
- Using the breadcrumbs at the top of the page click your group name to be brought to the group page. Next click the DevSecOps Workshop 2022 project to be brought back into your project.
- Make sure this step lands you in your own project and not in the security policy project that the previous step created.
- On the left-hand navigation menu click Issues, then on the following screen click New Issue
- In the Title field name the issue "Add a new route & security testing to the api", provide a description, and finally click Create Issue
- On the Issue screen click Create Merge Request, then click it again on the following page
- Click Mark as ready, then click Open in Web IDE
4. Edit .gitlab-ci.yml File
- Open the .gitlab-ci.yml file
- Feel free to use the gitlab-ci-reference.yml file to compare against the changes you are making to the .yml file
- Add these 6 key/value pairs to the variables section of the .yml:

    variables:
      # Variables for DAST scanning
      DAST_WEBSITE: $APP_URL
      DAST_FULL_SCAN_ENABLED: "true"
      DAST_BROWSER_SCAN: "true"
      # Fuzzing Variables
      FUZZAPI_PROFILE: Long-100
      FUZZAPI_OPENAPI: test_openapi.v2.0.json
      FUZZAPI_TARGET_URL: $APP_URL

- Also add test, cfuzz, dast and fuzz to the stages section of the .yml, so that it reads:

    stages:
      - build
      - unit
      - test
      - cfuzz
      - review
      - staging
      - canary
      - production
      - dast
      - fuzz
      - incremental rollout 10%
      - incremental rollout 25%
      - incremental rollout 50%
      - incremental rollout 100%
      - cleanup

- Include the following templates in the include section of the .yml:

    include:
      # adding the various security templates needed for our out of the box solution
      - template: Security/SAST.gitlab-ci.yml
      - template: Security/Dependency-Scanning.gitlab-ci.yml
      - template: Security/License-Scanning.gitlab-ci.yml
      - template: Security/Container-Scanning.gitlab-ci.yml
      - template: Security/Secret-Detection.gitlab-ci.yml
      - template: Code-Quality.gitlab-ci.yml
      - template: Security/DAST.latest.gitlab-ci.yml
      # adding fuzz templates
      - template: Coverage-Fuzzing.gitlab-ci.yml
      - template: API-Fuzzing.gitlab-ci.yml

- Add the gemnasium-python-dependency_scanning job to the bottom of the file. Because it has the same name as the job defined in the Dependency-Scanning template, these keys are merged into that job, so the before_script installs the system libraries the scanner needs when it installs the project's Python requirements:

    gemnasium-python-dependency_scanning:
      before_script:
        - apt update
        - apt install libmariadb3 libmariadb-dev sqlite3 libsqlite3-dev -y

- Add the my_fuzz_target job right below the gemnasium-python-dependency_scanning job we just added:

    my_fuzz_target:
      image: python:latest
      variables:
        COVFUZZ_PROJECT_PATH: $CI_PROJECT_URL
      extends: .fuzz_base
      stage: cfuzz
      script:
        - pip install --extra-index-url https://gitlab.com/api/v4/projects/19904939/packages/pypi/simple pythonfuzz
        - ./gitlab-cov-fuzz run --engine pythonfuzz -- fuzz.py
5. Update Dockerfile, requirements.txt, & more!
- Select the Dockerfile and change the first line from FROM python:3 to FROM python:3.7. Reference Snippets -> vulnerable_Dockerfile.txt if you get stuck.
- Select requirements.txt and add django==2.0.0 to the end of the list. Reference Snippets -> vulnerable_requirements.txt if you get stuck.
- Select fuzz.py and first add the line below to the top of the file:

    from html.parser import HTMLParser

- Then replace pass in the fuzz function on line 6 with the code below. The except clause stops the fuzzer from reporting non-ASCII inputs as crashes, so only failures inside HTMLParser count:

    try:
        string = buf.decode("ascii")
        parser = HTMLParser()
        parser.feed(string)
    except UnicodeDecodeError:
        pass

- Select test_openapi.v2.0.json and on line 8 locate the "APP_URL" string. Replace it with the URL we copied earlier, but this time without the http(s):// scheme.
- Then navigate to notes -> routes.py and add the code snippet below to the end of the file. Reference Snippets -> vulnerable_routes.txt if you get stuck. This route is intentionally insecure (an unvalidated id parameter, a chmod with a hard-coded permission mask, and raw exception text returned to the caller) so that the scanners added in step 4 have findings to report:

    @note.route('/get-with-vuln', methods=['GET'])
    def get_note_with_vulnerability():
        id = request.args.get('id')
        conn = db.create_connection()
        f = open("danger_zone.txt", "w")
        f.write("Add some text")
        f.close()
        os.chmod("danger_zone.txt", 777)
        with conn:
            try:
                return str(db.select_note_by_id(conn, id))
            except Exception as e:
                return "Failed to delete Note: %s" % e

- Lastly in run.py on line 6 we want to add the line below, a hard-coded credential for Secret Detection to flag. Reference Snippets -> vulnerable_run.txt if you get stuck:

    aws_key_id = "AKIAIOSF0DNN7EXAMPLE"
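For comparison, here is a hardened counterpart of the /get-with-vuln route from step 5, added as an example that is not part of the workshop project. It replaces the lab's db module with a constructed in-memory sqlite3 table, so create_connection, select_note_by_id, parse_note_id, write_private_file and get_note are names introduced for this example only.

```python
# Added example (not from the workshop repository): a hardened counterpart of the
# lab's deliberately vulnerable /get-with-vuln route. The lab's db module is
# replaced by an in-memory sqlite3 table, so create_connection() and
# select_note_by_id() below are stand-ins that only mirror the lab's names.
import os
import re
import sqlite3
import stat
import tempfile

def create_connection():
    """Constructed notes table standing in for the lab's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO notes VALUES (?, ?)", [(1, "first"), (2, "second")])
    return conn

def select_note_by_id(conn, note_id):
    # Parameterised query: the id value never becomes part of the SQL text.
    row = conn.execute("SELECT body FROM notes WHERE id = ?", (note_id,)).fetchone()
    return row[0] if row else None

def parse_note_id(raw):
    """Accept only ASCII digits; anything else is rejected before it reaches the DB."""
    if raw is None or not re.fullmatch(r"[0-9]+", raw):
        raise ValueError("id must be a decimal integer")
    return int(raw)

def write_private_file(text, path=None):
    """Owner-only file instead of the lab's os.chmod(path, 777). Note that decimal
    777 is 0o1411 (sticky bit, r--, --x, --x), not even the 0o777 presumably meant;
    stat.S_IMODE(777) == 0o1411. Returns the mode actually set on disk."""
    if path is None:  # default to a throwaway location for the demo/test
        path = os.path.join(tempfile.mkdtemp(), "danger_zone.txt")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(text)
    os.chmod(path, 0o600)  # enforce the mode even if the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)

def get_note(raw_id):
    """Return (status, body) as the route would, without echoing exception text."""
    try:
        note_id = parse_note_id(raw_id)
    except ValueError:
        return 400, "invalid id"
    conn = create_connection()
    with conn:
        body = select_note_by_id(conn, note_id)
    return (200, body) if body is not None else (404, "note not found")
```

Running both versions through the same SAST job is a quick way to see which of the lab's findings disappear once the id is validated, the file mode is fixed and exception text is no longer returned.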
6. Commit Changes
- On the left side menu click Commit
- Select the branch related to our previously created MR and add a short commit message
- Click Commit to commit the new code
- Your instructor will now show slides on shifting left