Application Security Workflow Automation using Docker and Kubernetes
This project contains a proof-of-concept implementation of a solution consisting of scripts, a Dockerfile, Kubernetes deployment specs, etc. that together deploy a system that can:
- Orchestrate 3rd party security tools
- Transform tool output (JSON) and generate event triggers
- Expose API endpoints to submit input and collect aggregated results
- Try out the solution by following this document
- Read the Internals doc to get an idea of data schema etc.
- Read the Development doc to get an idea on local setup for development.
- Refer to Tasks
- Kubernetes cluster
- kubectl (configured to use cluster)
- helm
git clone https://github.com/appsecco/kubeseco
cd kubeseco
Ensure kubectl is configured to use the Kubernetes cluster where you want to deploy the setup. Execute the following script to set up the cluster.
./setup.sh
Refer to the Under The Hood section in this document for details on what the script does.
To set up a Kubernetes cluster in Google Cloud and configure kubectl, refer to the cluster_create_gcp.sh script in this repository.
GCP_PROJECT=<Your-Project-Name> ./cluster_create_gcp.sh
kubectl port-forward service/api-service 3000
curl -H "Content-Type: application/json" \
-d '{"asset_type":"domain", "asset_value":"example.com"}' \
http://localhost:3000/scans
curl http://localhost:3000/scans/:scan_id
:scan_id is obtained after a successful scan submission.
- NATS
- Minio
- API Service
- Feedback Processor
- Security Tools (Containers)
- The API service exposes an HTTP endpoint to submit a scan
- On submission, it pushes the input to NATS
- Security Tools listening on the corresponding NATS topic are triggered
- Output is stored in Minio
- Output JSON is processed by the Feedback Processor to generate new input (feedback loop)
Minio
- Identify a security tool that produces JSON output
- Write a Dockerfile to package the security tool as a container
- Include Tool Adapter as the entrypoint program for the container
- Push the Docker image to your preferred registry
- Write a Kubernetes deployment spec (YAML)
- Deploy to Kubernetes
- (Optional) Write a rule to process tool output JSON and generate a feedback event
- (Optional) Update feedback-processor in the cluster
- No state management
  - There is no way to know when all activities of a scan are finished
- Bulk input
  - The system supports sending single input events to each security tool, for example 1 domain/url/host instead of an array of inputs
- Topic persistence
  - All inputs are lost if the Pod (Security Tool) processing the input is evicted/killed
- No de-duplication
  - Different security tools may produce overlapping results. There is no common data schema or parsing of the JSON output produced by individual security tools.
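
A feedback rule of the kind the optional steps above call for, with the de-duplication the limitations list says the system lacks, written as an added Python example that is not part of the kubeseco code. The tool output schema (`scan_id`, `asset_value`, `subdomains`), the function names and the in-scope check are assumptions; the project's real schema is described in its Internals doc.

```python
import json

# Constructed sample: output of a hypothetical subdomain-enumeration tool.
# Field names are assumptions, not the project's schema.
SAMPLE_TOOL_OUTPUT = json.dumps({
    "scan_id": "demo-scan-1",
    "asset_value": "example.com",
    "subdomains": ["www.example.com", "API.example.com.", "www.example.com",
                   "cdn.example.net", "notexample.com", "example.com", ""],
})


def normalize(host):
    """Lower-case and strip whitespace and the trailing root dot."""
    return host.strip().rstrip(".").lower()


def in_scope(host, root):
    """True only for the root domain itself or a name beneath it."""
    return host == root or host.endswith("." + root)


def feedback_events(raw_json, seen):
    """Turn one tool result into single-asset input events.

    `seen` is a set of (scan_id, asset_value) pairs shared across calls, so
    a host reported by several tools is queued once per scan.
    """
    doc = json.loads(raw_json)
    scan_id, root = doc["scan_id"], normalize(doc["asset_value"])
    seen.add((scan_id, root))  # the asset already scanned is not re-queued
    events = []
    for host in doc.get("subdomains", []):
        if not isinstance(host, str):
            continue
        host = normalize(host)
        key = (scan_id, host)
        if not host or not in_scope(host, root) or key in seen:
            continue  # empty, outside the submitted domain, or a duplicate
        seen.add(key)
        # Same input shape the page submits to /scans: one asset per event.
        events.append({"asset_type": "domain", "asset_value": host})
    return events


if __name__ == "__main__":
    seen = set()
    print(feedback_events(SAMPLE_TOOL_OUTPUT, seen))
    print(feedback_events(SAMPLE_TOOL_OUTPUT, seen))
```

Because the feedback loop generates new scan input on its own, the scope check keeps it from queuing hosts outside the domain that was submitted, and the `seen` set keeps overlapping tool results from re-triggering the same scan.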