Skinner is an evolving framework that intends to integrate security tests into DevOps, a trend variously called SecOps, DevSecOps, Continuous Security, Test Driven Security or other names. With a minimal configuration applied by developers, it checks and tests the application after each commit/push.
Skinner bonds different technologies together. Written in Python, it runs on Gitlab CI and works with Selenium and Burp Suite Pro to automate security testing and find low-hanging fruit as fast as possible in the pipeline, with minimum interaction by developers. This way "easy to find" problems get fixed at early stages of development and the security team can focus on bigger, harder-to-find problems.
Skinner tries to add a security aspect to the everyday development life cycle. It tests only the portion of the application that has just changed, so it can be fast, and it creates a new Gitlab issue for worthwhile findings. It's developer friendly!
The aim is to run everything automatically after a push and receive a full report and new Gitlab tickets for critical security issues.
The main script (Skinner) is installed and run in the Gitlab CI pipeline.
At the minimum test case configuration, we have 3 stages:
- unittest
- deploy
- securitytest
Skinner's place in the CI/CD life cycle is after staging deployment and before production deployment and delivery. It can run for the master branch or other branches at any step of development, depending on infrastructure decisions and needs.
Services are as follows:
- Gitlab CI pipeline, running the stages that contain the Selenium instructions, the deploy stage and the security stage running Skinner.
- Deployment server (deploy.intra).
- Selenium server (selenium.intra).
- Burp Suite Pro API server (burp.intra).
CI runs all the normal PHP unit tests and also the Selenium instructions, which in this case can be found in security_test.t.php. We use the Facebook PHP Selenium WebDriver; it connects to selenium.intra and browses through different pages of the application (login, etc.). Because the Selenium browser's proxy is configured to use Burp Suite (burp.intra), the requested traffic is proxied through it, so the browsed addresses end up in the Burp Suite history and are added to the scan scope by Skinner at the securitytest stage.
The deploy stage connects to deploy.intra and pulls the latest changes.
The securitytest stage runs the Skinner script. Skinner connects to burp.intra via the Burp Suite Pro API, configures it, manages the scope and starts the scan. Status can be monitored via the Gitlab CI web console; after the scan Skinner lists all the issues found, sends the issue list and report to the Mattermost channel (Burp Scan Reports) and creates a new Gitlab ticket for "High Severity" issues containing all the details and the full report.
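As an added example, not Skinner's own code (this README does not include it), here is a Python sketch of what the securitytest stage does against burp.intra: read the proxy history the Selenium stage produced, restrict it to the staging host, add the browsed URLs to scope, start active scans, poll until the scan reaches 100 %, collect the issues and keep only the High severity ones for the Gitlab ticket. The burp-rest-api endpoint paths, query parameters and JSON keys used here (`/burp/proxy/history`, `/burp/target/scope`, `/burp/scanner/scans/active`, `/burp/scanner/status`, `/burp/scanner/issues`, `messages`, `scanPercentage`, `issues`) are my assumptions about vmware/burp-rest-api; port 8090 is taken from the local setup note in this README; the history entries and scanner results are constructed so the whole flow runs without a Burp server.

```python
import io
import json
import time
import urllib.parse
import urllib.request


class BurpClient:
    """burp-rest-api wrapper; paths, params and JSON keys are assumptions about vmware/burp-rest-api."""

    def __init__(self, base="http://burp.intra:8090", opener=urllib.request.urlopen):
        self.base, self.opener = base, opener  # opener is injectable for offline runs

    def _call(self, method, path, **params):
        url = self.base + path + ("?" + urllib.parse.urlencode(params) if params else "")
        with self.opener(urllib.request.Request(url, method=method)) as resp:
            return json.loads(resp.read() or b"{}")

    def proxy_history(self):
        return self._call("GET", "/burp/proxy/history").get("messages", [])

    def add_to_scope(self, url):
        self._call("PUT", "/burp/target/scope", url=url)

    def start_active_scan(self, url):
        self._call("POST", "/burp/scanner/scans/active", baseUrl=url)

    def scan_percentage(self):
        return int(self._call("GET", "/burp/scanner/status").get("scanPercentage", 0))

    def issues(self, url_prefix):
        return self._call("GET", "/burp/scanner/issues", urlPrefix=url_prefix).get("issues", [])


def browsed_urls(history, staging_host):
    """Distinct scheme://host/path targets from the proxy history, staging host only (no third-party hosts)."""
    targets = []
    for msg in history:
        url = "%s://%s%s" % (msg["protocol"], msg["host"], msg["path"])
        if msg["host"] == staging_host and url not in targets:
            targets.append(url)
    return targets


def ticket_body(issues):
    """Gitlab issue description: one section per Burp issue name, URLs deduplicated."""
    by_name = {}
    for issue in issues:
        by_name.setdefault(issue["issueName"], set()).add(issue["url"])
    lines = []
    for name in sorted(by_name):
        lines += ["## " + name] + ["- " + u for u in sorted(by_name[name])] + [""]
    return "\n".join(lines)


def run_security_stage(client, staging_host, poll_seconds=5, timeout_seconds=3600):
    """The securitytest stage: scope from history, scan, wait, collect, keep High only."""
    targets = browsed_urls(client.proxy_history(), staging_host)
    if not targets:
        raise RuntimeError("empty proxy history: did the Selenium stage go through burp.intra?")
    for url in targets:
        client.add_to_scope(url)
        client.start_active_scan(url)
    deadline = time.monotonic() + timeout_seconds
    while client.scan_percentage() < 100:
        if time.monotonic() > deadline:
            raise TimeoutError("Burp scan did not finish within the stage timeout")
        time.sleep(poll_seconds)
    found = [issue for url in targets for issue in client.issues(url)]
    return targets, [i for i in found if i.get("severity") == "High"]


FAKE_HISTORY = [  # constructed: what the Selenium stage would leave in Burp's proxy history
    {"protocol": "http", "host": "deploy.intra", "path": "/installations"},
    {"protocol": "http", "host": "deploy.intra", "path": "/installations"},
    {"protocol": "http", "host": "deploy.intra", "path": "/login"},
    {"protocol": "https", "host": "cdn.example", "path": "/lib.js"},  # third party, stays out of scope
]
FAKE_ISSUES = [  # constructed scanner results
    {"issueName": "SQL injection", "severity": "High", "url": "http://deploy.intra/installations"},
    {"issueName": "Cross-site scripting (reflected)", "severity": "High", "url": "http://deploy.intra/login"},
    {"issueName": "Cookie without HttpOnly flag set", "severity": "Low", "url": "http://deploy.intra/login"},
]
FAKE_STATE = {"polls": 0}


def fake_opener(req):
    """Stand-in for urllib.request.urlopen that answers with the constructed data above."""
    parsed = urllib.parse.urlparse(req.full_url)
    if parsed.path == "/burp/scanner/status":
        FAKE_STATE["polls"] += 1  # 50 % on the first poll, 100 % from the second on
    prefix = urllib.parse.parse_qs(parsed.query).get("urlPrefix", [""])[0]
    canned = {
        "/burp/proxy/history": {"messages": FAKE_HISTORY},
        "/burp/scanner/status": {"scanPercentage": min(100, 50 * FAKE_STATE["polls"])},
        "/burp/scanner/issues": {"issues": [i for i in FAKE_ISSUES if i["url"].startswith(prefix)]},
    }
    return io.BytesIO(json.dumps(canned.get(parsed.path, {})).encode())
```

To try it offline, call `run_security_stage(BurpClient(opener=fake_opener), "deploy.intra", poll_seconds=0)` and pass the returned High issues to `ticket_body`; in the pipeline you would use `BurpClient()` with the real `urlopen`. Two points worth keeping in a real implementation: the host filter in `browsed_urls`, so that third-party hosts the browser touched never get scanned, and the timeout on the polling loop, so that a stuck scan fails the stage instead of hanging the runner.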
In the most basic use case a developer only needs to specify the addresses that need to be scanned in the Selenium test file (security_test.t.php):
```php
$driver->get('http://deploy.intra/installations');
```
If login is needed to browse restricted pages:
```php
use Facebook\WebDriver\WebDriverBy;
use Facebook\WebDriver\WebDriverKeys;

$driver->get('http://deploy.intra');
$targetUsername = 'elias@viidakko.fi';
$targetPassword = 'tropiikki';
// type into the located field rather than into whatever element happens to have focus
$element = $driver->findElement(WebDriverBy::name('login'));
$element->sendKeys($targetUsername);
$driver->getKeyboard()->pressKey(WebDriverKeys::ENTER);
$element = $driver->findElement(WebDriverBy::name('password'));
$element->sendKeys($targetPassword);
$driver->getKeyboard()->pressKey(WebDriverKeys::ENTER);
```
- Make sure the deploy server has the latest changes published (deploy.intra) and that selenium.intra and burp.intra are reachable
- Add Facebook php WebDriver to your project
- Write the Selenium test file
- Update gitlab-ci.yml to contain the deploy and securitytest stages
- Skin your app alive! xD
Build vmware's burp-rest-api; for this you need a Burp Suite Pro license.
After building burp-rest-api.jar and running it, you can access the API endpoints via http://localhost:8090/swagger-ui.html
PS: this will change when the official Burp Suite API is released.
docker run -d -p 4444:4444 selenium/standalone-chrome
You can access Selenium from a browser via http://localhost:4444/wd/hub/static/resource/hub.html
The application should be accessible with a browser; using Platform and Environments is preferred.
Contains the application username and password for Selenium authentication. The Mattermost and Gitlab info can also be changed here.
For local development, the Selenium instructions can be found in the traffic.py file (the function call and import lines need to be uncommented in main.py).
- Start/stop/reset Burp with the script
- Manage Burp configuration
- Burp with Selenium, requires writing Selenium test cases
- Filter out only critical issues for the Gitlab issue
- Add issues to Gitlab after the scan
- Better logs and a Gitlab CI compatible progress bar
- Publish Skinner and proxyplugin.zip packages for Debian
- Handle the Burp job queue
- Add issues and scans to a database for false positive checks and security intelligence (issueId, scanId)