Contains the materials used for the blog post about possible validations after a web app deployment.
The folder app contains the NodeJS sample application against which all post-deployment validations are applied.
Use the commands below to start the app; it will be accessible on http://localhost:5000:
$ cd app
$ npm install
$ npm start
Listening on 5000
...
This Dockerfile provides a dedicated ephemeral docker image that can be used to run the presented post-deployment security validations (and other ones). The objective is to avoid overloading the CI/CD build agent with tools and also to avoid tool version conflicts.
The folder /share inside the image is present to allow data sharing between the container and the host.
Use the following commands to use the image:
# Build the image
$ docker build -t excellium/toolbox .
# Instantiate a temporary container to run a validation leveraging tools inside the box
$ docker run --rm -v "/host_share_folder:/share" -i -t excellium/toolbox /bin/bash /home/validator/testssl/testssl.sh https://myapp.com
$ docker run --rm -v "/host_share_folder:/share" -i -t excellium/toolbox /home/validator/venom run /share/recipe.yml
# Instantiate a temporary container to have a shell into it
$ docker run --rm -v "/host_share_folder:/share" -i -t excellium/toolbox /bin/bash
- Folder docs: Contains an example of HTML report (generated using the aha tool) of the validations for the sample application.
- Folder post: Contains pictures used for the blog post.
- File validate.sh: Shell script of a POC containing all post-deployment security validations proposed in the blog post. It is executed by this workflow.
- File recipe.yml: venom test plan to demonstrate a migration from a shell script to a descriptive test plan of the shell script above.
- File content_excluded_from_deployment.txt: Dictionary of files not expected to be present on the deployed application, used by the validate.sh shell script.
- File validate_cookie_properties.py: Python3 script performing validation on the cookies present in an HTTP response.
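As an added illustration of the kind of cookie check such a post-deployment validation performs (example code written for this README, not the repository's validate_cookie_properties.py), the script below parses Set-Cookie header values and reports cookies missing the Secure or HttpOnly attribute or lacking a Strict/Lax SameSite policy. The required attribute set and the sample headers are assumptions constructed for the example.

```python
"""Check security attributes of cookies set by a deployed web app.

Added example, not the repository's validate_cookie_properties.py: it
applies a post-deployment check to raw Set-Cookie header values.
"""
from typing import Dict, List

# Attributes every cookie is expected to carry after deployment (assumed policy).
REQUIRED_FLAGS = ("secure", "httponly")
ALLOWED_SAMESITE = ("strict", "lax")


def parse_set_cookie(header_value: str) -> Dict[str, str]:
    """Split one Set-Cookie value into {'name', 'value', attribute: value}.

    Attribute names are lower-cased; flag attributes without a value
    (Secure, HttpOnly) are stored as "" so presence can be tested with `in`.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    cookie = {"name": name.strip(), "value": value.strip()}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        cookie[key.strip().lower()] = val.strip()
    return cookie


def validate_cookie(header_value: str) -> List[str]:
    """Return the findings for one Set-Cookie header; an empty list means OK."""
    cookie = parse_set_cookie(header_value)
    findings = []
    for flag in REQUIRED_FLAGS:
        if flag not in cookie:
            findings.append(f"{cookie['name']}: missing {flag} attribute")
    samesite = cookie.get("samesite", "<absent>").lower()
    if samesite not in ALLOWED_SAMESITE:
        findings.append(f"{cookie['name']}: SameSite must be Strict or Lax (got {samesite})")
    return findings


def validate_response_cookies(set_cookie_headers: List[str]) -> List[str]:
    """Validate every Set-Cookie header of a response; an empty list means pass."""
    findings: List[str] = []
    for header in set_cookie_headers:
        findings.extend(validate_cookie(header))
    return findings


# Constructed sample headers standing in for a real HTTP response.
SAMPLE_HEADERS = [
    "connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=Strict",
    "lang=en; Path=/",
    "csrf=tok123; Path=/; Secure; SameSite=None",
]

if __name__ == "__main__":
    for finding in validate_response_cookies(SAMPLE_HEADERS):
        print("FAIL", finding)
```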