In a previous post, I explained the quick wins available when adding more security within your organisation.
In this post, I will go through the whole process of adding a Static Application Security Testing (SAST) tool to your pipeline in order to scan your code for security vulnerabilities.
That software is Checkmarx.
1. What is Checkmarx?
Checkmarx is an Application Security Testing and Static Code Analysis solution.
It scans source code, identifies security vulnerabilities within it, and provides remediation guidance with sample code.
Features include:
- Static Application Security Testing
- Dependency Scanning
- Interactive Application Security Testing
- Runtime Application Security Testing.
Checkmarx in a Software Development Lifecycle
Compared to other similar security tools, Checkmarx is flexible, integrates with other popular CI/CD tools, and supports a wide range of programming languages.
On the flip side, as enterprise-level software, it is not cheap.
2. What is the Process?
To get the most out of software like Checkmarx, you have to automate it within your CI/CD pipeline.
The point is to check the security of all your repositories every time you release something (either a major version or on a more frequent basis).
Nevertheless, remember that this analysis will require work from your teams to triage the identified vulnerabilities and correct them.
So do it at a pace that is sustainable for your team's capacity.
2.1. Analyse the Codebase Locally on your Computer
- Download the repository (or repositories)
- Start a scan using the Checkmarx Command Line Interface
- Check the scan result on the Checkmarx interface
2.2. Analyse the Codebase within your CI/CD Pipeline
I assume you are using Jenkins for your CI/CD pipeline.
- A hook on Jenkins starts a script
- That script downloads the repository
- That script starts a scan on the downloaded repository
- That script alerts if something went wrong during the scan (through return code)
- Checkmarx alerts on the scan result
You can use the following tool to mass-clone the repositories onto your machine:
Shosta / DLBitbucketRepos: Download all the repositories that you can access on Bitbucket to easily statically analyze their security and check for data leakage.
This program is made to clone all the repositories that you have on Bitbucket at once. It is very useful if you want to statically analyze the code from a security perspective, for instance.
You can look for certificate files and leaked information (like passwords, logins, keys, etc.).
More than that, you can look in the git history for information that was leaked in the past, even if it is no longer present in the current code.
3. How to Use the Checkmarx Command Line Interface?
It is very easy to start a scan from your machine.
Download the Checkmarx CLI plugin from the following links:
Install the Checkmarx CLI plugin ("CxConsolePlugin") in any folder that you feel is appropriate.
Then, to start a scan, you just have to run the runCxConsole.sh script which is inside the "CxConsolePlugin" folder.
CxConsolePlugin usage (note that every location parameter, including -locationbranch, needs its leading dash):
runCxConsole.sh Scan \
  -Projectname "SP/Cx/Engine/AST/SecurityScanTest" \
  -CxServer https://your_url \
  -cxuser "$checkmarxLogin" \
  -cxpassword "$checkmarxAppPassword" \
  -locationtype GIT \
  -locationprivatekey "$locationPrivateKey" \
  -locationurl "$locationUrl" \
  -locationbranch "$locationBranch" \
  -preset All \
  -comment 'Scan de test' \
  -reportpdf ~/SecurityScanTest.pdf
3.1. Good Security Practices
As you can see in the command above, at some point you have to fill in your Checkmarx login and password (-cxuser and -cxpassword).
It is good security practice to never write your password in clear text in your terminal,
because anyone (or any malware) can simply read your command-line history and find your password in plain text.
Learning by doing.
Try pressing ctrl+r in your terminal and then search for git clone.
Or you can try history | grep "git clone" (as passwords frequently leak through git commands).
That is why you MUST never enter your password on the command line: anyone who can read your history can then access it.
To avoid leaking passwords into the terminal history, I developed a short script that starts a Checkmarx scan using its CLI plugin.
You can find it in the following GitHub repository (feel free to fork it and improve it).
Shosta / CheckmarxAutomation: How to Automate Checkmarx Scans
Script usage:
./CheckmarxAutomation.sh -h
usage: CheckmarxAutomation
[[-u|--cxuser] <username>] Your Login on Checkmarx
[-h|--help]
Using it:
./CheckmarxAutomation.sh -u remi
Please, Fill in your Checkmarx Password :
That way, your password is not going to leak into your terminal history.
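As an added example (not the post's own script and not the code of the CheckmarxAutomation repository), here is a POSIX shell wrapper that ties the pipeline steps of section 2.2 to the password handling of section 3.1: the password comes from a CX_PASSWORD environment variable (as a Jenkins credentials binding would set it) or from a silent prompt, never from a command-line argument, and the CLI's exit status is passed back so the Jenkins job fails when the scan does. It assumes runCxConsole.sh is on PATH or named by CX_CONSOLE, that the repository is fetched by the CLI's own GIT location type rather than by a separate clone step, and uses the flag names shown in the command above; the CX_CONSOLE and CX_SERVER variable names and the file name cx_scan.sh are assumptions for this example.

```shell
#!/bin/sh
# Added example, not from the post nor from the CheckmarxAutomation repository:
# a wrapper around the Checkmarx CLI plugin that takes the password from the
# CX_PASSWORD environment variable (a Jenkins credentials binding in CI) or
# from a silent prompt, never from a command-line argument, so it does not
# end up in the shell history. Flag names are the ones shown in the post;
# CX_CONSOLE and CX_SERVER are assumed names for this example.
set -eu

CX_CONSOLE="${CX_CONSOLE:-runCxConsole.sh}"   # path to the CLI plugin script
CX_SERVER="${CX_SERVER:-https://your_url}"     # Checkmarx server URL

# Print the password on stdout without it ever appearing on a command line.
get_password() {
    if [ -n "${CX_PASSWORD:-}" ]; then
        printf '%s' "$CX_PASSWORD"
        return 0
    fi
    if [ ! -t 0 ]; then
        echo "CX_PASSWORD is not set and there is no terminal to prompt on" >&2
        return 1
    fi
    printf 'Please fill in your Checkmarx password: ' >&2
    stty -echo                      # silent prompt: nothing is echoed back
    read -r pw
    stty echo
    echo >&2
    printf '%s' "$pw"
}

# The CLI wants an absolute path for -locationprivatekey: expand a leading ~
# and make relative paths absolute (see the SSH key workaround in 3.2).
abs_path() {
    case "$1" in
        '~/'*) printf '%s/%s' "$HOME" "${1#"~/"}" ;;
        /*)    printf '%s' "$1" ;;
        *)     printf '%s/%s' "$(pwd)" "$1" ;;
    esac
}

# Start one scan; returns the CLI's exit status unchanged so a Jenkins job
# calling this script fails when the scan does.
# Arguments: project git-url branch ssh-key user password
run_scan() {
    project="$1"; repo_url="$2"; branch="$3"; key="$4"; user="$5"; password="$6"
    rc=0
    "$CX_CONSOLE" Scan \
        -Projectname "$project" \
        -CxServer "$CX_SERVER" \
        -cxuser "$user" \
        -cxpassword "$password" \
        -locationtype GIT \
        -locationprivatekey "$(abs_path "$key")" \
        -locationurl "$repo_url" \
        -locationbranch "$branch" \
        -preset All \
        -comment "CI scan of $branch" || rc=$?
    if [ "$rc" -eq 0 ]; then
        echo "scan of $project ($branch) submitted"
    else
        echo "scan of $project ($branch) failed with exit code $rc" >&2
    fi
    return "$rc"
}

main() {
    if [ $# -ne 5 ]; then
        echo "usage: $0 <cx-user> <project> <git-url> <branch> <ssh-key>" >&2
        return 2
    fi
    pw="$(get_password)" || return 1
    run_scan "$2" "$3" "$4" "$5" "$1" "$pw"
}

# Run main only when invoked as cx_scan.sh; sourcing the file just defines
# the functions (useful for testing the pieces separately).
case "${0##*/}" in cx_scan.sh) main "$@" ;; esac
```

In Jenkins, bind the Checkmarx credential to CX_PASSWORD and call `./cx_scan.sh "$CX_USER" SP/Cx/Engine/AST/SecurityScanTest git@host:team/repo.git master ~/.ssh/cx_key`; on a workstation, leave CX_PASSWORD unset and the script prompts without echo. The password still reaches the CLI through its -cxpassword flag, so this protects the shell history, not every place a process argument can be observed.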
3.2. Issue Workarounds
1. SSH Private Keys not Found
You are using SSH to connect to your repository, but Checkmarx cannot find the private key, as you can see below:
[2019-09-25 09:42:00,000 FATAL] Command parameters are invalid: Private key file is not found in: ~/.ssh/PrivateKey
If you are using SSH keys to log in to your Git repository (and you should), you MUST give an absolute path in the -locationprivatekey parameter (as the error above shows, ~ is not expanded).
2. Checkmarx Server not Available
The Checkmarx server cannot be reached from your machine, as you can see below:
[2019-09-25 09:42:00,000 ERROR] Failed to validate server connectivity: Cx web service is not available at: https://your_server/
To solve this issue, make sure your proxy allows traffic to the Checkmarx server, and use the server's IP address.
Tell me whether adding this kind of solution is something you are considering.
And if you are already using it, tell me whether you find it useful and whether it improves the security level of your application.
Video produced by Wild & Secure, your consulting firm to all things security and real estate.
If you want to receive weekly quality content about security, subscribe to our newsletter on our website.