Skip to content

Commit

Permalink
Add in an exercises doc that show how to fork the repo for GHAS learning
Browse files Browse the repository at this point in the history
  • Loading branch information
austimkelly committed Jan 10, 2024
1 parent d5d53cc commit 8b1c5ad
Show file tree
Hide file tree
Showing 4 changed files with 84 additions and 11 deletions.
28 changes: 17 additions & 11 deletions README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
# swiss-cheese
🧀🧀 A demo repository of simple OWASP Top 10 type of vulnerabities in Python. Like swiss-cheese, this code is full of holes 🧀🧀
🧀🧀 A demo repository of simple OWASP Top 10 type of vulnerabilities in Python. Like swiss-cheese, this code is full of holes 🧀🧀

![License](https://img.shields.io/github/license/austimkelly/swiss-cheese.svg)
![GitHub Actions](https://github.com/austimkelly/swiss-cheese/workflows/CodeQL/badge.svg)
Expand All @@ -10,12 +10,16 @@

The code samples here here several purposes:

1. For application security and training developers, it's easier to see an exploitable vulnerability in code that you can actually reproduce. Too many times vulnerabilities are too abstract, not reproducible, or reachable thus making alerts largely ignored _en masse_. Capture the Flag (CTF) exercises great and get developers into the offensive mind-set, but they don't fully help developers understand the coding errors thus improving code review quality on PRs.
1. For application security and training developers, it's easier to see an exploitable vulnerability in code that you can actually reproduce. Too many times vulnerabilities are too abstract, not reproducible, nor reachable, thus making alerts largely ignored _en masse_. Capture the Flag (CTF) exercises great and get developers into the offensive mind-set, but they don't fully help developers understand the coding errors which in turn improves code review quality on PRs.
2. Static Application Security Testing (SAST) - SAST tools are notoriously noisy, don't demonstrate reachability, and can't find more complex interactions. SAST tools have their place, but should only be used as a backstop after good design, threat modeling, and peer code reviews. This repository runs Github Advanced Security CodeQL scanner to see how well they do with finding what should be very simple OWASP Top 10 vulnerabilities.
3. AI Assistants, such as Github's CoPilot - Most developers have likely used some kind of LLM (ChatGPT, CoPilot) by this point to generate code. I've also used these examples to have CoPilot do a security analysis of simple programs with simple prompts:
3. Using an AI assistant to help with Security analysis where SAST tooling falls short. SAST tools can't find and fix everything, but some basic prompts can help you find and fix vulnerabilities, such as:
* What security concerns are there in this script?
* How would you recommend fixing vulnerability X?
4. Will ChatGPT generate insecure code and testing techniques which is may deem unethical?
4. Will AI assistants such as ChatGPT & Copilot generate insecure code and testing techniques which it may deem unethical?

## GitHub Advanced Security Exercises

This repository is also used as a training exercise for GitHub Advanced Security (GHAS) features. See [GHAS Exercises](./doc/ghas-exercises.md) for more details.

# Code Authors

Expand Down Expand Up @@ -43,10 +47,12 @@ Follow these steps to install the necessary dependencies for the project:

# Demo Listing & References

* [broken-auth](./broken-auth/) - Demonstrates a session management vulnerability if an attacker get ahold of an authentication session token. See also [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html).
* [idor](./idor/) - Demonstrates broken access control for easily guessable IDs and no authentication. See also [OWASP IDOR](https://owasp.org/www-chapter-ghana/assets/slides/IDOR.pdf).
* [sqli](./sqli/) - Demonstrates standard SQL Injection being able to dump a database from a form field. See also [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection).
* [ssrf](./ssrf/) - Demonstrate a server-side request forgery tricking the app to making an HTTP request to a not-allowed 3rd party domain. See also [OWASP Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery).
* [xss](./xss/) - Demonstrates executing arbitrary javascript inside the application. See also [OWASP Cross Site Scripting](https://owasp.org/www-community/attacks/xss/)
* [secrets](./secrets/) - An example of leaking a secrets file or environment variable configuration. These should all be caught by [Github Secrets Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations). See also [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html).
* [supply-chain](./supply-chain/) - An example of a supply chain vulnerability in log4j. This one is to demonstrate dependency vulnerabilities and a security advisory. There are several OWASP Top 10 here: security misconfiguration, using components with known vulnerabilities, insufficient logging and monitoring. See also [OWASP Supply Chain Vulnerabilities](https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K02-supply-chain-vulnerabilities).
| **Demo Link** | **Description** | **References** |
| --- | --- | --- |
| [broken-auth](./broken-auth/) | Demonstrates a session management vulnerability if an attacker get ahold of an authentication session token. | [OWASP Session Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Session_Management_Cheat_Sheet.html) |
| [idor](./idor/) | Demonstrates broken access control for easily guessable IDs and no authentication. | [OWASP IDOR](https://owasp.org/www-chapter-ghana/assets/slides/IDOR.pdf) |
| [sqli](./sqli/) | Demonstrates standard SQL Injection being able to dump a database from a form field. | [OWASP SQL Injection](https://owasp.org/www-community/attacks/SQL_Injection) |
| [ssrf](./ssrf/) | Demonstrate a server-side request forgery tricking the app to making an HTTP request to a not-allowed 3rd party domain. | [OWASP Server Side Request Forgery](https://owasp.org/www-community/attacks/Server_Side_Request_Forgery) |
| [xss](./xss/) | Demonstrates executing arbitrary javascript inside the application. | [OWASP Cross Site Scripting](https://owasp.org/www-community/attacks/xss/) |
| [secrets](./secrets/) | An example of leaking a secrets file or environment variable configuration. | [Github Secrets Push Protection](https://docs.github.com/en/enterprise-cloud@latest/code-security/secret-scanning/push-protection-for-repositories-and-organizations), [OWASP Secrets Management Cheat Sheet](https://cheatsheetseries.owasp.org/cheatsheets/Secrets_Management_Cheat_Sheet.html) |
| [supply-chain](./supply-chain/) | An example of a supply chain vulnerability in log4j. This one is to demonstrate dependency vulnerabilities and a security advisory. There are several OWASP Top 10 here: security misconfiguration, using components with known vulnerabilities, insufficient logging and monitoring. | [OWASP Supply Chain Vulnerabilities](https://owasp.org/www-project-kubernetes-top-ten/2022/en/src/K02-supply-chain-vulnerabilities) |
67 changes: 67 additions & 0 deletions doc/ghas-exercises.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,67 @@
# Summary

This repository massages most of the Github Advanced Security (GHAS) features into a single repository:

* Dependabot alerts
* Secrets scanning,
* Code scanning with CodeQL
* Security advisories
* Security policy

When you fork a repository, all GHAS features are disabled by default. Hence, this repo serves as a good way to toggle most of the features of GHAS yourself and walk through some of the existing configurations.

# Goals

You should get core security configuration of the main features of Github Advanced Security. You be able to configure all scanning features and understand basic configuration options, code scanning actions, and YAML config options.

You should be able to see security alerts and be able to triage and respond to them.

# Requirements

If you fork this repository in a public account, you will have access to all the features in this exercise. GHAS is free on public accounts. See also [GHAS pricing](https://docs.github.com/en/enterprise-cloud@latest/billing/managing-billing-for-github-advanced-security/about-billing-for-github-advanced-security)

# Set-up

1. Fork this repository to your own account.
2. Navigate to `https[X]://github.com/{your account id}/swiss-cheese/settings/security_analysis`. You will see the unset security settings:

![GHAS Settings](./img/empty_security_settings.png)

# Configure the settings

**TODO** This section will need specific tasks and configurations to review. Additional references to Github docs as well.

1. Create security policy

* TODO

2. Enable Dependabot alerts

* TODO

3. Enable Code scanning with CodeQL

* TODO

4. Enable secret scanning

* TODO

5. Create a security advisory

* TODO

6. Review

* TODO

# Results

If you have the configured everything correctly you should have the same security alerts as the public repository your forked from. The exception is the Security Advisories, where are not copied to a forked repository.

![GHAS Completed Settings](./img/ghas-fully-configured.png)


# References

* [GHAS Developer Training](https://github.com/services/ghas-developer-training) - An outline of the core concepts suggested by GitHub.
Binary file added doc/img/empty_security_settings.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added doc/img/ghas-fully-configured.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.

0 comments on commit 8b1c5ad

Please sign in to comment.