1
0
Fork
You've already forked demo-labs-spring
0
No description
  • HTML 55%
  • Java 45%
Find a file
Deven Phillips 897c6c893d
Merge pull request #1 from logandonley/patch-1
Fixing one of the template references
2018年01月02日 10:25:34 -05:00
inventory Fixing one of the template references 2018年01月02日 10:16:14 -05:00
src Retrofit to JUnit 4 2017年12月05日 14:08:48 -05:00
.gitignore Updated Jenkinsfile for JaCoCo coverage report 2017年12月01日 15:18:01 -05:00
DemoScript.md Added initial demo script 2017年12月08日 20:12:46 -05:00
Jenkinsfile Fix pvc for Maven slave 2017年12月06日 15:29:58 -05:00
pom.xml Copy new settings from Step_2 2017年12月06日 12:07:20 -05:00
README.md Fixed remaining issues 2017年12月05日 11:09:51 -05:00
requirements.yml Updated Jenkinsfile for JaCoCo coverage report 2017年12月01日 15:18:01 -05:00

Innovation Labs Security & Compliance Demo

Overview

This project demonstrates some of the features we can provide in a Labs residency around security and compliance analysis in a DevOps environment.

  • OWASP Zed Attack Proxy
  • OWASP Dependency Check
  • SonarQube Static Analysis

Prerquisites

  • Ansible (>= 2.4)
  • Ansible-Galaxy
  • OpenShift Container Platform CLI (oc)
  • An OpenShift cluster where this demo can be deployed (OCP >= 3.6)

Deploying this demo

  • This demo takes some time to prepare/deploy
  • This demo cannot be deployed LIVE during a talk
  1. Check out this repository
  2. Install casl-ansible using Ansible Galaxy
    • ansible-galaxy install --roles-path . -r requirements.yml
  3. Log on to an OpenShift cluster where the demo will be run
    • oc login -u <username> <OCP Master URL>
  4. Deploy the application and CI/CD environment to OpenShift
    • ansible-playbook --connection=local -i inventory casl-ansible/playbooks/openshift-cluster-seed.yml

Running this demo

  1. When the demo is first deployed, the CI/CD environment will be deployed
    • Could take as long as 30 minutes
  2. Once the CI/CD environment is deployed, the Spring application will be built
    • Manual approval to deploy to the Demo environment will be required
  3. The initial build of the application WILL fail
    • This is intentional... The initial build has insecure dependencies and insecure web semantics
  4. The first step is to show the failed build and show the reasons for the failed build
    • Log in to Jenkins, display the OWASP Dependency Check Report
  5. Fix the dependency check problem by switching to the Step_1 branch
  6. Trigger the pipeline to rebuild
  7. Show that the build failed because of the ZAP scan finding insecure practices in the web app
  8. Fix the ZAP scan issue by switching to the Step_2 branch
  9. Trigger the pipeline to rebuild
  10. Show that the build now passes both scans