SecureCodeBox - continuous secure delivery out of the box

Be honest, how often do you test your IT systems for security vulnerabilities? Once a year? After every release? Do you test your systems at all? Many companies are aware of the economic risks related to cyber attacks but they still often only pay lip service to IT security. Consequently, if there really is an attack on the system, the result is sheer panic.

IT security is gaining importance as digitalisation multiplies the number of possible targets. Attacks are becoming more complex and more professional, attack methods and scenarios advance rapidly, and so do the motivation and the incentives for attackers. Time is another factor: developers generally do not have enough time to take care of every security topic, whereas highly motivated attackers are available 365 days a year.

A key factor for the success of digitalisation is to create an awareness for security and to continuously incorporate security as part of the agile software development process. However, particularly in the context of Continuous Delivery, companies often lack suitable resources and technologies to carry out continuously automated security tests. Additionally, it is often cost and time intensive to implement automated security analyses for IT systems. Existing solutions often generate high set-up and infrastructure costs. This is why we have developed our own tool: the SecureCodeBox.

This allows us to use the tools and scanners of the attackers, automate them and use them to test the relevant systems. That way, security gaps can be discovered early, developers receive constant feedback and important security aspects will be kept in mind.

The aim of the SecureCodeBox is to provide an open, flexible and comprehensive solution for automated security tests and to make them usable "out of the box". Technologies such as Docker, Camunda, Elasticsearch & Kibana, together with established security tools such as OWASP ZAP, Nmap and SSLyze, form the technical basis, since these tools are able to carry out automated dynamic security tests.

Thanks to its open structure, SecureCodeBox is not tied to particular tools: any existing security-scan solution (to the extent that it can export its results) as well as custom tests for individual (e.g. REST) interfaces can be integrated.
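What "can export results" means in practice is that the scanner's native output has to be turned into a common finding format before it can be stored, compared across runs or fed back to developers. The following is an added illustration, not SecureCodeBox code: it reads a constructed Nmap XML export (the `-oX` format) with Python's standard library and emits one normalised finding per open port. The `RISKY_SERVICES` severity table and the finding field names are assumptions made for the example.

```python
"""Normalise an existing scanner's export (here: Nmap XML) into a common finding format.

Added example, not part of SecureCodeBox. The XML below is a constructed, trimmed
sample of what `nmap -sV -oX` writes; only the elements used here are included.
"""
import xml.etree.ElementTree as ET

# Constructed sample export (no real host behind 192.0.2.10, which is TEST-NET-1).
NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX out.xml 192.0.2.10" version="7.80">
  <host>
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames><hostname name="app.example.test" type="PTR"/></hostnames>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh" product="OpenSSH" version="7.4" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http" product="Apache httpd" version="2.4.6" method="probed" conf="10"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="open" reason="syn-ack"/>
        <service name="telnet" method="table" conf="3"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed" reason="reset"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Hypothetical policy table: services that should never be reachable get a higher
# severity than the default "info" for an open port.
RISKY_SERVICES = {"telnet": "high", "ftp": "medium", "rdp": "medium"}


def parse_nmap(xml_text):
    """Return a list of normalised findings, one per open port in the export.

    Closed/filtered ports are skipped. For exports produced on systems you do not
    control, parse with defusedxml instead of the stdlib parser.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        name_el = host.find("hostnames/hostname")
        address = addr_el.get("addr") if addr_el is not None else None
        hostname = name_el.get("name") if name_el is not None else None
        for port in host.findall("ports/port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            service = port.find("service")
            svc_name = service.get("name", "") if service is not None else ""
            # Product and version are only present when -sV could identify them.
            version = " ".join(
                v for v in (service.get("product"), service.get("version")) if v
            ) if service is not None else ""
            findings.append({
                "source": "nmap",
                "host": address,
                "hostname": hostname,
                "port": int(port.get("portid")),
                "protocol": port.get("protocol"),
                "service": svc_name,
                "version": version,
                "severity": RISKY_SERVICES.get(svc_name, "info"),
            })
    return findings


if __name__ == "__main__":
    for f in parse_nmap(NMAP_XML):
        print(f"{f['severity']:6} {f['host']}:{f['port']}/{f['protocol']} {f['service']} {f['version']}")
```

The same shape (source, host, port, service, severity) is what a second scanner's adapter, say for SSLyze or ZAP, would also produce, so the storage and reporting layer never has to know which tool generated a finding.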

How does the scanning process work?

1. Configuration:

  • Define the target of the scan
  • Define the scope of the security tests

2. Spider:

  • Crawls the target and builds a site map of all URLs it discovers

3. Scanner:

  • For every URL in the site map, a multitude of security tests is carried out
  • Further scanners / tools: port scanner, SSL/TLS analyser, etc.
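To make the three steps concrete, here is an added, self-contained Python illustration of the configure, spider, scan loop. It is not SecureCodeBox code and does not use ZAP: the "website" is a constructed in-memory dictionary of URLs to (response headers, HTML), the spider is a small breadth-first link crawler restricted to the configured scope, and the scanner runs a handful of header checks per discovered URL. The check names and severities are assumptions made for the example.

```python
"""Configure -> spider -> scan, as an added illustration (not SecureCodeBox code)."""
import re
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed in-memory "website": URL -> (response headers, HTML body).
# Nothing here is fetched over the network.
SITE = {
    "https://app.example.test/": (
        {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff",
         "Strict-Transport-Security": "max-age=31536000"},
        '<a href="/login">Login</a> <a href="/about">About</a>'
        ' <a href="https://cdn.other.test/x.js">script</a>',
    ),
    "https://app.example.test/login": (
        {"Content-Type": "text/html", "Set-Cookie": "session=abc; Path=/"},
        '<form action="/login" method="post"><input name="user"></form><a href="/">Home</a>',
    ),
    "https://app.example.test/about": (
        {"Content-Type": "text/html", "Server": "Apache/2.4.6 (CentOS)"},
        '<a href="/admin">Admin</a>',
    ),
    "https://app.example.test/admin": (
        {"Content-Type": "text/html", "X-Content-Type-Options": "nosniff"},
        "<p>403 Forbidden</p>",
    ),
}


@dataclass
class ScanConfig:
    """Step 1, configuration: where to start and what is in scope."""
    target: str        # start URL
    scope: str         # only URLs with this prefix are spidered and scanned
    max_urls: int = 50  # hard cap so a misconfigured scope cannot run away


class LinkExtractor(HTMLParser):
    """Collects href attributes of <a> tags."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            for name, value in attrs:
                if name == "href" and value:
                    self.links.append(value)


def fetch(url):
    """Stand-in for an HTTP GET against the constructed SITE."""
    return SITE.get(url, ({}, ""))


def spider(config):
    """Step 2: breadth-first crawl that stays inside the configured scope."""
    queue, sitemap = [config.target], []
    while queue and len(sitemap) < config.max_urls:
        url = queue.pop(0)
        if url in sitemap or not url.startswith(config.scope):
            continue
        sitemap.append(url)
        _, body = fetch(url)
        parser = LinkExtractor()
        parser.feed(body)
        for href in parser.links:
            absolute, _ = urldefrag(urljoin(url, href))  # resolve relative links, drop #fragments
            if absolute not in sitemap:
                queue.append(absolute)
    return sitemap


def scan_url(url, headers):
    """Step 3: per-URL checks. Header names are compared case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if url.startswith("https://") and "strict-transport-security" not in h:
        findings.append({"url": url, "check": "missing-hsts", "severity": "medium"})
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append({"url": url, "check": "missing-nosniff", "severity": "low"})
    cookie = h.get("set-cookie")
    if cookie:
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        missing = [flag for flag in ("secure", "httponly") if flag not in attrs]
        if missing:
            findings.append({"url": url, "check": "insecure-cookie", "severity": "medium",
                             "detail": "missing " + ", ".join(missing)})
    if re.search(r"/\d", h.get("server", "")):  # e.g. "Apache/2.4.6" leaks a version
        findings.append({"url": url, "check": "server-version-disclosure", "severity": "info"})
    return findings


def run_scan(config):
    """Glue the three steps together; returns (site map, findings)."""
    sitemap = spider(config)
    findings = []
    for url in sitemap:
        headers, _ = fetch(url)
        findings.extend(scan_url(url, headers))
    return sitemap, findings


if __name__ == "__main__":
    urls, results = run_scan(ScanConfig(target="https://app.example.test/",
                                        scope="https://app.example.test/"))
    print("site map:", urls)
    for f in results:
        print(f"{f['severity']:6} {f['check']:26} {f['url']}")
```

The scope prefix is what keeps the crawler from wandering onto the CDN host in the sample, and the `max_urls` cap is the kind of guard rail a continuous pipeline needs so that one bad configuration cannot tie up the scanner indefinitely. A port scanner or SSL/TLS analyser would slot in as another function over the configured target rather than over the site map.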

Overview of the features

We are looking for beta testers! If you are interested in the SecureCodeBox or the area of security, please contact us via e-mail. We will keep you up to date.