Introduction and Goals

Initially, the goal of secureCodeBox was to provide a tool for easily integrating security testing tools into your CI/CD pipeline to run against your web project. Some years ago we asked ourselves: why only scan a single project? So a great idea was born: consider the whole company as a project. Additionally, secureCodeBox can aid penetration testers in the recon and discovery phase of a security assessment. The purpose of secureCodeBox is not to replace penetration testers or make them obsolete. We strongly recommend running extensive tests by experienced penetration testers on all your applications.

The following goals have been established for this project:

| Priority | Goal |
|---|---|
| 1 | The project shall be enhanced by features that are suitable to keep. |
| 2 | The project is scalable and resource efficient (FaaS). |
| 3 | The project implements additional scanners that are a useful addition to the current suite, limiting redundancy. |
| 4 | The findings are displayed in a navigable way with the least amount of duplication. |
| 5 | secureCodeBox starts new relevant scans in an agile way, based on previous findings. |

Requirements Overview

The following use case diagram is only a visual overview of the most important use cases. We do not encourage modelling all use cases in detail with UML, because it is hard to grasp all the nit-picky details of the official UML syntax. We just use bubbles and simple lines to show which actors need which use case scenario.

[Figure: Use-case diagram]

Roles

| Actor | Description |
|---|---|
| Tester | This role is the actual end user performing scans and evaluating the results. |
| CI | This role is a system periodically performing scans, e.g. after build and deployment. |
| Operator | This role operates the secureCodeBox (mainly the k8s cluster and the Engine operator). |

Use Cases

| Id | Requirement | Explanation |
|---|---|---|
| UC1 | Define scan | The Tester defines scans with a target reachable by network and scan types to be executed against this target. |
| UC2 | Define cascading scan | The Tester defines a scan which triggers subsequent scans depending on the result of the current scan. |
| UC3 | Initiate scan | The Tester or CI triggers a defined scan. |
| UC4 | Get scan results | The Tester retrieves the scan results for further examination. |
| UC5 | Deploy scan in namespace to k8s | The Operator or Tester deploys a scan into a namespace to make it available for defining scans. |
| UC6 | Deploy scan cluster wide to k8s | The Operator deploys a scan cluster wide to make it available for defining scans. |
| UC7 | Deploy engine cluster wide to k8s | The Operator deploys the Engine operator cluster wide to make secureCodeBox available. |
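As an added illustration of UC1 and UC2 (not taken from this page or from the secureCodeBox project's own documentation), the two Kubernetes resources a Tester would write: a Scan that runs one scan type against one network-reachable target, and a CascadingRule that starts a follow-up scan only when a finding of the first scan matches. Resource kinds, API groups and field names follow the secureCodeBox v2 custom resources (Scan and CascadingRule) as the project defines them; the target host, the resource names and the choice of a port-443 rule are constructed placeholders.

```yaml
# Added example; not part of the secureCodeBox documentation.
# UC1: the Tester defines a scan with a target and a scan type.
apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: "nmap-example-target"          # constructed name
spec:
  scanType: "nmap"                     # a ScanType made available per UC5 or UC6
  parameters:
    - "-p"
    - "443"
    - "example-target.internal"        # placeholder host, not a real target
  # UC2: opt this scan into cascading; only CascadingRules whose labels
  # match are evaluated against its findings.
  cascades:
    matchLabels:
      securecodebox.io/intensive: "light"
---
# UC2: a rule that triggers a TLS configuration check for every finding
# that reports TCP port 443 as open.
apiVersion: "cascading.securecodebox.io/v1"
kind: CascadingRule
metadata:
  name: "tls-check-on-443"             # constructed name
  labels:
    securecodebox.io/invasive: "non-invasive"
    securecodebox.io/intensive: "light"
spec:
  matches:
    anyOf:
      - category: "Open Port"          # finding category emitted by the nmap parser
        attributes:
          port: 443
          state: "open"
  scanSpec:
    scanType: "sslyze"
    parameters:
      # templated from the matched finding: host plus the matched port
      - "{{$.hostOrIP}}:{{attributes.port}}"
```

The rule only takes effect when the project's cascading-scans hook is installed in the same namespace as the Scan; if no finding matches, no follow-up Scan is created, and each follow-up Scan is a regular Scan resource whose results are retrieved exactly as in UC4.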

Quality Goals

Below, the most important qualities that this project strives for are described. The qualities are categorized using the ISO 25010 standard. Most of these qualities are derived from the blog post The Architecture of secureCodeBox v2. For the entire list of quality goals see Quality Requirements.

| Category | Quality | Description | Scenario |
|---|---|---|---|
| Maintainability | Modular | All components should be loosely coupled to easily swap them | |
| Maintainability | Ease of integration | It should be possible to easily integrate new scanners | |
| Maintainability | Ease of contributing | SCB should be well documented | |
| Maintainability | Ease of updating | Third-party software should be carefully chosen, for maintainability | SC1 |
| Portability | Adaptable | SCB should run everywhere (local, VMs, cloud, etc.) | SC2 |
| Performance efficiency | Resource efficient | SCB should scale to the available resources | SC3 |
| Performance efficiency | Time efficient | Tasks should run in parallel to optimize the use of resources | |
| Usability | Ease of integration | The definition and implementation of a scan process should be easy | SC4 |

Scenarios

| Id | Scenario |
|---|---|
| SC1 | A third party updates their software with a breaking change. The effort to support this update is minimal. |
| SC2 | A company is running SCB in the cloud, due to limited resources on premise. |
| SC3 | SCB is out of resources and a new scan is initiated. The scan is queued until resources are available. |
| SC4 | A scan is easily created and started by writing and loading a config file. |

Stakeholders

| Company | Name | Role | GitHub Account |
|---|---|---|---|
| iteratec | Robert Seedorff | Product Owner | @rseerdorff |
| iteratec | Sven Strittmatter | Scrum Master & Developer | @Weltraumschaf |
| iteratec | Jannik Hollenbach | Core Developer | @J12934 |
| iteratec | Max Maass | Core Developer | @malexmave |
| iteratec | Ilyes Ben Dlala | Core Developer | @Ilyesbdlala |
| iteratec | Rami Souai | Core Developer | @RamiSouai |
| Secura | Ralph Moonen | CTO | N/A |
| Secura | Sander Maijers | Developer | @sanmai-NL |
| Secura | Stijn van Es | Developer | @Stijn-FE |
| Secura | Ali Altun | Developer | N/A |