Creating a Sandbox Account on Uleska

 

Many people want to see how the Uleska Platform can automate their security tools and manage their vulnerabilities without (at first) hooking it up to their company code repos and projects. That's absolutely fine, and here we suggest some good ways to try Uleska out for yourself.


Taking Uleska for a test drive

 

Step 1: Create an Account

Creating a sandbox account is exactly the same as creating a normal account with Uleska. You can set up an account using your SSO account on GitHub, GitLab, Bitbucket (Atlassian) or Google, or you can click on the 'Create an Account' link to sign up with your e-mail address.

Go to https://cloud.uleska.com/ to create an account.

If you create a new account with your existing GitHub account, Uleska will ask whether you want to add existing repos. You can skip this if you wish and use the open source repos we suggest later.

You will then be presented with a 'Welcome to Uleska' screen where you'll be asked to set up the name of your Company. Enter any name you'll recognize here.

Step 2: Add Some Open Source Things to Test

Let's do some testing. Depending on the type of testing you want to try out, there are three main ways to test with a sandbox:

  1. Static code security testing (through code repos)
  2. Dynamic project security testing (through URLs)
  3. Container security testing

Static Code Testing

There are a lot of deliberately vulnerable source code repos out there that are open source and free for anyone to try out. Here we list a few repos that are good to try out, and suggested testing tools to use:

To set up testing with these repos and tools:
  • In the "Applications" menu from the left menu bar, click "Add new application".
  • Enter an Application Name and quick description, and leave the rest of the values as default for now.
  • Click "Save".
  • On the application you've just added, add a version.
  • Enter a "Version Name" and enter the Code Repo you want to use (from above) as the "Source Code Origin" (note these are all public, so you don't need to set up any authentication this time round).
  • Click "Save and Continue" and go to the "Test Tools" tab.
  • Click on the Suggested Tools (again from above) and click "Save".
  • Now your sandbox application and version are ready for testing. Click the "Test Now" button to kick off the toolkit and track the progress.
  • When the testing has completed, click on the "Results" button to see the issues.

Dynamic Project Security Testing

There are not as many deliberately vulnerable dynamic projects out there (someone has to run them), but the Google Firing Range is very popular, and OWASP ZAP is a free dynamic testing tool you can set up for your sandbox:

To set up testing with Google Firing Range and OWASP ZAP:
  • In the "Applications" menu from the left menu bar, click "Add new application".
  • Enter an Application Name and quick description, and leave the rest of the values as default for now.
  • Click "Save".
  • On the application you've just added, add a version.
  • Enter a "Version Name" and enter the target URL you want to use (from above) as the "Url" (note this is public, so you don't need to set up any authentication this time round).
  • Click "Save and Continue" and go to the "Test Tools" tab.
  • Click on the Suggested Tools (again from above) and click "Save".
  • Now your sandbox application and version are ready for testing. Click the "Test Now" button to kick off the toolkit and track the progress.
  • When the testing has completed, click on the "Results" button to see the issues.

Container Security Testing

Fortunately (or very unfortunately) there are plenty of open source container images out there that are vulnerable.  There are some projects that are deliberately vulnerable for you to try out.  See our steps to add container images and suggested testing tools to use:

To set up testing with containers:
  • In the "Applications" menu from the left menu bar, click "Add new application".
  • Enter an Application Name and quick description, and leave the rest of the values as default for now.
  • Click "Save".
  • On the application you've just added, add a version.
  • Enter a "Version Name" and click "Save and Continue".
  • Click on the "Container" tab and enter the container image and tag you want to use (from above). Since these containers are available on the public Docker, you won't need to enter a Connection.
  • Click "Test and Preview Manifest" to verify the components of the container configuration.
  • If the configuration is valid, you will see a green success dialog and the manifest preview will populate with the components of the container.
  • Click "Save" to confirm the Container configuration.
  • Go to the "Test Tools" tab.
  • Click on the Suggested Tools (again from above) and click "Save".
  • Now your sandbox application and version are ready for testing. Click the "Test Now" button to kick off the toolkit and track the progress.
  • When the testing has completed, click on the "Results" button to see the issues.

Now We've Tested, Let's Play

Well done! You've run some testing toolkits in your sandbox account. Now you can play with some of the vulnerability management and reporting available, and hook this testing up to a CI/CD pipeline.

Why not try some of the following: