Creating a Sandbox Account on Uleska

There are many people who want to check out how the Uleska Platform can automate their security tools and manage their vulnerabilities, without hooking it up (at first) to their company code repos and projects.  That's absolutely fine, and here we can suggest some good ways to try Uleska out for yourself. 

Taking Uleska for a test drive

Step 1: Create an Account

Creating a sandbox account is exactly the same as creating a normal account with Uleska.  You can setup an account using your SSO account on GitHub, GitLab, BitBucket (Atlassian) or Google, or you can click on the 'Create an Account' link to use your e-mail address to sign up.

Go to https://cloud.uleska.com/ to create an account.

If you create a new account with your existing Github account Uleska will ask you if you want to add in existing repos - you can skip this if you wish and use the open source repos we suggest later.

You will then be presented with a 'Welcome to Uleska' screen where you'll be asked to set up the name of your Company. Enter any name you'll recognize here.

Step 2: Add Some Open Source Things to Test

Let's do some testing.  Depending on the type of testing you want to try out, there's three main ways to test with a sandbox:

1. Static code security testing (through code repos)
2. Dynamic project security testing (through URLs)
3. Container security testing
   
   

Static Code Testing

There are a lot of deliberately vulnerable source code repos out that that are open source and free for anyone to try out.  Here we list a few repos that are good to try out, and suggested testing tools to use:

• Damn Small Vulnerable Web
  • Code Repo: https://github.com/stamparm/DSVW.git
  • Suggested Tools:
    • Semgrep
    • Bandit
    • Whispers
    • OWASP Dependency Checker

• Vulnerable Django Application
  • Code Repo: https://github.com/Contrast-Security-OSS/DjanGoat.git
  • Suggested Tools:
    • Bandit
    • Checkov
    • OWASP Dependency Checker
    • Sonar-Scanner: Setup instructions here
    • Semgrep (with Django rules turned on)

• •  
• Vulnerable Web Application Security Lab
  • Code Repo: https://github.com/fportantier/vulpy.git
  • Suggested Tools:
    • Bandit
    • Sonar-Scanner: Setup instructions here
      
      
• Vulnerable API
  • Code Repo: https://github.com/mattvaldes/vulnerable-api.git
  • Suggested Tools:
    • Bandit
    • Semgrep
    • OWASP Dependency Checker
    • Sonar-Scanner: Setup instructions here

To set up testing with these repos and tools:

• In the "Applications" menu from the left menu bar, click "Add new application"
• Enter an Application Name and quick description, leave the rest of the values as default for now.
• Click "Save".
• On the application you've just added, add a version.

• Enter a "Version Name" and enter the Code Repo you want to use (from above) as the "Source Code Origin" (note these are all public, so you don't need to setup any authentication this time round).
• Click "Save and Continue" and go to the "Test Tools" tab.

• Click on the Suggested Tools (again from above) and click "Save"

• Now you're sandbox application and version are ready for testing.  Click the "Test Now" button to kick off the toolkit and track the progress.

• When the testing has completed, click on the "Results" button to see the issues.

Dynamic Project Security Testing

There are not as many deliberately vulnerable dynamic projects out there (someone has to run them) but the Google Firing Range is very popular, and OWASP ZAP is a free dynamic testing tool you can setup for your sandbox:

• Google Firing Range
  • Target URL: https://public-firing-range.appspot.com:443 
  • Suggested Tool:
    • OWASP ZAP: Setup instructions here

To set up testing with Google Firing Range and OWASP ZAP:

• In the "Applications" menu from the left menu bar, click "Add new application"
• Enter an Application Name and quick description, leave the rest of the values as default for now.
• Click "Save".
• On the application you've just added, add a version.

• Enter a "Version Name" and enter the target URL you want to use (from above) as the "Url" (note this is public, so you don't need to set up any authentication this time round).
• Click "Save and Continue" and go to the "Test Tools" tab.

• Click on the Suggested Tools (again from above) and click "Save"

• Now you're sandbox application and version are ready for testing.  Click the "Test Now" button to kick off the toolkit and track the progress.

• When the testing has completed, click on the "Results" button to see the issues.

Container Security Testing

Fortunately (or very unfortunately) there are plenty of open source container images out there that are vulnerable.  There are some projects that are deliberately vulnerable for you to try out.  See our steps to add container images and suggested testing tools to use:

• Damn Vulnerable Web Application Docker Container
  • Docker image: vulnerables/web-dvwa:latest
  • Suggested Tool:
    • Clair: Setup instructions here
• Older Version of Alpine
  • Docker image: alpine:2.6
  • Suggested Tool:
    • Clair: Setup instructions here

To set up testing with containers:

• In the "Applications" menu from the left menu bar, click "Add new application"
• Enter an Application Name and quick description, leave the rest of the values as default for now.
• Click "Save".
• On the application you've just added, add a version.

• Enter a "Version Name" and click "Save and Continue"
• Click on the "Container" tab and enter the container image and tag you want to use (from above).  Since these containers are available on the public Docker, you won't need to enter a Connection.
• Click "Test and Preview Manifest" to verify the components of the container configuration.
• If the configuration is valid, you will see a green success dialog and the manifest preview will populate with the components of the container

• Click "Save" to confirm the Container configuration
• Go to the "Test Tools" tab.

• Click on the Suggested Tools (again from above) and click "Save"

• Now you're sandbox application and version are ready for testing.  Click the "Test Now" button to kick off the toolkit and track the progress.

• When the testing has completed, click on the "Results" button to see the issues.

Now We've Tested, Let's Play

Well done!  You've ran some testing toolkits in your sandbox account.  Now you can play with some of the vulnerability management and reporting available, and hook this testing up to a CI/CD.

Why not try some of the following:

• Review existing results

• Export reports

• View some automated charts and metrics of your testing

• Add new versions, if you wish to fork the application to fix any issues uncovered

• Invite other team members onto the platform

• Add ASVS and CVSS categories to any issues that don't have them

• Add some manually discovered issues for tracking

• Mark some issues as False Positives and re-test to validate they remain suppressed

• Add your own content into the vulnerability advisories and see that content presented when re-tested

• Hook your account up to Jira or Slack

• Run a test using the CLI client