There are many people who want to check out how the Uleska Platform can automate their security tools and manage their vulnerabilities, without hooking it up (at first) to their company code repos and projects. That's absolutely fine, and here we can suggest some good ways to try Uleska out for yourself.
Creating a sandbox account is exactly the same as creating a normal account with Uleska. You can set up an account using your SSO account on GitHub, GitLab, BitBucket (Atlassian) or Google, or you can click on the 'Create an Account' link to use your e-mail address to sign up.
Go to https://cloud.uleska.com/ to create an account.
If you create a new account with your existing GitHub account, Uleska will ask you if you want to add in existing repos - you can skip this if you wish and use the open source repos we suggest later.
You will then be presented with a 'Welcome to Uleska' screen where you'll be asked to set up the name of your Company. Enter any name you'll recognize here.
Let's do some testing. Depending on the type of testing you want to try out, there are three main ways to test with a sandbox:
There are a lot of deliberately vulnerable source code repos out there that are open source and free for anyone to try out. Here we list a few repos that are good to try out, and suggested testing tools to use:
There are not as many deliberately vulnerable dynamic projects out there (someone has to run them), but the Google Firing Range is very popular, and OWASP ZAP is a free dynamic testing tool you can set up for your sandbox:
Fortunately (or very unfortunately) there are plenty of open source container images out there that are vulnerable. There are some projects that are deliberately vulnerable for you to try out. See our steps to add container images and suggested testing tools to use:
Well done! You've run some testing toolkits in your sandbox account. Now you can play with some of the vulnerability management and reporting available, and hook this testing up to a CI/CD pipeline.
Why not try some of the following:
Add new versions, if you wish to fork the application to fix any issues uncovered
Invite other team members onto the platform
Add ASVS and CVSS categories to any issues that don't have them
Mark some issues as False Positives and re-test to validate they remain suppressed
Add your own content into the vulnerability advisories and see that content presented when re-tested