
Mixeway Backend

About Mixeway:

Mixeway is open-source software meant to simplify security assurance for projects delivered through CI/CD pipelines. Mixeway is not another vulnerability scanner - it is a security orchestration tool.

It ships with a number of plugins for vulnerability scanners:

With these in place, Mixeway provides the following functionality:

  • Automatic service discovery (IaaS plugin for assets, network scans for services)
  • Automatic vulnerability scan configuration (based on the most recent asset configuration) - hands-free
  • Automatic and on-demand vulnerability scan execution (driven by policy, or triggered via a REST API call)
  • One vulnerability database for all source types - SAST, DAST, open-source dependency and infrastructure findings in one place
  • Customizable security quality gate - a reliable signal for the CI/CD pipeline to decide whether a job should pass or fail
  • REST API for integration with the vulnerability management systems already used within the organization

Elements of a system:

Mixeway Backend Description:

Mixeway Backend is a Spring Boot application that serves the REST API both for the user interface and for independent tools that create and run scans. The backend also contains the vulnerability scanner plugin definitions. Each plugin implements at least three operations: configure scan, run scan and load vulnerabilities. This puts Mixeway fully in charge of the scanning process and lets it automate the vulnerability assessment end to end.

With the HashiCorp Vault integration, the credentials for each security scanner (the most sensitive data the backend holds) are properly secured.

High-level information can be found here

More detailed technical docs are here

Hashicorp Vault integration:

Mixeway has to store and reuse the passwords and API keys it is given in order to interact with the vulnerability scanners.

Vault integration is optional but strongly recommended; without it, the scanner credentials are stored in plaintext.

Mixeway User Interface Tech stack:

Requirements:
  • A running and working database
  • Java 1.8
  • TLS certificates
Good to have:
  • HashiCorp Vault up and running
Running in development mode:
  1. Make sure the DB is up and running (you can use the guide on running Postgres in Docker here: https://hub.docker.com/_/postgres)
  2. Optionally make sure Vault is up and running (you can use the guide on running Vault in Docker here: https://hub.docker.com/_/vault)
  3. Generate certificates and convert them to PKCS12 (yes, certificates are required even in dev). Pass -name localhost so the keystore alias matches --server.ssl.keyAlias=localhost in the run command below; without it the PKCS12 alias defaults to "1" and the application will refuse to start.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
openssl pkcs12 -inkey key.pem -in certificate.pem -export -name localhost -out certificate.p12

A cacerts trust store (the JVM's default CA bundle) is also needed, so make sure you know where it is. On most installations it lives at $JAVA_HOME/lib/security/cacerts (Java 9+) or $JAVA_HOME/jre/lib/security/cacerts (Java 8) and has the default password changeit. It can also be located using the tips here

Finally run (replace <mixeway-backend.jar> with the path to the jar you built):

java -jar <mixeway-backend.jar> \
          --server.ssl.trust-store=/etc/pki/cacerts \
          --server.ssl.trust-store-password=changeit \
          --server.ssl.key-store=/etc/pki/localhost.p12 \
          --server.ssl.key-store-password=changeit \
          --server.ssl.keyAlias=localhost \
          --spring.profiles.active=dev \
          --spring.datasource.url=jdbc:postgresql://127.0.0.1:5432/mixer \
          --spring.datasource.username=mixewayuser \
          --spring.datasource.password=mixewaypassword \
          --spring.cloud.vault.token=ffffffff-ffff-ffff-ffff-ffffffffffff \
          --spring.cloud.vault.scheme=http \
          --spring.cloud.vault.port=8200 \
          --spring.cloud.vault.host=MixerVault

The REST API will be exposed on port 8443. Two caveats about the command above: every credential on it (database password, Vault token, keystore passwords) is visible to other local users through the process list, and Spring Boot accepts the same keys as environment variables (for example SPRING_DATASOURCE_PASSWORD) or from an application-dev.properties file, which is preferable even on a shared dev box. The Vault token is a placeholder and --spring.cloud.vault.scheme=http is only acceptable against a local dev Vault; a real deployment should talk to Vault over https.
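The dev setup procedure above, as an added example that is not part of the Mixeway project: a shell script that creates the dev key pair and PKCS12 keystore non-interactively, pins the PKCS12 friendlyName to localhost so that --server.ssl.keyAlias=localhost resolves, reads the alias back to verify it, and locates the default cacerts of the java on PATH. The output directory ./dev-certs, the password changeit and the --run flag are this example's own choices, not project conventions.

```bash
#!/usr/bin/env bash
# Added example, not Mixeway project code. Builds the dev keystore that the run
# command above expects and checks it before the JVM ever sees it.
set -euo pipefail

# make_dev_keystore OUTDIR PASSWORD
# Writes key.pem, certificate.pem and certificate.p12 into OUTDIR and returns
# non-zero unless the PKCS12 file carries the alias "localhost".
make_dev_keystore() {
  local outdir="$1" pass="$2" info
  mkdir -p "$outdir"

  # -subj and -addext make the request non-interactive. The SAN is what TLS
  # clients (browsers, curl, the JVM) actually match; a bare CN is ignored.
  openssl req -newkey rsa:2048 -nodes -x509 -days 365 \
    -subj "/CN=localhost" \
    -addext "subjectAltName=DNS:localhost,IP:127.0.0.1" \
    -keyout "$outdir/key.pem" -out "$outdir/certificate.pem" 2>/dev/null

  # -name sets the PKCS12 friendlyName, which Java exposes as the keystore
  # alias. Without it the alias is "1" and Spring Boot refuses to start with
  # keyAlias=localhost. -passout avoids a prompt; acceptable for dev only,
  # because the password shows up in the process list.
  openssl pkcs12 -export -name localhost \
    -inkey "$outdir/key.pem" -in "$outdir/certificate.pem" \
    -out "$outdir/certificate.p12" -passout "pass:$pass"

  # Read the bag attributes back and confirm the alias really is there.
  # Captured into a variable rather than piped to grep -q so that pipefail
  # cannot turn an early grep exit into a spurious failure.
  info=$(openssl pkcs12 -in "$outdir/certificate.p12" -info -nokeys \
           -passin "pass:$pass" 2>/dev/null)
  case "$info" in
    *"friendlyName: localhost"*) return 0 ;;
    *) echo "alias 'localhost' missing from $outdir/certificate.p12" >&2; return 1 ;;
  esac
}

# find_cacerts
# Prints the default trust store of the java on PATH. java.home already points
# at the jre/ directory on Java 8, so one path covers both Java 8 and 9+.
find_cacerts() {
  local home
  home=$(java -XshowSettings:properties -version 2>&1 \
           | sed -n 's/^ *java\.home = //p') || true
  if [ -n "$home" ] && [ -f "$home/lib/security/cacerts" ]; then
    echo "$home/lib/security/cacerts"
  else
    return 1
  fi
}

# Run with --run to generate ./dev-certs and print the matching server.ssl
# flags for the java -jar command above (hypothetical flag of this example).
if [ "${1:-}" = "--run" ]; then
  make_dev_keystore ./dev-certs changeit
  cacerts=$(find_cacerts) || cacerts="/path/to/cacerts"   # no java on PATH: fill in by hand
  cat <<EOF
--server.ssl.trust-store=$cacerts
--server.ssl.trust-store-password=changeit
--server.ssl.key-store=$PWD/dev-certs/certificate.p12
--server.ssl.key-store-password=changeit
--server.ssl.keyAlias=localhost
EOF
fi
```

The script does not start the JVM; the printed flags drop straight into the java -jar command above. One more thing to watch: OpenSSL 3 encrypts the PKCS12 contents with AES and PBKDF2 by default, and older Java 8 builds cannot read that, failing with a misleading "keystore password was incorrect". If that happens, add -legacy to the openssl pkcs12 -export call.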

Auth methods

Mixeway supports multiple authentication methods:

  • GitHub OAuth
  • Facebook OAuth
  • Keycloak OAuth
  • x509 Smart Cards

GitHub OAuth

In order to enable GitHub OAuth, register the Mixeway application as an OAuth app at GitHub and then set the variables:

  • GITHUB_APP_ID
  • GITHUB_SECRET

Facebook SSO

In order to enable Facebook OAuth, register the Mixeway application at Facebook and then set the variables:

  • FACEBOOK_APP_ID
  • FACEBOOK_SECRET

Keycloak SSO

In order to enable Keycloak OAuth, register the Mixeway application as a client in your Keycloak realm and then set the variables:

  • KEYCLOAK_REALM
  • KEYCLOAK_URL (ending with /auth)
  • KEYCLOAK_CLIENT_ID
  • KEYCLOAK_SECRET
  • KEYCLOAK_AUTH_ROLE