Ruggedy Limited is a New Zealand-based company founded by Francois Marais and Gareth Lawson. Our passion can be summed up as "automation through technology that helps people in their day-to-day jobs and lives". Francois is an Information Security specialist and Gareth is a Software Developer. Each have more than 15 years of experience in their areas of expertise and have embarked on a journey to see how they can bring these two specialities together to create a "security as code" solution. You can read more on our website: www.ruggedy.io.
Ruggedy VMA (Vulnerability Management App) is an open source web application built by Ruggedy Limited in PHP, using the Laravel framework as a foundation.
It is built to assist pen testers, information security consultants, CISOs (Chief Information Security Officers), and anyone who is using tools like Burp, Nessus and Nexpose, to do network and server security testing.
In the simplest terms, the application does the following:
- Consumes XML scan output files generated by Burp, Nessus or Nexpose security scanners.
- Provides an approachable, consistent user interface (UI) for analysing the data found in these files.
- Allows you to add your own manual findings of vulnerabilities using the Ruggedy App, named after the company that built this software.
- Allows you to group Vulnerabilities into "Folders".
- Enables collaboration through "comments" on vulnerability records.
- Makes it easy to send vulnerability information directly into Jira as a "Bug" issue.
This application has a few system requirements. All of these requirements are satisfied by the Laravel Homestead virtual machine, so it's highly recommended that you use Homestead if you are installing the application on your own machine.
However, if you are not using Homestead, you will need to make sure your server meets the following requirements:
- PHP >= 7
- OpenSSL PHP Extension
- PDO PHP Extension
- Mbstring PHP Extension
- Tokenizer PHP Extension
- XML PHP Extension
- A web server installed, e.g. Apache, Nginx etc.
- A running MySQL server with an empty database to use when installing the application
- Composer must be installed
- Bower must be installed
- NodeJS and NPM must be installed
- Git must be installed
For more information on how to setup and configure your web server environment you can read the Laravel documentation.
We have added the ability to run the entire application in Docker. All that is required to be able to setup and run the app in Docker is:
- A Linux compatible system or Mac OS X not more than a year old (Windows support coming soon)
- Docker Engine version 1.13.0+ or Docker Machine 0.9.0+ (This has not been tested using Docker Machine and may not work as expected)
- Docker Compose version 1.10.0+
The following instructions assume that you have configured your web server environment with all the above requirements, that you understand how to setup a web server to run a PHP-based web application, and that you have access to a bash (or similar) shell to run the below commands.
- Make sure your server environment meets all the requirments.
- Clone this repository with Git to a location accessible to PHP and your web server (Apache, Nginx etc.):
git clone https://github.com/Ruggedy-Limited/ruggedy-vma.git
- Make a copy of the file named .env.example to a file named just .env, e.g.
cp ./.env.example ./.env
. - It is REQUIRED that you open the .env file in an editor of your choice and configure your database connection: DB_HOST, DB_PORT, DB_DATABASE, DB_USERNAME, DB_PASSWORD.
- It is recommended that you customise the following options in the .env file: APP_ENV (local/development/production), APP_DEBUG (true/false), APP_URL (e.g. http://localhost).
- If you want the password reset functionality to send emails, configure your SMTP server in the .env file: MAIL_HOST, MAIL_PORT, MAIL_USERNAME, MAIL_PASSWORD, MAIL_ENCRYPTION, MAIL_FROM_NAME, MAIL_FROM_ADDRESS.
Now run the following commands from your shell while in the directory where the git repository was cloned:
composer install
bower install
npm install
php artisan key:generate && php artisan migrate
crontab -e
then add the following cron job to your crontab:* * * * * /path/to/php /path/to/ruggedy-vma/artisan schedule:run >> /path/to/ruggedy-vma/storage/logs/cron.log 2>&1
NOTE: In the cron entry, make sure you replace /path/to with the path relevant to your server/environment.
- Clone the git repository to a location that suits you, as long as the directory is included in Docker File Sharing:
git clone https://github.com/Ruggedy-Limited/ruggedy-vma.git
- Run the following command:
docker-files/build.sh
- The build process can take 30 - 60 minutes to complete, depending on the specs of the computer you're installing on and the speed of your internet connection.
- If there are any errors that cause the build process to bomb out completely, you can try re-running the above command.
- To stop all the containers running the app, but preserve them and their data:
docker-compose stop
- To start the containers again at a later time:
docker-compose start
- All the above commands should be run from the directory where the git repository was cloned.
- Please ensure that no native web server, MySQL server or any other process is binding to ports 80, 443 or 3306, or the Docker build will fail.
If all of the above commands succeed, then the application should be installed, working and accessible via the URL/hostname you configured on your web server (Apache/Nginx), or if there are no configured local hostnames, just http://localhost/ or http://127.0.0.1/ should work too. A default admin user is installed with the following credentials:
Username: admin@localhost
Password: password
It is highly recommended that you amend these details by logging in and making the relevant changes by clicking the "Profile" menu option on the main menu that can be accessed by clicking the hamburger menu icon at the top-left of the screen.
This still needs to be clearly defined, but the immediate plans are to make some improvements to the XML parser and to create a single command setup process in the next couple of months.
Thank you for considering contributing to Ruggedy VMA! Feel free to submit a pull request against the master branch, but if you do, all we ask is that you first check out a topic branch from master before making any commits, e.g.
git checkout master && git checkout -b my-new-topic
Alternatively you can send an email to hello@ruggedy.io if you want to discuss specific contributions.
If you discover security vulnerabilities in the application please send an email with a detailed description and proof of concept to hello@ruggedy.io.
The Ruggedy application is open-sourced software licensed under the MIT license.