Integration of Alertflex with OWASP projects

This article explains how to integrate Alertflex with OWASP tools and projects to implement the following orchestration and continuous-monitoring tasks:

  • monitoring security alerts from the ModSecurity WAF, which uses the OWASP ModSecurity Core Rule Set (CRS)
  • sending a notification to the user when the WAF has blocked a suspicious HTTP request
  • DAST scan of a web service by OWASP ZAP
  • SCA scan of a Node.js application by OWASP Dependency-Check
  • creating a combined DAST & SCA report in PDF format and sending it to the user

Pre-Conditions

- a working instance of Alertflex Cnode, see the install instructions - https://alertflex.github.io/doc/pages/install_cnode.html

- a Twilio SendGrid account (the free tier allows 100 emails/day)

- a clean installation of Ubuntu Server 18.04

Note: The time and timezone of the Cnode and the Ubuntu server should be the same and kept synchronized (with NTP); alert timestamps and playbook scheduling depend on it. Name resolution between the servers, via /etc/hosts or DNS, should be set up properly.

Below is a network diagram of the use case:

Install the lab software on the Ubuntu server:

1) Install Docker, see the instructions - https://github.com/alertflex/lab-owasp-tools/blob/main/install_docker.txt

2) Install Nginx and the ModSecurity WAF with the OWASP ModSecurity Core Rule Set, see the instructions - https://github.com/alertflex/lab-owasp-tools/blob/main/install_nginx_modsec.txt

3) Install the Alertflex collector, see the instructions - https://alertflex.github.io/doc/pages/install_altprobe.html

4) Configure the Alertflex collector (altprobe): set the following parameters in the file /etc/altprobe/altprobe.yaml


# allow the Cnode to start scan jobs and playbooks on this collector
remote_control: "true"

# result files written by the scanner scripts in /etc/altprobe/scripts/
dependencycheck_result: "/root/reports/dependency-check-report.json"
zap_result: "/root/reports/zap-report.json"

# ModSecurity (nginx connector) writes its alerts into the nginx error log;
# this is the default error-log path of the Ubuntu nginx package
modsec_log: "/var/log/nginx/error.log"
modsec_redis: "indef"
modsec_conf: "/etc/nginx/modsec/"
modsec_rules: "/usr/local/owasp-modsecurity-crs-3.0.2/"
modsec_local: "indef"


Note: After changing the parameters, restart Altprobe:


altprobe-stop
altprobe-start
								

5) Install the (deliberately vulnerable) Node.js application.


# login as root
cd /opt
git clone https://github.com/4auvar/VulnNodeApp.git
								

6) Create a directory for the OWASP ZAP and Dependency-Check reports.


mkdir /root/reports
								

7) Test the OWASP Dependency-Check Docker image: run the following command, then check that dependency-check-report.json is present in /root/reports and contains findings:


/etc/altprobe/scripts/dependency-check.sh /opt/VulnNodeApp
								

8) Test the OWASP ZAP Docker image: run the following command, then check that zap-report.json is present in /root/reports and contains alerts:


/etc/altprobe/scripts/zap.sh http://IP-address-of-ubuntu-server
								

Note: IP-address-of-ubuntu-server must be the server's external address, not 127.0.0.1 or localhost: ZAP runs inside a Docker container, where the loopback address refers to the container itself, not to the Nginx/ModSecurity host.
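Steps 7 and 8 only ask you to eyeball the two JSON files. The script below, an added example that is not part of the original article or of Alertflex's own code, does the check programmatically and merges the SCA and DAST findings into one severity-ordered list, which is what the combined report of the playbook later in this article amounts to. The two embedded sample reports are constructed for this example (the CVE identifiers and plugin ids are real but the values are illustrative); they follow the layout the tools write, Dependency-Check's dependencies[].vulnerabilities[] and ZAP's site[].alerts[] with riskcode 0..3. The default paths are the ones set in altprobe.yaml above.

```python
"""Check and merge OWASP Dependency-Check (SCA) and OWASP ZAP (DAST) JSON reports.

The sample reports are CONSTRUCTED for this example, not output from the lab.
Dependency-Check omits the "vulnerabilities" key on clean dependencies; ZAP
encodes risk numerically (0 info, 1 low, 2 medium, 3 high).
"""
import json
import sys
from collections import Counter

DEPCHECK_SAMPLE = json.dumps({
    "reportSchema": "1.1",
    "projectInfo": {"name": "VulnNodeApp"},
    "dependencies": [
        {"fileName": "lodash:4.17.4",
         "filePath": "/opt/VulnNodeApp/node_modules/lodash/package.json",
         "vulnerabilities": [
             {"source": "NVD", "name": "CVE-2019-10744", "severity": "CRITICAL",
              "description": "Prototype pollution in defaultsDeep"},
             {"source": "NVD", "name": "CVE-2018-3721", "severity": "MEDIUM",
              "description": "Prototype pollution in merge"}]},
        {"fileName": "express:4.17.1",  # clean dependency: no "vulnerabilities" key
         "filePath": "/opt/VulnNodeApp/node_modules/express/package.json"},
    ],
})

ZAP_SAMPLE = json.dumps({
    "@version": "2.9.0",
    "site": [{"@name": "http://192.168.1.51", "@host": "192.168.1.51", "@port": "80",
              "alerts": [
                  {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)",
                   "riskcode": "3", "confidence": "2", "riskdesc": "High (Medium)",
                   "instances": [{"uri": "http://192.168.1.51/search?q=x", "method": "GET", "param": "q"}]},
                  {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing",
                   "riskcode": "1", "confidence": "2", "riskdesc": "Low (Medium)",
                   "instances": [{"uri": "http://192.168.1.51/", "method": "GET"}]}]}],
})

ZAP_RISK = {"0": "INFO", "1": "LOW", "2": "MEDIUM", "3": "HIGH"}
SEVERITY_ORDER = {"CRITICAL": 0, "HIGH": 1, "MEDIUM": 2, "LOW": 3, "INFO": 4, "UNKNOWN": 5}


def load_dependency_check(text):
    """One finding per (dependency, CVE) pair from a Dependency-Check JSON report."""
    findings = []
    for dep in json.loads(text).get("dependencies", []):
        for vuln in dep.get("vulnerabilities") or []:
            findings.append({"source": "SCA", "id": vuln["name"],
                             "severity": vuln.get("severity", "UNKNOWN").upper(),
                             "target": dep.get("fileName") or dep.get("filePath", "?"),
                             "title": (vuln.get("description") or "")[:80]})
    return findings


def load_zap(text):
    """One finding per ZAP alert, with the numeric riskcode mapped to a severity name."""
    findings = []
    for site in json.loads(text).get("site", []):
        for alert in site.get("alerts", []):
            findings.append({"source": "DAST", "id": "zap-" + alert["pluginid"],
                             "severity": ZAP_RISK.get(str(alert.get("riskcode")), "UNKNOWN"),
                             "target": site.get("@name", "?"),
                             "title": alert.get("alert") or alert.get("name", "")})
    return findings


def merge_reports(depcheck_text, zap_text):
    """Combined DAST & SCA list, most severe first."""
    findings = load_dependency_check(depcheck_text) + load_zap(zap_text)
    findings.sort(key=lambda f: (SEVERITY_ORDER.get(f["severity"], 9), f["source"], f["id"]))
    return findings


def has_findings(findings, min_severity="HIGH"):
    """The sanity check of steps 7 and 8: did the scan produce anything at or above min_severity?"""
    cutoff = SEVERITY_ORDER[min_severity]
    return any(SEVERITY_ORDER.get(f["severity"], 9) <= cutoff for f in findings)


def summarize(findings):
    """Counts per (source, severity), e.g. {("SCA", "CRITICAL"): 1, ...}."""
    return Counter((f["source"], f["severity"]) for f in findings)


def merge_report_files(depcheck_path="/root/reports/dependency-check-report.json",
                       zap_path="/root/reports/zap-report.json"):
    with open(depcheck_path) as d, open(zap_path) as z:
        return merge_reports(d.read(), z.read())


if __name__ == "__main__":
    merged = merge_report_files(*sys.argv[1:3]) if len(sys.argv) == 3 else merge_reports(DEPCHECK_SAMPLE, ZAP_SAMPLE)
    for f in merged:
        print(f"{f['severity']:<8} {f['source']:<4} {f['id']:<16} {f['target']}  {f['title']}")
    print(dict(summarize(merged)))
    sys.exit(0 if has_findings(merged) else 1)
```

Run it without arguments to see the merged sample, or with the two report paths on the lab server after steps 7 and 8; it exits non-zero when neither scanner produced a HIGH or CRITICAL finding, which against VulnNodeApp means the scan did not run properly.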

9) In the web form Settings > Integrations, configure the SendGrid account parameters.

10) In the web form Settings > Users > Edit, configure the email address that will receive notifications and reports.

Create a Response profile in the Alertflex management console for user notification:

1) Test the OWASP CRS v3 rules (replace 192.168.1.51 with the IP of the Ubuntu server; the URL is quoted so the shell does not treat ? as a glob):


curl 'http://192.168.1.51/?exec=/bin/bash'
								

2) Check that WAF alerts now exist in the Alertflex Management Console, then select a critical alert (severity 3) and click the View button.

3) In the web form Alerts > View, click the Response button.

4) In the web form Response, select the user to notify and tick the Enable response checkbox.

5) Repeat the test of the OWASP CRS v3 rules:


curl 'http://192.168.1.51/?exec=/bin/bash'
								

6) You should receive a notification message at the configured email address.
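To see what the collector is actually working from, it helps to look at the nginx error log (the modsec_log path configured in altprobe.yaml) after the curl test. The script below is an added example, not part of the original article or of altprobe's code: it parses the ModSecurity entries the nginx connector writes into nginx's error log and turns them into structured alerts. The log lines embedded in it are constructed for this example, modelled on that format, and are not a capture from the lab server. One caveat the sample illustrates: with CRS 3.x in its default anomaly-scoring mode, each matching rule (e.g. 932160 for the /bin/bash payload) is logged as a "Warning" entry, and the actual block is logged by the evaluation rule 949110 as "Access denied with code 403"; a "WAF has blocked a request" notification should therefore key on the Access denied entry, and use the Warning entries for the same client and request to explain why it was blocked.

```python
"""Parse ModSecurity (libmodsecurity + nginx connector) entries from nginx's error.log.

SAMPLE_ERROR_LOG is CONSTRUCTED for this example: one ordinary nginx line, the
Warning/Access-denied pair that the curl ?exec=/bin/bash test produces under CRS
anomaly scoring, and a low-scoring Warning (920350) that did not lead to a block.
"""
import re
from collections import Counter, defaultdict

SAMPLE_ERROR_LOG = """\
2021/03/10 12:00:01 [notice] 1234#1234: using the "epoll" event method
2021/03/10 12:00:05 [error] 1234#1234: *7 [client 192.168.1.20] ModSecurity: Warning. Matched "Operator `PmFromFile' with parameter `unix-shell.data' against variable `ARGS:exec' (Value: `/bin/bash' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-932-APPLICATION-ATTACK-RCE.conf"] [line "496"] [id "932160"] [rev "1"] [msg "Remote Command Execution: Unix Shell Code Found"] [data "Matched Data: bin/bash found within ARGS:exec: /bin/bash"] [severity "2"] [ver "OWASP_CRS/3.0.2"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-shell"] [tag "platform-unix"] [tag "attack-rce"] [hostname "192.168.1.51"] [uri "/"] [unique_id "161537040512.345678"] [ref "o1,8v10,9t:urlDecodeUni,t:cmdLine,t:normalizePath,t:lowercase"], client: 192.168.1.20, server: localhost, request: "GET /?exec=/bin/bash HTTP/1.1", host: "192.168.1.51"
2021/03/10 12:00:05 [error] 1234#1234: *7 [client 192.168.1.20] ModSecurity: Access denied with code 403 (phase 2). Matched "Operator `Ge' with parameter `5' against variable `TX:ANOMALY_SCORE' (Value: `5' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-949-BLOCKING-EVALUATION.conf"] [line "36"] [id "949110"] [rev "1"] [msg "Inbound Anomaly Score Exceeded (Total Score: 5)"] [data ""] [severity "2"] [ver "OWASP_CRS/3.0.2"] [maturity "1"] [accuracy "8"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-generic"] [hostname "192.168.1.51"] [uri "/"] [unique_id "161537040512.345678"] [ref ""], client: 192.168.1.20, server: localhost, request: "GET /?exec=/bin/bash HTTP/1.1", host: "192.168.1.51"
2021/03/10 12:00:42 [error] 1234#1234: *9 [client 192.168.1.20] ModSecurity: Warning. Matched "Operator `Rx' with parameter `^[\\d.:]+$' against variable `REQUEST_HEADERS:Host' (Value: `192.168.1.51' ) [file "/usr/local/owasp-modsecurity-crs-3.0.2/rules/REQUEST-920-PROTOCOL-ENFORCEMENT.conf"] [line "735"] [id "920350"] [rev "2"] [msg "Host header is a numeric IP address"] [data "192.168.1.51"] [severity "4"] [ver "OWASP_CRS/3.0.2"] [maturity "9"] [accuracy "9"] [tag "application-multi"] [tag "language-multi"] [tag "platform-multi"] [tag "attack-protocol"] [hostname "192.168.1.51"] [uri "/index.html"] [unique_id "161537044212.345680"] [ref "o0,12v21,12"], client: 192.168.1.20, server: localhost, request: "GET /index.html HTTP/1.1", host: "192.168.1.51"
"""

HEADER_RE = re.compile(r'^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[(?P<level>\w+)\] ')
ACTION_RE = re.compile(r'ModSecurity: (?:Access denied with code (?P<code>\d+)|Warning)')
FIELD_RE = re.compile(r'\[(\w+) "((?:[^"\\]|\\.)*)"\]')          # [key "value"] pairs
SUFFIX_RE = re.compile(r', client: (?P<client>[^,\s]+), server: (?P<server>[^,]*), '
                       r'request: "(?P<request>[^"]*)"(?:, host: "(?P<host>[^"]*)")?')
# libmodsecurity logs the CRS severity as a syslog-style number.
SEVERITY_NAMES = {"0": "EMERGENCY", "1": "ALERT", "2": "CRITICAL", "3": "ERROR",
                  "4": "WARNING", "5": "NOTICE", "6": "INFO", "7": "DEBUG"}


def parse_modsec_line(line):
    """Structured alert for one ModSecurity entry; None for any other nginx log line."""
    header, action = HEADER_RE.match(line), ACTION_RE.search(line)
    if not header or not action:
        return None
    fields, tags = {}, []
    for key, value in FIELD_RE.findall(line):
        if key == "tag":
            tags.append(value)          # a rule carries several [tag "..."] fields
        else:
            fields.setdefault(key, value)
    suffix = SUFFIX_RE.search(line)
    code = action.group("code")
    return {
        "timestamp": header.group("ts"),
        "action": "blocked" if code else "warning",
        "http_code": int(code) if code else None,
        "client": suffix.group("client") if suffix else None,
        "request": suffix.group("request") if suffix else None,
        "host": (suffix.group("host") if suffix else None) or fields.get("hostname"),
        "uri": fields.get("uri"),
        "rule_id": fields.get("id"),
        "rule_file": fields.get("file", "").rsplit("/", 1)[-1],
        "msg": fields.get("msg"),
        "data": fields.get("data"),
        "severity": SEVERITY_NAMES.get(fields.get("severity"), "UNKNOWN"),
        "tags": tags,
    }


def parse_error_log(text):
    return [a for a in (parse_modsec_line(l) for l in text.splitlines()) if a]


def should_notify(alert):
    """The response policy of this article: notify only when the WAF actually blocked the request."""
    return alert["action"] == "blocked"


def explain_blocks(alerts):
    """For each blocked request, the ids of the rules whose Warning entries raised its anomaly score."""
    warnings = defaultdict(list)
    for a in alerts:
        if a["action"] == "warning":
            warnings[(a["client"], a["request"])].append(a["rule_id"])
    return {a["request"]: warnings[(a["client"], a["request"])] for a in alerts if should_notify(a)}


def count_by_rule(alerts):
    return Counter(a["rule_id"] for a in alerts)


def parse_error_log_file(path="/var/log/nginx/error.log"):
    with open(path, errors="replace") as fh:
        return parse_error_log(fh.read())


if __name__ == "__main__":
    alerts = parse_error_log(SAMPLE_ERROR_LOG)
    for a in alerts:
        print(f"{a['timestamp']} {a['action']:<7} {a['severity']:<8} rule {a['rule_id']} "
              f"{a['client']} {a['request']!r}: {a['msg']}")
    print("blocked requests and the rules behind them:", explain_blocks(alerts))
```

Point parse_error_log_file at the lab's error log to run it against real entries; the `[key "value"]` parser is generic, so it also copes with rules that add or omit fields (the `[ref ""]` and empty `[data ""]` of 949110, for instance).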

Implement an automation playbook for scanning the web service and reporting:

1) Create an automation playbook and set the Time interval parameter (in minutes) at which the ZAP and Dependency-Check scanners are invoked and the report is sent.

2) In the web form Automation > Playbook > Workflow, select the playbook and create the scan job ZAP.

3) Configure the parameters of the scan job ZAP.

4) Repeat steps 2 and 3 for the scan job Dependency-check.

5) In the web form Automation > Playbook > Workflow, create the report job Scanners.

6) Configure the parameters of the report job.

7) Open the web form Automation > Playbook > Edit and tick the Enable checkbox.

8) Wait for the time interval to elapse so that the playbook is triggered, then check the result of its execution: you should receive the report by email, like the one below:

9) Additionally, all scan findings are saved to, or updated in, the Alertflex database:

10) When a scan produces new findings that were not previously in the database, Alertflex raises alerts for them: