SECOPS Framework has the following functional benefits over a common bug/issue tracking system:
- Helps security teams gather initial information in a systematic way.
- Allows other security tools to be integrated via REST APIs.
- Brings audit capabilities to different types of security operations.
Clone the repository (or download the zip), install the dependencies, and run the server:

```shell
git clone https://github.com/mohangcsm/secops.git
pip install -r requirements.txt
python run.py
```

The SECOPS server can then be accessed at http://server_ip or https://server_ip.
To run SECOPS in Docker:

```shell
$ git clone https://github.com/mohangcsm/secops.git
$ cd secops
```

Update the config.py file with the required values as described in the configuration section below, then build and run the container with the commands below (change the port mapping to match the port defined in the config file):

```shell
$ docker build --rm -t secops .
$ docker run --rm -d -p 80:80 secops
```
Configuration, in config.py:
- Update the values for `GOOGLE_CLIENT_ID`, `GOOGLE_CLIENT_SECRET`, `SECRET_KEY`, `ALLOWED_DOMAIN`, etc.
- Edit the port of the app (default: 80).
- Update `JIRA_SETTINGS` with the Jira URL and credentials. Use a Jira access token instead of a password.
- Update `JIRA_TRANSTIONS` according to the 1-factor workflow.
Update the Jira project configuration to integrate with SECOPS Framework:
- Create a workflow according to your requirement. The workflows required for 1-factor approval and 2-factor approval can be found in the `WORKFLOWS` folder.
- Create two Jira components with the names `Security Reviews` and `Security Bugs`.
To enable 2-factor (peer review) approval, in config.py:
- Set `PEER_REVIEW_ENABLED=True`.
- Update the values in `PEER_REVIEW_REQUIRED_FOR` with the types of reviews that require second-level approval.
- Update the `JIRA_TRANSTIONS` values according to the 2-factor workflow.
To enable HTTPS:
- Generate or procure an SSL certificate and key file.
- Move the certificate and key file to the SECOPS server.
- Update the domain settings in the `config.py` file (HTTPS port, certificate path, key file path, etc.).
- Uncomment the `HTTPS` section in the `run.py` file and make sure to comment out the `HTTP` section.
Edit the application/static/request_options.json file to add or modify secreview options.

First update the `base_options` section, which populates the dropdown list. To add a new entry to the dropdown, add the respective KEY:VALUE pair to the JSON object. For example, to add a new type of review category under the Others section, use the following:

```json
"Others" : {
    "PRD Document Review" : "prd_review",
    "Architecture Review" : "arch_review",
    "Security Bug" : "sec_bug",
    "Others" : "others",
    "new type of review" : "new_type_of_review"
}
```
Now add HTML entities to the `request_options` section to show the relevant form when the option is selected. Each element has the following fields:
- label: Any label you want to show before the input element. Update this as needed.
- name: The parameter name with which the input will be posted to the server.
- innerHtml: Prefill data goes here. Leave an empty string if prefilling is not needed.
- placeholder: The placeholder to be shown for the input text element.
- elementType: The type of HTML element. Must be one of `input`/`textarea`.
- type: Ignored if elementType is `textarea`. If elementType is `input`, this must be one of `text`/`file`/`date`.

For example, to add a textarea under the `new_type_of_review` form, add the following:

```json
"new_type_of_review" : [
    {
        "label" : "Enter Name here",
        "name" : "name",
        "innerHtml" : "",
        "elementType" : "textarea"
    }
]
```

- Similarly, update the JSON file with as many HTML elements as required.
- Validate the JSON format before closing the file.
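To automate the "validate the JSON format" step for request_options.json, here is an added check (my own example, not part of the SECOPS project) written for Python 3: it parses the file and verifies the structure described above, namely that every `base_options` value has a matching `request_options` form and that each form element uses only the documented fields and values. The names `validate_file`, `validate_request_options` and `SAMPLE` are my own, not the project's.

```python
import json
# Allowed values, as listed in the README's description of request_options.json.
ELEMENT_TYPES = {"input", "textarea"}
INPUT_TYPES = {"text", "file", "date"}
REQUIRED_FIELDS = ("label", "name", "elementType")

def validate_request_options(doc):
    """Return a list of problems in a parsed request_options.json; an empty list means it is consistent."""
    problems = []
    forms = doc.get("request_options", {})
    # Every dropdown value in base_options (e.g. "prd_review") needs a form under request_options.
    for section, entries in doc.get("base_options", {}).items():
        for label, value in entries.items():
            if value not in forms:
                problems.append(f"base_options[{section!r}][{label!r}] -> {value!r} has no request_options entry")
    for form_name, elements in forms.items():
        for i, el in enumerate(elements):
            where = f"request_options[{form_name!r}][{i}]"
            if not isinstance(el, dict):
                problems.append(f"{where} must be an object")
                continue
            for field in REQUIRED_FIELDS:
                if field not in el:
                    problems.append(f"{where} is missing {field!r}")
            etype = el.get("elementType")
            if etype not in ELEMENT_TYPES:
                problems.append(f"{where} elementType {etype!r} must be one of {sorted(ELEMENT_TYPES)}")
            # "type" is ignored for textarea; for input it must be text, file or date.
            if etype == "input" and el.get("type") not in INPUT_TYPES:
                problems.append(f"{where} type {el.get('type')!r} must be one of {sorted(INPUT_TYPES)}")
    return problems

def validate_file(path):
    """Load the file and run the checks; an unreadable or malformed file is reported, not raised."""
    try:
        with open(path) as fh:
            doc = json.load(fh)
    except (OSError, ValueError) as exc:
        return [f"cannot read or parse {path}: {exc}"]
    return validate_request_options(doc)

# Constructed sample mirroring the README's examples, with one deliberate mistake (type "url").
SAMPLE = {
    "base_options": {"Others": {"PRD Document Review": "prd_review", "new type of review": "new_type_of_review"}},
    "request_options": {
        "new_type_of_review": [{"label": "Enter Name here", "name": "name", "innerHtml": "", "elementType": "textarea"}],
        "prd_review": [{"label": "PRD link", "name": "prd_link", "elementType": "input", "type": "url"}],
    },
}
```

Run `validate_file("application/static/request_options.json")` after editing and fix every reported entry; the parse step alone also catches syntax errors in options.json.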
Edit the application/static/options.json file to add or modify closing options for secreviews. For example, to add the new closing option Business Logic Validated to the `sec_bug` options, use the following:

```json
"sec_bug" : {
    "Fix Verified Dynamically" : "fix_verified",
    "Code Review Done" : "code_verified",
    "Business Logic Validated" : "bus_logic_valid"
}
```

In this newly added KEY:VALUE pair, the value (such as bus_logic_valid) is optional and can be anything. Validate the JSON format before closing the file.
READ FIRST: About Python 2 and 3 compatibility

Some of the scripts and module versions required here are written in Python 2 and are not yet ready for Python 3, so it is recommended to download and install both interpreters, Python 2 and Python 3 (Windows users: don't forget to add their folder paths to your environment variables as well). Then, when calling Python scripts in either version (for example the package manager script pip), you can run the default python command:
`python -m pip install ...` or `pip install ...`
To call only Python 3 scripts, use this instead:
`py -m pip install ...` or `pip3 install ...`
- Python 2.7
- Mohan Kallepalli (@mohankallepalli)
- MoEngage Security Team
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.