CI CD - pilkch/library GitHub Wiki
DNS Server and Router Config
- Store DNS entries as code (Git commit + push)
- Apply DNS updates automatically from git (Git clone + SSH/scp)
- Apply router configuration in GUI
- Backup router configuration as code (SSH/scp + Git commit + push)
Maintain a Device Inventory
- Physical workstations, servers, routers, network devices
- Virtual machines, containers
- Source of truth inventory (Ansible or Netbox)
- Scan environment (nmap, Nessus or similar)
- MAC address, IP, hostname, ports open
Continuous Integration
- Build
- Run unit tests including adding regression tests when issues are found
- Run unit tests under AddressSanitizer, ThreadSanitizer, etc.
- Lint (C++, bash, docker files, ansible)
- Static Analysis
- Fuzzing
- Secret scanning (Passwords, API keys, private keys)
- Vulnerability Assessment (check each package dependency, at the version actually used, for known vulnerabilities)
- Package, and sign the packages
- Store artifacts (Nexus, Apache, RPM/DEB package manager, ftp, git lfs, Docker, etc.)
Continuous Deployment
- Deploy (Ansible, SSH, etc.)
- Application/Server Health Checks (ping, make requests, check status pages, check logging)
- Basic configuration testing (nmap, check allowed SSL ciphers and certificates, security headers, cookie settings)
- Basic vulnerability scanning (metasploit, Nessus)
- Push Traffic/Run Process and Check Outcome
- Push corrupt/malicious traffic, fuzz test across network
- Push high volumes of traffic to saturate the network connection
- Test that session cookie stealing doesn't work (a user should not be able to take a cookie from one IP and use it from another IP to hijack the session; check that a log entry is generated)
- Spam actions to test rate limiting (logins, adding/updating/deleting records; check that warning logs are generated for this behaviour, then rate limiting kicks in, then temporary bans, then permanent bans)
- Pen test
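The security-header and cookie-setting part of the basic configuration testing above, as an added example (not code from the pilkch/library project): it takes a response's header list, as returned by http.client's HTTPResponse.getheaders(), and reports what is missing against a small baseline. The baseline (which headers, which cookie flags) is an assumption to tune per application, and the sample response is constructed.

```python
# Post-deploy header/cookie baseline check. Added example, not code from the
# pilkch/library project. The header names are standard; the baseline itself
# (which headers, which cookie flags) is an assumption to tune per application.

# header name -> substring its value must contain ("" = presence is enough)
REQUIRED_HEADERS = {
    "strict-transport-security": "max-age=",
    "content-security-policy": "",
    "x-content-type-options": "nosniff",
    "x-frame-options": "",
}
# every Set-Cookie must carry these attributes (SameSite needs a value)
COOKIE_FLAGS = ("secure", "httponly", "samesite=")


def check_response(headers):
    """headers: list of (name, value) pairs, e.g. from HTTPResponse.getheaders().
    Returns a list of finding strings; an empty list means the baseline passed."""
    findings, plain, cookies = [], {}, []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)          # may repeat, keep every cookie
        else:
            plain[name.lower()] = value    # header names are case-insensitive
    for name, needle in REQUIRED_HEADERS.items():
        value = plain.get(name)
        if value is None:
            findings.append(f"missing header: {name}")
        elif needle not in value.lower():
            findings.append(f"header {name} lacks {needle!r}")
    for cookie in cookies:
        cookie_name = cookie.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in cookie.split(";")[1:]]
        for flag in COOKIE_FLAGS:
            if not any(a.startswith(flag) for a in attrs):
                findings.append(f"cookie {cookie_name} lacks {flag.rstrip('=')}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a deployment that set HSTS but forgot the rest.
    sample = [("Strict-Transport-Security", "max-age=31536000"),
              ("Set-Cookie", "session=abc123; Path=/; HttpOnly")]
    for finding in check_response(sample):
        print(finding)
```

Against a live deployment, pass in `conn.getresponse().getheaders()` from an `http.client.HTTPSConnection` request and fail the deploy stage on a non-empty result.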
Tools
https://owasp.org/www-community/Free_for_Open_Source_Application_Security_Tools