Home
Contribute Contact Us Browse all meetings
Home Contribute Contact Us Browse all meetings
GitLab / Secure Stage / 11 Mar 2020
GitLab / Secure Stage / 11 Mar 2020
Previous Meeting Next Meeting
Add meeting Rate page Subscribe
youtube image
From YouTube: A demo of running DAST in air-gapped environment

Description

This demo walks through how to configure DAST to run in an airgapped, or offline networked environment. For more information read
https://docs.gitlab.com/ee/user/application_security/dast/#running-dast-in-an-offline-air-gapped-installation

A

Hi, my name is Seth Berger I'm, an engineering manager here at get lab on the dash team. We're gonna do a quick demo of getting gas to work in offline mode, so I'm going to go ahead and share my screen.

A

Okay, so in order to get to work in offline mode, you need to do two steps. The first is gonna be to download the image onto your local network and then the second is you're going to need to update your CI template to do two things. One reference, your local image and then second, to reflect the the new settings that you're in need in based on the local image.

A

You can read about how to do this in our documentation, so this is the application security dashed documentation and we have a section here called running gas and offline air gap mode. In order to get the docker image to your local network, your exact steps might vary depending on how your offline or air-gap network is set up, but generally what you can do is you can do doctor pull from this particular location. You can use version 1 or, if you wanted to, you, could use the latest either.

A

One you're gonna want to do the darker pull you'll tag that docker image with the location of your new repository here and then you'll. Do a docker push to push up that dashed image to your local repository once it's there. If you want you can you know, use a curl request just to take a look at the catalog, so we'll do that here.

A

So curl that you can see that I've got two repositories or two images up here. One is tasks and one is webgoat. If you want to dig a little bit more into what I have on you can take a look here and you'll see that there's the ghast image with the tagged one so I know both those images are there. The next step is to go ahead and set up my get lab, yellow file. So let me show you how I've done that.

A

So I've created two branches here: I've created an online scam offline scan just so we can take a look at the difference. So if we look at the online scan, we just have an include with the template. This is how you would set this up whether you were using just a plain old network-connected scan. We set up our variables, which is our website.

A

Another environment variable do a full full scan and then, in this case, I'm just using a service which is webgoat, I said it as an alias and that's what allows me to scan this website. But, as you can see, these are referring right here. In particular, this is referring to a docker image that is on the internet.

A

I'll go to my offline scan here and we'll take a look at how that's changed so again. We've got the exact same include as previous we're gonna scan the website. This is a local website, as you can see, web server, but where that's coming from is gonna, be a local docker, repository or doctor registry, and then the next thing that we did- and this is what's key- is you're. Gonna have to override two values or two parameters within one is going to be the image and one: that's gonna be the script.

A

So the image is just going to be the location of your neugast file and then the script is essentially the same as in this template, except we're going to add this part to it. So, let's take a look at this side-by-side. You can see here we're just doing an export of the website, then analyze t and the website and then auto updates. So if we look at the original, it looks almost identical. We've got the export.

A

The website analyzed t website, but on the offline version, we're saying don't add any updates and run in silent mode and silent mode in this case tells the underlying engine, which is our exact engine, to not try to make any network connections. So that's our offline scan and then this is our online scam now prior to recording, this I actually ran this job and I'll show you the results. So here we've got an online scam and I ran the online scan with connection to the internet. So we'll take a look at the results here.

A

If we scroll all the way up, you can see it got the registry from gitlab, both the and for webgoat I, was unable to disconnect and make sure that I was offline, and you can see that's where my job failed. If we take a look at the result there you can see when it went to get registry that get lab and then, when it went to for the gas and webgoat it failed on both those and the job failed.

A

Coming back, however, we have two jobs that we ran for offline scan, we'll run this, and this had access to the Internet, and so it was able to get this. Although it didn't need access to the Internet, it was able to get that when it had access and then when I shut off internet access, you can see it continued to pass so again, because the location is a local network drive, it didn't need access to the Internet.

A

So, in order to set this up again, pretty straightforward, just download, download the desk image to your local machine and then update your gamma file as per the documentation, which is right here and everything should be all set to go. Thanks.