AWS Automated Security Helper (ASH) is a tool that can be used to identify and remediate security vulnerabilities in code, infrastructure, and IAM configurations. By integrating ASH into your build pipeline, you can automate the process of identifying and remediating security vulnerabilities. This can help you improve the security of your software and reduce the risk of security breaches.

Once you have completed this lab, you will be able to integrate ASH into your own build pipeline and improve the security of your software.

Introduction to ASH

Part 1: Install ASH

  1. Follow the instructions in the Git lab to configure Git.
  2. In a terminal, navigate to the directory where you want to save the ASH tool. Clone the ASH repository.
     git clone git@github.com:aws-samples/automated-security-helper.git
    
  3. Navigate to the ASH tool directory.
     cd automated-security-helper
    
  4. Temporarily set the ASH path in your shell environment. This will allow you to run the ASH tool without having to install it.
     export PATH=$PATH:$PWD
    

    If you want to set the ASH path permanently, you will need to add it to your shell configuration file. For example, if you are using Bash, you can add the following line to your ~/.bashrc file (the backslash keeps $PATH unexpanded so it is resolved each time the file is sourced, while $PWD is expanded now to the checkout directory):

     echo "export PATH=\$PATH:$PWD" >> ~/.bashrc
    
  5. Create a directory to store the ASH report.
     mkdir ash-report
     export ASH_REPORT_DIR=$PWD/ash-report
    

Part 2: Scan Code for Security Vulnerabilities

Once the ASH tool has been installed, you can use it to scan your code for security vulnerabilities.

  1. Navigate to the directory that contains the code that you want to scan.
  2. Run the ASH tool.
     ash --source-dir ./ --output-dir $ASH_REPORT_DIR
    

    The --source-dir option specifies the directory that contains the code that you want to scan.
    The --output-dir option specifies the directory where you want to save the ASH report.
    The ASH tool will scan all the files in the specified directory and its subdirectories. If you want to scan only certain files, you can use the --include option. For example, if you want to scan only the files with the .js extension, you can use the following command (quote the pattern so the shell does not expand it before ASH sees it):

     ash --source-dir ./ --output-dir $ASH_REPORT_DIR --include '*.js'
    
  3. Once the ASH tool has finished scanning your code, review the ASH report to identify any security vulnerabilities in your code.
     cat $ASH_REPORT_DIR/ash-report.txt
    

    The ASH report will contain a list of all the security vulnerabilities that were found in your code.

    The following code sample shows an example of an ASH report:

    Severity   Vulnerability                Location
    High       Cross-site scripting (XSS)   index.html:10

    This example shows that an XSS vulnerability was found in the index.html file at line 10.

    It is important to note that ASH is a static analysis tool. It examines your source and configuration files without executing them, so it can only find security vulnerabilities that are visible in the code itself. ASH cannot detect security vulnerabilities that only appear at runtime or that are caused by other factors outside the code.
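    The install, scan and review steps above can be driven from a single script. The following is an added example written for this lab, not a script from the ASH project: it clones ASH the way Part 1 does, runs the scan the way Part 2 does, and then adds a gate that fails when the report contains findings at or above a chosen severity, which is what a pipeline needs in order to block a build. It assumes the report is written to $ASH_REPORT_DIR/ash-report.txt in the "Severity Vulnerability Location" layout shown above (one header line, one finding per line, severities Critical/High/Medium/Low) and that the HTTPS clone URL of the repository is reachable; the names of the functions and the sample report are constructed for this example.

```shell
#!/bin/sh
# Added example for this lab; not part of the ASH project.
# Wraps Part 1 (install) and Part 2 (scan) and adds a gate that fails when
# the report contains findings at or above a severity threshold.
# Assumptions: the report is $ASH_REPORT_DIR/ash-report.txt in the
# "Severity Vulnerability Location" layout shown in this lab, with one
# header line and one finding per line; severities are Critical/High/Medium/Low.

ASH_REPO_URL="https://github.com/aws-samples/automated-security-helper.git" # HTTPS clone (assumed for hosts without an SSH key)
ASH_REPORT_DIR="${ASH_REPORT_DIR:-$PWD/ash-report}"

# Part 1: clone ASH once and put the checkout on PATH for this shell.
install_ash() {
  [ -d automated-security-helper ] || git clone "$ASH_REPO_URL"
  PATH="$PATH:$PWD/automated-security-helper"
  export PATH
  command -v ash >/dev/null
}

# Part 2: scan a source tree; the report lands in ASH_REPORT_DIR.
scan() {
  mkdir -p "$ASH_REPORT_DIR"
  ash --source-dir "${1:-.}" --output-dir "$ASH_REPORT_DIR"
}

# Map a severity label to a rank so thresholds can be compared; unknown -> 0.
severity_rank() {
  case "$1" in
    Critical) echo 4 ;;
    High)     echo 3 ;;
    Medium)   echo 2 ;;
    Low)      echo 1 ;;
    *)        echo 0 ;;
  esac
}

# Number of findings in the report at exactly the given severity.
count_severity() {
  awk -v sev="$2" 'NR > 1 && $1 == sev { n++ } END { print n + 0 }' "$1"
}

# Highest severity present in the report, or "None" when only the header is left.
highest_severity() {
  best=None
  best_rank=0
  for sev in $(tail -n +2 "$1" | awk 'NF { print $1 }'); do
    r=$(severity_rank "$sev")
    if [ "$r" -gt "$best_rank" ]; then
      best=$sev
      best_rank=$r
    fi
  done
  echo "$best"
}

# Return 1 (fail the build) when any finding is at or above the threshold.
gate() {
  report=$1
  threshold=${2:-High}
  if [ "$(severity_rank "$threshold")" -eq 0 ]; then
    echo "gate: unknown threshold '$threshold'" >&2
    return 2
  fi
  top=$(highest_severity "$report")
  if [ "$(severity_rank "$top")" -ge "$(severity_rank "$threshold")" ]; then
    echo "gate: $top finding(s) in $report meet threshold $threshold; failing build" >&2
    return 1
  fi
  echo "gate: highest severity in $report is $top, below $threshold; build may proceed"
}

# Constructed two-finding report in the lab's layout (not real ASH output),
# used by the demo subcommand.
write_sample_report() {
  printf '%s\n' \
    'Severity Vulnerability Location' \
    'High Cross-site scripting (XSS) index.html:10' \
    'Low Hard-coded test credential config.properties:4' > "$1"
}

case "${1:-}" in
  scan)  install_ash && scan "${2:-.}" && gate "$ASH_REPORT_DIR/ash-report.txt" "${3:-High}" ;;
  check) gate "$2" "${3:-High}" ;;
  demo)  write_sample_report /tmp/ash-sample-report.txt
         gate /tmp/ash-sample-report.txt High ;;
  "")    ;;   # run without arguments: only define the functions
  *)     echo "usage: $0 scan [source-dir] [threshold] | check <report> [threshold] | demo" >&2
         exit 2 ;;
esac
```

    Run "sh ash-gate.sh demo" to see the gate reject the constructed sample report (it contains a High finding), or "sh ash-gate.sh check $ASH_REPORT_DIR/ash-report.txt Medium" against a real report. The severity ranking is kept in one place so the threshold a pipeline enforces can be tightened later without touching the parsing.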

Static Code Analysis with ASH

In this lab, you will learn how to:

  • Provision a CI pipeline leveraging AWS CodePipeline, AWS CodeCommit, and AWS CodeBuild
  • Push a vulnerable Java application
  • Integrate ASH in the pipeline
  • Review results
  • Fix the application

Part 1: Create a Repository

  1. In a browser, navigate to the AWS CodeCommit console.
  2. Choose Create repository.
  3. Enter a name and description for your repository.
  4. Choose Create to create the repository.
  5. Open the AWS CodePipeline console.
  6. Choose Create pipeline.
  7. Enter a name for your pipeline.
  8. Choose Next.
  9. In the Source section, choose AWS CodeCommit.
  10. In the AWS CodeCommit section, select the repository that you created in step 4.
  11. In the Branch name section, enter master.
  12. In the Change detection options section, select Amazon CloudWatch Events (recommended).
  13. In the AWS CodePipeline section, select Next.
  14. In the Build section, choose AWS CodeBuild.
  15. In the AWS CodeBuild section, select Create a new build project.
  16. In the Build project name section, enter a name for your build project (e.g. ASH-TestBuildProject).
  17. In the Environment section, select Managed image.
  18. In the Operating system section, select Ubuntu.
  19. In the Runtime(s) section, select Standard.
  20. In the Image section, select aws/codebuild/standard:5.0.
  21. In the Image version section, select Always use the latest image for this runtime version.
  22. In the Environment variables section, choose Add environment variable.
  23. In the Name section, enter AWS_DEFAULT_REGION.
  24. In the Value section, enter the AWS Region that you are using for this lab (e.g. us-east-1).
  25. In the Environment variables section, choose Add environment variable.
  26. In the Name section, enter AWS_ACCOUNT_ID.
  27. In the Value section, enter your AWS account ID.
  28. In the Service role section, select Create a service role in your account.
  29. In the Service role name section, enter a name for your service role (e.g. ASH-TestServiceRole).
  30. In the Additional configuration section, select Create build project.

Part 2: Configure the AWS CodeBuild Project

  1. Navigate to the AWS CodeBuild console.
  2. Select the build project that you created in step 15.
  3. Select Edit.
  4. Under Buildspec, select Use a buildspec file.
  5. In the Buildspec name section, enter buildspec.yml.
    version: 0.2

    phases:
      install:
        commands:
          # Install ASH the same way as in Part 1 of the Introduction lab. The HTTPS
          # clone URL is used because the build container has no SSH key (assumption).
          - git clone https://github.com/aws-samples/automated-security-helper.git
          - export PATH=$PATH:$PWD/automated-security-helper
      build:
        commands:
          - mvn clean package
          - ash --source-dir . --output-dir ./ash-report

    artifacts:
      files:
        - ash-report/**/*
    

    This buildspec.yml file installs the ASH tool in the AWS CodeBuild build container, builds the Java application, and runs ASH on the source code. The ASH report is saved in the ash-report/ directory and exported as a build artifact.

  6. Select Save build project changes.
  7. Select Close.
  8. Select AWS CodePipeline.
  9. Select Edit.
  10. In the Build section, select AWS CodeBuild.
  11. In the AWS CodeBuild section, select the build project that you created in step 15.

Part 3: Configure the Deployment Stage

  1. In the Deploy section, select AWS CodeDeploy.
  2. In the AWS CodeDeploy section, select Create a new deployment group.
  3. In the Deployment group name section, enter a name for your deployment group (e.g. ASH-TestDeploymentGroup).
  4. In the Deployment type section, select In-place deployment.
  5. Configure the deployment to run on commit.
  6. In the Review section, select Create pipeline.
    Figure: ASH deployment pipeline

Part 4: Push the Code to the Repository

  1. Navigate to the AWS CodeCommit console.
  2. Select the repository that you created in step 4.
  3. Choose Branches.
  4. Choose Create branch.
  5. Add a vulnerability to the code. For this lab, you can do so by adding a malicious script to one of the files. For example, the following code is a simple cross-site scripting (XSS) vulnerability:
    <script>alert('This is a malicious script!')</script>
    

    This is just a simple example of a JavaScript vulnerability. There are many other types of vulnerabilities that ASH can detect in your code.

  6. Push the vulnerable code to the AWS CodeCommit repository.

    To push the vulnerable code to your AWS CodeCommit repository, you can use the AWS CodeCommit CLI or the AWS CodeCommit console.

  7. Choose Commit.
  8. Choose Commit directly from the console.
  9. In the File field, enter the name of the file that contains the vulnerable code.
  10. In the Commit message field, enter a commit message.
  11. Choose Commit.
  12. Choose Push. Once you have pushed the vulnerable code to your AWS CodeCommit repository, the AWS CodePipeline pipeline that you created in step 5 will automatically start running.

    The ASH tool will scan your code for security vulnerabilities and generate a report in the ASHReport artifact.

Part 5: Reviewing Vulnerability Report

  1. Check the status of the AWS CodePipeline pipeline by opening the AWS CodePipeline console and selecting your pipeline.
  2. Once the pipeline has completed, you can review the ASH report to identify any security vulnerabilities in your code. The ASH report will contain a list of all the security vulnerabilities that were found in your code. It will be saved in the ASHReport artifact.

    To review the ASH report, you can use a text editor or a web browser.

  3. Review the ASH report to identify any security vulnerabilities in your code.

    The following code sample shows an example of an ASH report:

    Severity   Vulnerability                Location
    High       Cross-site scripting (XSS)   index.html:10

    This example shows that an XSS vulnerability was found in the index.html file at line 10.

    It is important to note that the ASH report is just a starting point. You should also review your code manually for security vulnerabilities.

Part 6: Fixing Vulnerabilities

If you find any security vulnerabilities in your code, you should fix them and push the fixed code to your AWS CodeCommit repository. The AWS CodePipeline pipeline will automatically start running again and the ASH report will be updated.

The specific steps to fix the security vulnerabilities in your code will vary depending on the types of vulnerabilities that were found. However, some general steps include:

  • Removing any malicious code from your code.
  • Sanitizing user input.
  • Encoding user output.
  • Using secure coding practices.

  1. To fix the XSS vulnerability added in Part 4, step 5, you can use the escape() function to encode the special characters in the string.
    <script>alert(escape('This is a malicious script!'))</script>
    

    Encoding the special characters in the string before it is written into the page stops the browser from interpreting them as markup, which is what the XSS vulnerability relies on.

  2. Push the fixed code to your AWS CodeCommit repository.
  3. Wait for the AWS CodePipeline pipeline to complete.
  4. Once the AWS CodePipeline pipeline has completed, review the ASH report to verify that the security vulnerabilities have been fixed and that there are no new security vulnerabilities in your code.
    Severity   Vulnerability   Location
    (no findings listed)

    This example shows that the XSS vulnerability was fixed and no longer exists in the code.

More Info