{"id":17912315,"url":"https://github.com/timgrossmann/securitycat","last_synced_at":"2026-02-16T10:32:59.759Z","repository":{"id":147242644,"uuid":"232554747","full_name":"timgrossmann/SecurityCAT","owner":"timgrossmann","description":"Conent and PoC of my security testing automation thesis","archived":false,"fork":false,"pushed_at":"2020-08-05T12:32:41.000Z","size":7120,"stargazers_count":3,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"master","last_synced_at":"2025-10-05T01:56:38.336Z","etag":null,"topics":["policy","security","security-rat","security-tools","thesis"],"latest_commit_sha":null,"homepage":null,"language":"TeX","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/timgrossmann.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2020-01-08T12:07:35.000Z","updated_at":"2022-03-30T15:44:41.000Z","dependencies_parsed_at":null,"dependency_job_id":"fc5de2e1-21e7-4581-b8e8-140b623d1df8","html_url":"https://github.com/timgrossmann/SecurityCAT","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/timgrossmann/SecurityCAT","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timgrossmann%2FSecurityCAT","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timgrossmann%2FSecurityCAT/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timgrossmann%2FSecurityCAT/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timgrossmann%2FSecurityCAT/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/timgrossmann","download_url":"https://codeload.github.com/timgrossmann/SecurityCAT/tar.gz/refs/heads/master","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/timgrossmann%2FSecurityCAT/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":278399689,"owners_count":25980332,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-04T02:00:05.491Z","response_time":63,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["policy","security","security-rat","security-tools","thesis"],"created_at":"2024-10-28T19:44:29.442Z","updated_at":"2025-10-05T01:56:38.881Z","avatar_url":"https://github.com/timgrossmann.png","language":"TeX","funding_links":[],"categories":[],"sub_categories":[],"readme":"# Automated Security and Policy Testing for Cloud Applications - Thesis \u0026 SecurityCAT PoC\n\nThis thesis hold the proof of concept implementation for the SecurityCAT (Compliance Automation Tool) developed for my thesis about \"Automated Security and Policy Testing for Cloud Applications using a Requirement Automation Tool (SecurityRAT)\".\nIt also contains the testing and measuring scripts that have been used for runtime analysis. \n\nThe thesis folder leads to the full and final thesis written about this topic to finalize my \"Bachelor of Science\" degree.\n\n[Full Thesis on ResearchGate](https://www.researchgate.net/publication/343446911_Automated_Security_and_Policy_Testing_for_Cloud_Applications_using_a_Requirements_Automation_Tool)\n\n## Gateway\n\n### Prerequisities\n- Redis\n- Installed Python libraries `pip install -r requirements.txt`\n- the ```securityrat_url``` variable in ```gateway.py``` set to the URL of your actual SecurityRAT instance\n \n### How to launch\n1. Launch your Redis instance (local port 6379 is expected by default)\n1. Start Celery ```celery worker -A gateway.celery --loglevel=info```\n1. Starting gateway:  ```python3 ./gateway.py``` \n\n\n## Azure MS\n\nIn order to retrieve the policy defintion JSON from SocialCoding (BitBucket) we need to auth with Username and Password.\nThe bitbucket_req.py file loads these two values from the following environment variables.\n\nThe sequence flow of the Azure MS can be described as follows:\n![azure sequence flow chart](./thesis/thesis_tex/Azure_MS_Sequence.png)\n\n### Execution\n\n```bash\nexport SOCIALCODING_USER=*****\nexport SOCIALCODING_PW=*****\n```\n\nInformation necessary for policy evaluation\n```json\n{\n  \"azure_tenant_id\": \"Directory id of the azure AD (Properties tab)\",\n  \"azure_subscription_id\": \"Subscription id of the azure subscription\",\n  \"azure_client_id\": \"Client id of the application service principal\",\n  \"azure_client_secret\": \"Client secret of the application service principal\",\n  \"policy_json_url\": \"URL of the policy json stored in socialcoding (bitbucket)\"\n}\n```\n\n\n#### Policy Eval times taken:\n\nThe following test results have been collected on a constant state of Azure Policies. After each Evalutation, the Policy Definition and Assignment have been deleted in order to restart the test run without conflicts.\n\nLegend:\n- **Run**       - id of the run\n- **Init**      - time taken to initialize the thread and authenticate with azure\n- **Def**       - time taken to create the policy definition\n- **Assign**    - time taken to create the policy assignment\n- **Trigger**   - time taken to trigger the evaluation of assigned policy\n- **Poll**      - time taken for the evaluation (result polled every 10s)\n- **Result**    - time taken to retrieve the result from azure\n- **Total**     - summed up time taken for the full evaluation\n\n|Run|Init|Def|Assign|Trigger|Poll|Result|Total|\n|---|----|---|------|-------|----|------|-----|\n|1|1.7217|2.2734|0.4247|0.8354|495.3885|0.2503|500.8941|\n|2|1.7406|2.2096|0.4401|0.8000|497.7047|0.2558|503.1510|\n|3|1.6200|2.1100|0.4400|0.4597|432.9334|0.2495|437.8129|\n|4|1.7029|2.1439|0.4402|0.8182|744.4237|0.2742|749.8034|\n|5|1.6499|2.0804|0.4397|0.4901|557.6947|0.5737|562.9288|\n|6|1.7419|2.5185|0.4397|0.5602|558.2836|0.2810|563.8251|\n|7|1.8458|2.1392|0.4595|0.4974|557.0948|0.2902|562.3272|\n|8|1.7432|2.0071|0.4360|0.8539|620.9929|0.5996|626.6329|\n|9|1.7433|2.0500|0.4666|0.8832|742.9784|0.2385|748.3602|\n|10|1.6376|2.3524|0.5124|0.8138|731.1293|0.2974|736.7433|\n\n\u003e All values in seconds.\n\nPlotting those numbers in a bar chart gives the following, more readable chart.\n![azure ms eval times](./thesis/thesis_tex/azure_evaluation_time.png)\n\n## ZAP MS\n\n![zap ms architecture schema](./thesis/thesis_tex/ZAP_MS_flow.jpg)\n\n### Prerequisities\n- ZAP Proxy\n \n### How to launch\n1. Start ZAP Proxy\n1. Copy API key from `Preferences` -\u003e `API`\n1. Starting gateway:  `python3 ./zap_ms.py` \n\n#### ZAP Eval times taken:\n\n\n|Run|Init|D_Spider|A_Spider|A_Scan|Report|Total|\n|---|----|---|------|-------|----|------|\n|1|0.0293|10.0639|120.2846|40.2805|2.3807|173.0392|\n|2|0.0204|10.0574|120.2172|180.3221|4.0307|314.6481|\n|3|0.0144|60.1520|120.2625|861.8226|12.1002|1054.3518|\n|4|0.0220|330.7147|120.2342|5069.7035|167.5021|5688.1767|\n\n|Run|Runtime|Alerts|Low|Medium|High|\n|---|-------|------|---|------|----|\n|1|173.0392|10|5|2|0|\n|2|314.6481|13|6|3|1|\n|3|1054.3518|13|6|3|1|\n|4|5688.1767|13|6|3|1|\n\n## Response Check MS\n\nThe Response Check MS is a very minimal implementation of an abstraction checking interface that allows for requirement specific mappings from requirement definitions to actual checking implementations.\n\n![zap ms architecture schema](./thesis/thesis_tex/Response_Check_MS_flow.png)\n\nThe reponse check microservice is powered by a mapping between requirement names and methods that check the given validity of the requirement.\nExamples of such mappings are:\n```python\n__requirement_func_mapping = {\n  \"ASVS_3.0.1_10.10\": lambda headers: \n      __check_headers_contains_elem(\n        headers, \"Public-Key-Pins\"\n      ),\n  \"ASVS_3.0.1_10.11\": lambda headers: \n      __check_headers_contains_elem(\n        headers, \"Strict-Transport-Security\"\n      ),\n  \"ASVS_3.0.1_10.12\": lambda headers: \n      __check_headers_contains_elem(\n        headers, \"Strict-Transport-Security\", \"preload\"\n     ),\n}\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimgrossmann%2Fsecuritycat","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Ftimgrossmann%2Fsecuritycat","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Ftimgrossmann%2Fsecuritycat/lists"}