### Docker Installation - As Is Source: https://github.com/mohangcsm/secops/blob/master/README.md Steps to build and run a SECOPS Docker container for immediate use. ```bash $ docker build --rm -t secops . $ docker run --rm -d -p 80:80 -p 443:443 secops ``` -------------------------------- ### SECOPS Installation Source: https://github.com/mohangcsm/secops/blob/master/README.md Instructions for installing the SECOPS framework, including cloning the repository and installing dependencies. ```bash git clone https://github.com/mohangcsm/secops.git pip install -r requirements.txt ``` -------------------------------- ### Configuration - HTTPS Support Source: https://github.com/mohangcsm/secops/blob/master/README.md Steps to configure SECOPS for HTTPS support, including SSL certificate setup and `run.py` modifications. ```python # Generate or procure an SSL certificate and keyfile # move the certificate and key file to SECOPS server. # update the Domain settings in config.py file (HTTPS port, certificate path, key file path etc) # uncomment the HTTPS section in run.py file and make sure to comment out the HTTP section. ``` -------------------------------- ### Docker Installation - Continuous Development Source: https://github.com/mohangcsm/secops/blob/master/README.md Steps to build and run a SECOPS Docker container for continuous development, including building temporary and final images. ```bash $ git clone https://github.com/mohangcsm/secops.git $ cd secops $ docker build -f Dockerfile --rm -t secops1 . $ docker build -f Dockerfile2 --rm -t secops . $ docker run --rm -v $(pwd):/app -d -p 80:80 -p 443:443 secops ``` -------------------------------- ### Python 2 and 3 Compatibility Troubleshooting Source: https://github.com/mohangcsm/secops/blob/master/README.md This section provides guidance on managing Python 2 and Python 3 environments, particularly when dealing with project dependencies. It explains how to differentiate commands for installing packages using either Python version. ```bash # To call default python scripts (likely Python 2 if both are installed) python -m pip install ... # or pip install ... # To call only Python 3 scripts py -m pip install ... # or pip3 install ... ``` -------------------------------- ### Add New Closing Option for Security Reviews Source: https://github.com/mohangcsm/secops/blob/master/README.md This snippet shows how to add a new closing option for security reviews by editing the `application/static/options.json` file. It provides an example of adding 'Business Logic Validated' to the `sec_bug` options. ```json { "sec_bug" : { "Fix Verified Dynamically" : "fix_verified", "Code Review Done" : "code_verified", "Business Logic Validated" : "bus_logic_valid" } } ``` -------------------------------- ### Add New Security Request Type Source: https://github.com/mohangcsm/secops/blob/master/README.md This snippet demonstrates how to add a new security request type by updating the `application/static/request_options.json` file. It includes examples for modifying the `base_options` dropdown and defining HTML form elements for the new request type. ```json { "Others" : { "PRD Document Review" : "prd_review", "Architecture Review" : "arch_review", "Security Bug" : "sec_bug", "Others" : "others", "new type of review" : "new_type_of_review" } } ``` ```json { "new_type_of_review" : [ { "label" : "Enter Name here", "name" : "name", "innerHtml" : "", "elementType" : "textarea" } ] } ``` -------------------------------- ### Running SECOPS Source: https://github.com/mohangcsm/secops/blob/master/README.md How to run the SECOPS server and access it via a web browser. ```bash python run.py # Server can be accessed from http://server_ip or https://server_ip ``` -------------------------------- ### Configuration - Basic Settings Source: https://github.com/mohangcsm/secops/blob/master/README.md Essential configuration parameters to update in `config.py` before running SECOPS, including authentication and Jira settings. ```python # Update values for GOOGLE_CLIENT_ID, GOOGLE_CLIENT_SECRET, SECRET_KEY, ALLOWED_DOMAIN etc # edit the port of the app (Default: 80) # update the JIRA_SETTINGS with jira url and credentials. use jira access token instead of password # update the JIRA_TRANSTIONS according to 1factor workflow # update external page links settings as required. # create a default user (appsec) in JIRA or update DEFAULT_USER in config with any one of the jira user ``` -------------------------------- ### Configuration - Peer Review Source: https://github.com/mohangcsm/secops/blob/master/README.md Configuration steps to enable and customize the peer review and approval process in SECOPS. ```python # update the PEER_REVIEW_ENABLED=True # update the values in PEER_REVIEW_REQUIRED_FOR with type of reviews that you require 2nd level approval # update the JIRA_TRANSTIONS values according to 2factor workflow ``` -------------------------------- ### HTML and Jinja Structure Source: https://github.com/mohangcsm/secops/blob/master/application/templates/search_tickets.html Basic HTML structure including Jinja includes and extends for navigation and footer. Also includes CSS classes for styling. ```html {% include "nav.html" %} {% extends "footer.html" %} ``` -------------------------------- ### Bootstrap Popover Initialization Source: https://github.com/mohangcsm/secops/blob/master/application/templates/new_secreview.html Initializes Bootstrap popovers for all elements with the 'data-toggle="popover"' attribute. This enhances user experience by providing contextual information on hover or click. ```javascript $(function (){ $("[data-toggle='popover']").popover(); }); ``` -------------------------------- ### Navigation and Security Links Source: https://github.com/mohangcsm/secops/blob/master/application/templates/nav.html This snippet displays the main navigation structure of the SecOps project. It includes links to the home page, new security reviews, a library inventory, Confluence links for security assurance and knowledge base, and various security policies such as Infosec, Awareness, and VRM. It also conditionally displays links for closing tickets and user authentication (login/logout) based on session variables. ```html SecOps Navigation ``` -------------------------------- ### Navigation Inclusion Source: https://github.com/mohangcsm/secops/blob/master/application/templates/login.html Includes a navigation bar from a separate HTML file, promoting code reusability and consistent UI design. ```html {% include "nav.html" %} ``` -------------------------------- ### JavaScript Popover Initialization Source: https://github.com/mohangcsm/secops/blob/master/application/templates/search_tickets.html Initializes Bootstrap popovers for elements with the 'data-toggle="popover"' attribute using jQuery. This enhances user experience by providing contextual information on hover or click. ```javascript $(function (){ $("[data-toggle='popover']").popover(); }); ``` -------------------------------- ### HTML Structure and Jinja Templating Source: https://github.com/mohangcsm/secops/blob/master/application/templates/close_tickets.html This snippet showcases the basic HTML structure of the SECOPS project, including Jinja templating for dynamic content rendering, conditional logic, and inclusion of navigation elements. It handles messages, user greetings, and displays security review and bug counts. ```html {% include "nav.html" %} body { /*background: url("back1.jpg") no-repeat center center fixed; */ background-size: cover; } .hidden { display: none; } .shown { display: block; } {% if message %} × {{ message | safe }} {% endif %} ### Welcome {{session.email}} {% if secreview_string != "" %} #### Open Security Reviews : {{ secreview_count }} {{secreview_string|safe}} {% endif %} {% if secbugs_string != "" %} #### Open Security Bugs : {{ secbugs_count }} {{secbugs_string|safe}} {% endif %} issue_status = ""; issue_key = ""; back Ticket No # Title # summary Status # Due Since # Test Cases Covered Select Approver # var REVIEW_APPROVERS = {{REVIEW_APPROVERS|safe}}; var input_select = document.getElementById('REVIEW_APPROVERS'); $.each(REVIEW_APPROVERS, function(key,value){ if(value != "{{session.email}}") { var op = document.createElement("option"); op.value = value; op.text = value; input_select.appendChild(op); } }); #### Any Additional Comments? (Mandatory for Reject) ##### Followup Issue × Ticket No # Title # summary Status # Requesting For # Due Since # Assignee # Followup Comment: Close {% extends "footer.html" %} ``` -------------------------------- ### Project Dependencies Source: https://github.com/mohangcsm/secops/blob/master/requirements.txt This section lists the Python packages and their versions used in the project. These dependencies cover various functionalities including web framework, API clients, security libraries, and utility tools. ```python certifi==2020.6.20 cffi==1.14.0 chardet==3.0.4 click==7.1.2 cryptography==3.0 defusedxml==0.6.0 enum34==1.1.10 Flask==1.1.2 Flask-OAuth==0.12 gevent==20.6.2 greenlet==0.4.16 httplib2==0.18.1 idna==2.10 ipaddress==1.0.23 itsdangerous==1.1.0 Jinja2==2.11.2 jira==2.0.0 MarkupSafe==1.1.1 oauth2==1.9.0.post1 oauthlib==3.1.0 pbr==5.4.5 pycparser==2.20 PyJWT==1.7.1 requests==2.24.0 requests-oauthlib==1.3.0 requests-toolbelt==0.9.1 six==1.15.0 urllib3==1.25.9 Werkzeug==0.16.1 zope.event==4.4 zope.interface==5.1.0 ``` -------------------------------- ### HTML Structure and Jinja Templating Source: https://github.com/mohangcsm/secops/blob/master/application/templates/index.html This HTML snippet includes Jinja2 templating for dynamic content rendering. It sets up navigation, displays messages, and provides options for selecting different security dashboards. It also includes basic CSS for styling elements like loaders and modals. ```html {% include "nav.html" %} {% if message %} × {{ message | safe }} {% endif %} Security Metrics Dashboard Choose a dashboard: Select Dashboard {% if session.appsec_user %} All Issues By Severity {% endif %} Jiras in 2 Weeks Open Tickets in 2 Weeks {% if session.access_token %} My Metrics {% endif %} ... ... Close Loading ... body { /*background: url("back1.jpg") no-repeat center center fixed;*/ background-size: cover; } .loader { position: absolute; top: 50%; left: 50%; margin: -50px 0px 0px -50px; } .box { height: 10vw; width: 10vw; } .modal-header, h4, .close { background-color: #182530; color:white !important; text-align: center; font-size: 30px; } .modal-content{ background-color: #e6e6e6; } .modal-footer { background-color: #182530; } .center { align-self: center; text-align: center; } .border { border: solid 0px black; } .pad { padding: 1vw; } .pad-top { padding-top: 2.5vw; } .pad-bottom { padding-bottom: 2.5vw; } .dashboard { margin-top: 1.5vw; } .x400x { height: 400px; } #message { margin-top: 30px; } .issues_body { vertical-align: middle; text-align: left; overflow-y: scroll; max-height: 500px; min-height: 250px; } .state { color: #55AA00; } body { background-color: white; } {% extends "footer.html" %} ``` -------------------------------- ### JavaScript for Interactive Features Source: https://github.com/mohangcsm/secops/blob/master/application/templates/close_tickets.html This JavaScript code handles several interactive features within the SECOPS application. It includes initializing tooltips, managing dynamic content display, populating dropdowns based on user roles, and implementing a 'follow-up' mechanism for issues with asynchronous data handling. ```javascript $('.icon_info').tooltip(); function check_status(){ var ticket_status = $('#ticket_status').val(); var not_allowed = ["Backlog","To Do", "ToStart", "Open"]; if(not_allowed.includes(ticket_status)) alert("Issue is not in In-Progress state; Only Reject action is allowed."); return !not_allowed.includes(ticket_status); } var peer_review_enabled = {{peer_review_enabled|safe}}; PEER_REVIEW_REQUIRED_FOR = []; if(peer_review_enabled) PEER_REVIEW_REQUIRED_FOR = {{PEER_REVIEW_REQUIRED_FOR|safe}}; window.follow_message = ""; window.ticket_id = ""; console.log('text'); window.assignee = "{{config.DEFAULT_USER|e}}"; function followup(key, status, summary, requestingfor, due_days, follow_class,assigned){ if(assigned == "None") assigned = window.assignee; else window.assignee = assigned; document.getElementById('follow_key').innerHTML = key; document.getElementById('follow_summary').innerHTML = summary; document.getElementById('follow_status').innerHTML = status; document.getElementById('follow_requestingfor').innerHTML = requestingfor; document.getElementById('follow_due_days').innerHTML = due_days+" days"; $('#follow_due_days').addClass('label-'+follow_class); document.getElementById('follow_assignee').value = assigned; window.ticket_id = key; window.follow_message = "Hey, \n\nThis issue is pending from "+due_days+" days. Request you to provide an update as soon as possible.\n\n"; console.log(window.follow_message); $('#follow_comment').html(window.follow_message); } function doFollowup(){ const form = document.getElementById('followup_form'); var form_data = new FormData(form); form_data.append('ticket_id',window.ticket_id); form_data.append('comment',$('#follow_comment').val()); form_data.append('assigned',$('#follow_assignee').val()); window.assignee = "{{config.DEFAULT_USER|e}}"; fetch(form.action, { method: form.method, body: form_data, }).then(response => { return response.json(); }).then(data => { alert(data.message); $('#form_close').click(); }).catch(err => { console.log(err); console.log("Error Occured while fething api : "+form.action); }); } ``` -------------------------------- ### SECOPS Framework Benefits Source: https://github.com/mohangcsm/secops/blob/master/application/templates/login.html Outlines the functional benefits of the SECOPS Framework compared to a common bug/issue tracking system, highlighting its advantages for security teams. ```markdown - Helps Security Teams to gather initial information in a systematic way. - Allows to integrate various other security tools via REST Apis. - Bring audit capabilities to different types of security operations. ``` -------------------------------- ### Footer Inclusion Source: https://github.com/mohangcsm/secops/blob/master/application/templates/login.html Includes a footer from a separate HTML file, ensuring a consistent footer across different pages. ```html {% extends "footer.html" %} ``` -------------------------------- ### Login Link Source: https://github.com/mohangcsm/secops/blob/master/application/templates/login.html Provides a direct link to the login page, often used for user authentication. ```html Login Here ``` -------------------------------- ### CSS Styling for UI Elements Source: https://github.com/mohangcsm/secops/blob/master/application/templates/inventory.html CSS rules for styling various UI components, including a background image, loader, modal dialogs, padding, and specific element dimensions. These styles enhance the user interface and experience. ```css body { /*background: url("back1.jpg") no-repeat center center fixed; */ background-size: cover; } .loader { position: absolute; top: 50%; left: 50%; margin: -50px 0px 0px -50px; } .box { height: 10vw; width: 10vw; } .modal-header, h4, .close { background-color: #182530; color:white !important; text-align: center; font-size: 30px; } .modal-content{ background-color: #e6e6e6; } .modal-footer { background-color: #182530; } .center { align-self: center; text-align: center; } .border { border: solid 0px black; } .pad { padding: 1vw; } .pad-top { padding-top: 2.5vw; } .pad-bottom { padding-bottom: 2.5vw; } .dashboard { margin-top: 1.5vw; } .x400x { height: 400px; } #message { margin-top: 30px; } .issues_body { vertical-align: middle; text-align: left; overflow-y: scroll; max-height: 500px; min-height: 250px; } .state { color: #55AA00; } body { background-color: white; } ``` -------------------------------- ### CSS Styling for SECOPS UI Source: https://github.com/mohangcsm/secops/blob/master/application/templates/close_tickets.html This snippet defines various CSS classes used within the SECOPS project for styling elements. It includes classes for general layout, text colors, and interactive element states, contributing to the user interface's visual presentation. ```css body { /*background: url("back1.jpg") no-repeat center center fixed; */ background-size: cover; } .hidden { display: none; } .shown { display: block; } $('.icon_info').tooltip(); .container { width: 100%; } .red { color: red; } .blue { color: blue;} .green { color: green; } .orange { color: orange; } ``` -------------------------------- ### Dynamic Dropdown Generation Source: https://github.com/mohangcsm/secops/blob/master/application/templates/new_secreview.html Generates an HTML dropdown menu dynamically based on a JavaScript object. It iterates through nested options to create a structured selection list, intended for user input forms. ```javascript var base_options = request_options_all['base_options']; msg = '