Mixeway is open-source software meant to simplify security assurance for projects delivered through CI/CD pipelines. Mixeway is not another vulnerability scanner; it is a security orchestration tool.
It ships with a number of plugins for vulnerability scanners.
With all this available, Mixeway provides the following functionality:
- Automatic service discovery (IaaS Plugin for assets and network scans for services)
- Automatic Vulnerability Scan Configuration (Based on most recent configuration) - hands-free!
- Automatic and on-demand Vulnerability scan execution (based on policy and executed via a REST API call)
- One vulnerability database for all types of sources - SAST, DAST, open-source and infrastructure vulnerabilities in one place
- Customizable Security Quality Gateway - a reliable piece of information for CI/CD to decide whether a job should pass or not
- REST API that enables integration with the vulnerability management systems already used within the organization
Elements of the system:
- Backend - Spring Boot REST API
- Frontend - Angular 8 application
- DB - PostgreSQL database
- Vault - password store
- MixewayHub - parent project which contains the docker-compose files and a one-click installation
Mixeway Backend is a Spring Boot application that serves a REST API both for the user interface and for independent tools that create and run scans. The backend application also contains the vulnerability scanner plugin definitions. Each plugin implements at least three operations: configure scan, run scan and load vulnerabilities. This puts Mixeway completely in charge of the scanning process, which allows it to fully automate the vulnerability assessment process.
With HashiCorp Vault integration, the passwords for each security scanner (the most sensitive data the system holds) are properly secured.
High-level information can be found here.
More detailed and technical docs are here.
Mixeway has to be able to reuse the passwords and API keys it is given in order to interact with the vulnerability scanners.
Vault integration is optional but strongly recommended; otherwise the passwords for the vulnerability scanners are stored in plaintext.
- A running and working DB
- Java 1.8
- SSL certificates
- HashiCorp Vault up and running
- Make sure the DB is up and running (the guide for the postgres Docker image at https://hub.docker.com/_/postgres may help)
- Optionally, make sure Vault is up and running (the guide for the Vault Docker image at https://hub.docker.com/_/vault may help)
- Generate certificates and convert them to PKCS12 (yes, certificates are required even in dev):

```sh
# self-signed certificate and private key, valid for one year
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
# pack key and certificate into a PKCS12 keystore for the Spring Boot server
openssl pkcs12 -inkey key.pem -in certificate.pem -export -out certificate.p12
```
A cacerts file (the JVM trust store) is also needed; make sure you know its location. Tips on finding it are here.
Finally, run:
```sh
# <mixeway-backend.jar> is a placeholder for the built backend artifact;
# Spring Boot arguments must come after the jar path
java -jar <mixeway-backend.jar> \
  --server.ssl.trust-store=/etc/pki/cacerts \
  --server.ssl.trust-store-password=changeit \
  --server.ssl.key-store=/etc/pki/localhost.p12 \
  --server.ssl.key-store-password=changeit \
  --server.ssl.keyAlias=localhost \
  --spring.profiles.active=dev \
  --spring.datasource.url=jdbc:postgresql://127.0.0.1:5432/mixer \
  --spring.datasource.username=mixewayuser \
  --spring.datasource.password=mixewaypassword \
  --spring.cloud.vault.token=ffffffff-ffff-ffff-ffff-ffffffffffff \
  --spring.cloud.vault.scheme=http \
  --spring.cloud.vault.port=8200 \
  --spring.cloud.vault.host=MixerVault
```
The REST API will be exposed on port 8443.
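The dev setup above, wrapped into a launch helper as an added example (not Mixeway's own code): secrets are read from the environment rather than passed on the command line, so the keystore password, DB password and Vault token do not show up in `ps` output or shell history, and a launch without a Vault host is refused unless explicitly allowed, since scanner passwords would then be stored in plaintext. It assumes Spring Boot's relaxed-binding environment names for the properties used above (SERVER_SSL_KEY_STORE_PASSWORD for server.ssl.key-store-password, SPRING_CLOUD_VAULT_TOKEN for spring.cloud.vault.token, and so on), an invented MIXEWAY_ALLOW_PLAINTEXT opt-in, and that the backend jar path is passed as the first argument because the page does not name the artifact.

```shell
#!/bin/sh
# Added dev-launch helper (not part of Mixeway). Secrets (keystore and truststore
# passwords, DB password, Vault token) are read from the environment: Spring Boot's
# relaxed binding maps SERVER_SSL_KEY_STORE_PASSWORD to server.ssl.key-store-password,
# so nothing sensitive is visible in `ps` output or shell history.
set -eu

# Return 0 when every file the launch needs is readable, 1 otherwise.
check_prereqs() {
  rc=0
  for f in "$@"; do
    if [ ! -r "$f" ]; then echo "missing or unreadable: $f" >&2; rc=1; fi
  done
  return "$rc"
}

# Vault is optional, but without it scanner passwords are stored in plaintext,
# so require an explicit opt-in (MIXEWAY_ALLOW_PLAINTEXT=yes, invented here)
# before launching without a Vault host. Prints "vault" or "plaintext".
vault_mode() {
  if [ -n "$1" ]; then echo vault; return 0; fi
  if [ "$2" = yes ]; then echo plaintext; return 0; fi
  echo "no Vault host; set MIXEWAY_ALLOW_PLAINTEXT=yes to accept plaintext secrets" >&2
  return 1
}

# The README's openssl commands; the PKCS12 export password is taken from the
# environment (openssl's env:VAR form) instead of being typed on the command line.
make_keystore() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" -x509 -days 365 \
    -subj "/CN=localhost" -out "$1/certificate.pem" 2>/dev/null
  openssl pkcs12 -inkey "$1/key.pem" -in "$1/certificate.pem" -export -name localhost \
    -passout env:SERVER_SSL_KEY_STORE_PASSWORD -out "$1/certificate.p12"
}

# Only non-secret settings go on the command line; the jar path is an argument
# because the README does not name the built artifact.
launch() {
  : "${SERVER_SSL_KEY_STORE_PASSWORD:?}" "${SERVER_SSL_TRUST_STORE_PASSWORD:?}" \
    "${SPRING_DATASOURCE_PASSWORD:?}" "${SERVER_SSL_KEY_STORE:?}" "${SERVER_SSL_TRUST_STORE:?}"
  check_prereqs "$1" "$SERVER_SSL_KEY_STORE" "$SERVER_SSL_TRUST_STORE"
  vault_mode "${SPRING_CLOUD_VAULT_HOST:-}" "${MIXEWAY_ALLOW_PLAINTEXT:-no}" >/dev/null
  exec java -jar "$1" --spring.profiles.active=dev --server.ssl.key-alias=localhost \
    --spring.datasource.url=jdbc:postgresql://127.0.0.1:5432/mixer \
    --spring.datasource.username=mixewayuser
}
```

Export the SERVER_SSL_*, SPRING_DATASOURCE_PASSWORD and SPRING_CLOUD_VAULT_* variables, run `make_keystore /etc/pki` once, then `launch /path/to/backend.jar`.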
Mixeway supports multiple authentication methods:
- GitHub OAuth
- Facebook OAuth
- Keycloak OAuth
- x509 Smart Cards
In order to enable GitHub OAuth, register the Mixeway application at GitHub and then set the variables:
GITHUB_APP_ID
GITHUB_SECRET
In order to enable Facebook OAuth, register the Mixeway application at Facebook and then set the variables:
FACEBOOK_APP_ID
FACEBOOK_SECRET
In order to enable Keycloak OAuth, register the Mixeway application as a client in Keycloak and then set the variables:
KEYCLOAK_REALM
KEYCLOAK_URL (ending with /auth)
KEYCLOAK_CLIENT_ID
KEYCLOAK_SECRET
KEYCLOAK_AUTH_ROLE