secureCodeBox as a Service
secureCodeBox as a Service is a simple web UI that provides an easy way to try out the secureCodeBox. The secureCodeBox is a Kubernetes-based system for orchestrating various security scanners. This means that a Kubernetes cluster is required for the installation. However, since this is quite a demanding prerequisite just to test the secureCodeBox, we have created secureCodeBox as a Service.
To minimise this challenge and thus make the secureCodeBox accessible to a wider audience, we operate the necessary Kubernetes cluster and provide a dedicated installation of secureCodeBox. In addition, secureCodeBox as a Service offers a simple web-based user interface for interacting with the secureCodeBox.
How does a scan actually work?
In principle, almost any scan can be carried out with the secureCodeBox, even in combination with others. However, this requires in-depth knowledge in order to configure the scanners. To simplify this step, we offer a predefined scan scenario:
- Enter the domain you want to scan (e.g. "example.com").
- A sub-domain scan is then carried out to find all hosts that can be reached under the domain. We have configured the Amass scanner for this purpose.
- A port scan is then performed for each host found (e.g. "www.example.com", "mail.example.com", "secret.example.com", ...). This identifies open ports and the services (e.g. web server, mail server, etc.) running on these ports. We have configured the Nmap scanner for this purpose.
- At the end, a list of all hosts found and their open ports and services is displayed in the web UI.
Data protection and security
To ensure that not just anyone can scan any domain, we carry out a so-called domain validation. This means that after entering the domain to be scanned, a cryptographically random value must be stored in the DNS (Domain Name System) of the domain entered. We query this value in the DNS before the scan. This ensures that the person who wants to perform a scan is the administrative owner of the domain and is authorised to perform this scan. Further details are regulated in the licence agreement.
In principle, however, anyone who is able to operate the scanners used (Amass, Nmap etc.) can also carry out the scan described above themselves without the secureCodeBox. Therefore, the scan and especially the results page are not protected by a login. However, to ensure that this information cannot simply be found by search engines, a random, unguessable URL is generated for each scan. Therefore, do not pass on this URL if you do not want others to have easy access to the results.
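The two mechanisms described above, the DNS-based domain validation and the random results URL, as an added Python example that is not the service's own code. The record label `_scb-challenge`, the use of a TXT record and the token sizes are assumptions, and the DNS lookup is a constructed stand-in so the check runs offline.

```python
import hmac
import secrets
from typing import Callable, Iterable

# Assumptions (the page states neither): the token is published as a TXT record
# under a dedicated label, and it carries 32 random bytes (256 bits).
CHALLENGE_LABEL = "_scb-challenge"  # hypothetical label, not the service's real one
TOKEN_BYTES = 32

def new_challenge() -> str:
    """Unguessable validation token from the OS CSPRNG (never random.random)."""
    return secrets.token_urlsafe(TOKEN_BYTES)

def challenge_record_name(domain: str) -> str:
    """Normalise the user-supplied domain and prefix the challenge label."""
    return f"{CHALLENGE_LABEL}.{domain.strip().rstrip('.').lower()}"

def domain_validated(domain: str, expected: str,
                     lookup_txt: Callable[[str], Iterable[str]]) -> bool:
    """True only if a TXT record at the challenge name equals the token.

    lookup_txt is injected so the check runs offline; in production it would
    wrap a real resolver. Any resolver error (NXDOMAIN, timeout) means
    "not validated", never success.
    """
    try:
        records = list(lookup_txt(challenge_record_name(domain)))
    except Exception:
        return False
    want = expected.encode()
    # Constant-time compare per record; a name may carry several TXT entries.
    return any(hmac.compare_digest(r.strip().encode(), want) for r in records)

def new_results_path() -> str:
    """Random, unguessable results URL path (128 bits), used instead of a login."""
    return f"/scans/{secrets.token_urlsafe(16)}"

def fake_zone(records: dict) -> Callable[[str], Iterable[str]]:
    """Constructed stand-in for DNS: maps record names to their TXT values."""
    def lookup(name: str) -> Iterable[str]:
        if name not in records:
            raise LookupError(f"NXDOMAIN {name}")
        return records[name]
    return lookup

if __name__ == "__main__":
    token = new_challenge()
    zone = fake_zone({"_scb-challenge.example.com": ["v=spf1 -all", token]})
    print(domain_validated("example.com", token, zone))  # True
```

Because the results page is only protected by the randomness of its path, the path must come from `secrets`, never from a predictable counter or timestamp.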
A scan and the results found are stored and retained for seven days. After that, the data is irretrievably deleted! We only store which domain was scanned from which IP address for a maximum of three years in order to be able to investigate any cases of misuse (see data protection).