|
| 1 | +--- |
| 2 | +# SPDX-FileCopyrightText: the secureCodeBox authors |
| 3 | +# |
| 4 | +# SPDX-License-Identifier: Apache-2.0 |
| 5 | + |
| 6 | +title: secureCodeBox as a Service |
| 7 | +author: Sven Strittmatter |
| 8 | +author_title: Core Developer |
| 9 | +author_url: https://github.com/Weltraumschaf |
| 10 | +author_image_url: https://www.gravatar.com/avatar/3fe213284598b5cb69009665902c77a1 |
| 11 | +tags: |
| 12 | + - kubernetes |
| 13 | + - release |
| 14 | + - secureCodeBox |
| 15 | +description: We are launching secureCodeBox as a Service so that you can try it out without your own Kubernetes cluster. |
| 16 | +image: /img/blog/2025-07-10-scbaas-form.jpg |
| 17 | +--- |
| 18 | + |
| 19 | +Have you ever wanted to try out _secureCodeBox_ but don't have a Kubernetes cluster on hand? We have a solution for that: [secureCodeBox as a Service][scbaas]. |
| 20 | + |
| 21 | + |
| 22 | + |
| 23 | +<!--truncate--> |
| 24 | + |
| 25 | +In the last years we gained some attraction with our project, as you can see by the GitHub stars: |
| 26 | + |
| 27 | + |
| 28 | + |
| 29 | +But one of the major concerns we often heard in the past was: |
| 30 | + |
| 31 | +> Nice project, but I don't have a Kubernetes cluster to try it out. |
| 32 | +
|
| 33 | +Setting up a Kubernetes cluster is a major concern if you're not used to it. What seems to be a no-brainer for DevOps Engineers may be show-stopper for e.g. security engineers, pentesters, CISOs, Product Owners, etc. who just want to try it out. |
| 34 | + |
| 35 | +That's the reason why we decided last year to start building [secureCodeBox as a service][scbaas], and now it's in a state where we can put it in front of the public. For that, we set up a dedicated Kubernetes cluster and developed a simple Web UI to interface with secureCodeBox. So you don't need to mess around with `kubectl` on command line 🤗 |
| 36 | + |
| 37 | +At the moment, we do a [very basic cascading scan](https://scb.iteratec.de/about): |
| 38 | + |
| 39 | +1. We scan for all subdomains. |
| 40 | +2. We scan for all open ports on each found hostname. |
| 41 | + |
| 42 | +We plan more elaborated scans for the future, e.g.: |
| 43 | + |
| 44 | +- TLS |
| 45 | +- SSH |
| 46 | +- dangling DNS |
| 47 | +- ... |
| 48 | + |
| 49 | +:::note Is it really that simple? |
| 50 | +Of course not! 😂 |
| 51 | + |
| 52 | +We need to prevent that arbitrary internet users scan random domains they do not own because this could be interpreted as attack, and the owners may sue us. 😬 |
| 53 | + |
| 54 | +To mitigate this, we implemented a _Domain Validation_ process. To validate your domain, you need to add a challenge to your DNS zone, so that we are sure that you "own" this particular domain. Sadly, this raises the bar for technical skills required for use. So either you can administer your DNS zone, or you have someone from operations on hand, who can do that for you. |
| 55 | + |
| 56 | +Also, we require you to accept a very lightweight [terms of use](https://scb.iteratec.de/terms). |
| 57 | +::: |
| 58 | + |
| 59 | +## Why Hosted on a Company Domain? |
| 60 | + |
| 61 | +Maybe you recognized that [secureCodeBox as a service][scbaas] is hosted under a company domain of the [iteratec GmbH](https://www.iteratec.com). _iteratec_ is the main sponsor of _secureCodeBox_. The reason why we host the service there instead under the open source project's domain is for legal reasons. Since we're located in Germany, and we have something called the "Hackerparagraph" (you can be sued for scanning if not permitted by the owner of the scanned systems). To prevent the individual maintainers or maybe the [OWASP](https://www.owasp.org) getting sued, we needed a legal entity to be in charge and as a legal party for the terms of use. Of course, we asked a lawyer. 😉 |
| 62 | + |
| 63 | +[scbaas]: https://scb.iteratec.de |
0 commit comments