We automate because • We don’t have enough resources • Time == Money • Even if we have $ we can’t find people with skills • Survives attrition • We’re not very good at repetitive detailed work • Its actually possible now
Mounter Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js Future: many more possible. Designed for extension. Files Code
Other Internals • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively. Mounter Files Code App Filter Reporter “Tasks”
Lab 2: Running Glue on Your Project docker run —rm -v /Users/mk/code/loca:/tmp/target/ owasp/glue:0.9 \ -d \ -t owaspdependencycheck \ -f csv \ /tmp/target/ * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.
Lab 2: Running Glue on Your Project 1. docker run —name glue owasp/glue:0.9 2.docker exec -it glue bash docker ps FIND YOUR IMAGE NAME * Due to docker ease of setup, please use a directory within your home directory. It is possible to do this in other ways, but it requires further setup of shared folders in virtual box which we want to avoid for the purposes of this workshop.
Lab 3: Getting into the Glue Docker Image 1. docker run -rm —i -t —entrypoint=/ bin/bash owasp/glue:0.9 2. cd lib 3. ../bin/glue -h Now you’re running from source. We can change anything …
Key Takeaways • Make it portable • Put results in JIRA (or Pivotal or wherever developers are working) • Minimize / reduce noise • Start small and grow into it
Stage 0 • Hope your dev teams are using some kind of continuous integration eg. Jenkins • Hope your dev teams have a process you can build into. • Hope your team has some coding skills.
Certbot • Certificate expiring monkey • No that’s not a real thing … yet • But we can use Let’sEncrypt or Vault and some scripting to ensure our internal net is all mutually authenticated TLS.
mkonda
pospome
mot_techtalk
kiyoshiro
rabbitmagician1
star_zero
iimokoy
elainenaomi
maroon1st
akitotsukahara
uhooi
teamlab
chatwork_hr
morganepeng
marcelosomers
tmm1
eileencodes
soudai
marcduiker
sonatard
keavy
jponch
tanoku
bryan
paulrobertlloyd