We automate because
• We don’t have enough resources
• Time == Money
• Even if we have $ we can’t find people with skills
• Survives attrition
• We’re not very good at repetitive detailed work
• It’s actually possible now
Mounter
Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js
Future: many more possible. Designed for extension.
(Diagram: Files and Code stages)
Other Internals
• Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively.
(Pipeline diagram: Mounter → Files → Code → App → Filter → Reporter, with Files, Code and App grouped as “Tasks”)
Lab 2: Running Glue on Your Project
    docker run --rm -v /Users/mk/code/loca:/tmp/target/ owasp/glue:0.9 \
      -d \
      -t owaspdependencycheck \
      -f csv \
      /tmp/target/
* To keep the Docker setup simple, please use a directory within your home directory. It is possible to mount other locations, but that requires further setup of shared folders in VirtualBox, which we want to avoid for the purposes of this workshop.
Lab 2: Running Glue on Your Project
1. docker run --name glue owasp/glue:0.9
2. docker exec -it glue bash
   (docker ps: find your image name)
Lab 3: Getting into the Glue Docker Image
1. docker run --rm -i -t --entrypoint=/bin/bash owasp/glue:0.9
2. cd lib
3. ../bin/glue -h
Now you’re running from source. We can change anything …
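A small wrapper for the Lab 2 and Lab 3 commands, added here as an example and not part of the OWASP Glue project: it composes the docker command line from the slides and enforces the workshop caveat that the mounted target must be an absolute path under the home directory. The function names and the home-directory parameter are this example's own.

```shell
#!/bin/sh
# Added example (not OWASP Glue code): compose the Lab 2 / Lab 3 docker commands
# and refuse target directories Docker's default shared folders will not cover.

GLUE_IMAGE="owasp/glue:0.9"   # image tag used throughout the slides

# under_dir HOME_DIR TARGET -> 0 when TARGET is HOME_DIR itself or lies inside it
under_dir() {
  _home="${1%/}"   # tolerate a trailing slash on the home directory
  case "$2" in
    "$_home"|"$_home"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# glue_docker_cmd TARGET [TOOL] [FORMAT] [HOME_DIR]
# Prints the Lab 2 command; fails when TARGET is relative or outside HOME_DIR.
glue_docker_cmd() {
  _target="$1"
  _tool="${2:-owaspdependencycheck}"   # -t selects the task/tool to run
  _fmt="${3:-csv}"                     # -f selects the reporter format
  _homedir="${4:-$HOME}"
  case "$_target" in
    /*) ;;
    *) echo "target must be an absolute path: $_target" >&2; return 1 ;;
  esac
  if ! under_dir "$_homedir" "$_target"; then
    echo "target $_target is outside $_homedir (shared-folder caveat)" >&2
    return 1
  fi
  # -d turns on debug output; the project is mounted at /tmp/target/ in the container
  printf 'docker run --rm -v %s:/tmp/target/ %s -d -t %s -f %s /tmp/target/\n' \
    "$_target" "$GLUE_IMAGE" "$_tool" "$_fmt"
}

# glue_shell_cmd -> prints the Lab 3 command that drops into the image's shell
glue_shell_cmd() {
  printf 'docker run --rm -i -t --entrypoint=/bin/bash %s\n' "$GLUE_IMAGE"
}
```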
Key Takeaways
• Make it portable
• Put results in JIRA (or Pivotal or wherever developers are working)
• Minimize / reduce noise
• Start small and grow into it
Stage 0
• Hope your dev teams are using some kind of continuous integration, e.g. Jenkins
• Hope your dev teams have a process you can build into.
• Hope your team has some coding skills.
Certbot
• Certificate expiring monkey
• No, that’s not a real thing … yet
• But we can use Let’s Encrypt or Vault and some scripting to ensure our internal net is all mutually authenticated TLS.