Glue Intro

Transcript

1. OWASP Glue Matt Konda matt.konda@owasp.org mkonda@jemurai.com @mkonda

2. Introduction 90’s 2006 2014 Consultant Engineer Software Architect Director of

   Engineering Rabble Rouser: Perl, Java Java Applet C++ J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 MS in CS Founder Consultant Agile Cloud Clojure Graph Database Independent. Focus developers. Consulting. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda mkonda@jemurai.com CEO Services. Product. Teaching Growing Teams Forward OWASP Board Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015, 2016 Goto Chicago 2016 OWASP Chicago

3. Team • Omer Levi Hevroni • (Active Leader) • Brian

   Fore • Me • Alex Lock • Runako Godfrey • Rafa Perez • Reuben Swartz

4. Also … I’m term limited. ;)

5. None

6. Intended to make it easy to do security automation.

7. Task Target Findings

8. Findings Filter Report

9. None

10. Running Glue from Docker 1. docker run —rm owasp/glue -h

    2. docker run —rm owasp/glue -t brakeman https://github.com/Jemurai/triage.git

11. Running Glue from Docker 1. docker run —rm owasp/glue -t

    sfl https://github.com/Jemurai/triage.git

12. Running Glue from Docker 1. docker run —rm owasp/glue -l

    code https://github.com/Jemurai/triage.git

13. JIRA Example glue -t retire,sfl —f jira --jira-api-url myjira.atlassian.net --jira-api-context

    '' --jira-username youruser --jira-password password -—jira-project JIRA_PROJECT https://github.com/jemurai/triage.git
14. None
15. None

16. Mounter Currently: git repo, filesystem, iso, docker image

17. Mounter Currently: clamav, hashdeep Files

18. Mounter Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js,

    bandit Future: many more possible. Designed for extension. Files Code

19. Mounter Currently: ZAP (in progress) Future: guantlt, nmap. Files Code

    App

20. Mounter Currently: Prevents false positives in JIRA. Files Code App

    Filter

21. Mounter Currently: Reports to JIRA, TeamCity, csv, json, off, text.

    Files Code App Filter Reporter
22. None

23. Go live

24. Extension Points • Mounters: mount, supports? • Tasks: run, analyze,

    supported? • Filters: filter • Reporter: run_report Mounter Files Code App Filter Reporter “Tasks”

25. Other Internals • Within “Tasks”, each of the files, code

    and app phases of the pipeline can be run selectively. Mounter Files Code App Filter Reporter “Tasks”

26. ruby bin/glue -l code (Code analysis) -d (Turn on debug)

    -f text (Output format) /area53/app/

27. Some checks excellent and valid…

28. Others still noisy …

29. What if it just automatically ran against every company github

    project?

30. Jenkins

31. None
32. None
33. None
34. None
35. None
36. None
37. None
38. None
39. None

40. Recap of “Tasks” • File: AV, FIM • Code: •

    Secrets: SFL, Trufflehog • Ruby/Rails: brakeman, bundler-audit • JavaScript: NodeSecurityProject, eslint, retire.js • Python: bandit • Java: owasp-dependency-check • Other: Checkmarx • Ingestors: Burp, Contrast • Live: ZAP

41. Using K8S

42. Using K8S

43. Help? What’s next? • Omer is working on dynamic tasks.

    • Better tests • Better documentation • More tasks • Additional JIRA flows

44. Let’s do it live.