
Glue Intro

Matt Konda
October 12, 2018

In this talk, I walk through the OWASP Glue tool that we contribute to, and describe the architecture and how to add new tasks.


  1. Introduction (speaker bio slide; timeline: 90's, 2006, 2014). Roles: Consultant, Engineer, Software Architect, Director of Engineering, Rabble Rouser, Founder, Consultant, CEO, OWASP Board. Technologies: Perl, Java, Java Applet, C++, J2EE, Spring, Ruby, Rails, Agile, Cloud, Clojure, Graph Database. Projects: Analytics, Certificate Authority, Vulnerability Scanner, Penetration Test Manager, Pricing. Domains: Retail Banking, Manufacturing, Pharma, Healthcare, Research. Consulting: Independent; focus on developers; DevOps / Automation, Training, Coaching, Code Review, Plugged in to SDLC, Assessments; Services, Product, Teaching, Growing Teams Forward. Education: MS in CS. Talks: Chicago BSides 2011, 2012; Defcon Skytalk; OWASP Chicago, MSP 2013; AppSec USA 2012, 2013; ChicagoRuby 2013; Secure 360; Lone Star Ruby 2013; WindyCityRails 2013; Chicago JUG 2014; RailsConf 2014; Converge 2014; Chicago Coder Conference 2015, 2016; Goto Chicago 2016; OWASP Chicago. Contact: @mkonda, [email protected].
  2. Team: Omer Levi Hevroni (Active Leader), Brian Fore, Me, Alex Lock, Runako Godfrey, Rafa Perez, Reuben Swartz.
  3. Running Glue from Docker. 1. docker run --rm owasp/glue -h (show help) 2. docker run --rm owasp/glue -t brakeman https://github.com/Jemurai/triage.git (run the brakeman task against a git repository)
  4. Running Glue from Docker. 1. docker run --rm owasp/glue -t sfl https://github.com/Jemurai/triage.git (run the sfl task)
  5. Running Glue from Docker. 1. docker run --rm owasp/glue -l code https://github.com/Jemurai/triage.git (run all tasks labelled "code")
  6. JIRA Example: glue -t retire,sfl -f jira --jira-api-url myjira.atlassian.net --jira-api-context '' --jira-username youruser --jira-password password --jira-project JIRA_PROJECT https://github.com/jemurai/triage.git
  7. Mounter. Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js, bandit. Future: many more possible. Designed for extension. [pipeline diagram: Files, Code]
  8. Extension Points. Mounters: mount, supports?; Tasks: run, analyze, supported?; Filters: filter; Reporter: run_report. [pipeline diagram: Mounter, Files, Code, App, Filter, Reporter, with Files/Code/App grouped as "Tasks"]
  9. Other Internals. Within "Tasks", each of the files, code and app phases of the pipeline can be run selectively. [pipeline diagram: Mounter, Files, Code, App, Filter, Reporter, with Files/Code/App grouped as "Tasks"]
  10. ruby bin/glue -l code (Code analysis) -d (Turn on debug) -f text (Output format) /area53/app/
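The following is an added example, not OWASP Glue's own code: a miniature Ruby model of the pipeline slides 8 through 10 describe (Mounter, then the files/code/app "Tasks" stages, then Filter, then Reporter), using the extension-point method names listed on slide 8 and a stage selector that plays the role of "-l code" on slide 10. The class names, the Finding struct, the report helper, the file-name patterns and the temporary fixture are all assumptions made for this illustration; Glue's real base classes and task registration are not shown here.

```ruby
# Added example (not OWASP Glue's own code): a miniature model of the
# Mounter -> "Tasks" (files/code/app) -> Filter -> Reporter pipeline.
# Class names, Finding, report and the fixture are assumptions.
require 'tmpdir'
require 'fileutils'
require 'set'

Finding = Struct.new(:task, :description, :source, :severity, :fingerprint)

# Mounter extension point: supports? selects the mounter, mount yields a path.
class DirectoryMounter
  def supports?(target)
    File.directory?(target)
  end

  def mount(target)
    target
  end
end

# Task extension point: supported?, run, analyze. Each task declares a stage
# (:files, :code or :app) so the driver can run stages selectively.
class BaseTask
  attr_reader :name, :stage, :findings

  def initialize(path)
    @path = path
    @findings = []
  end

  def supported?
    true
  end

  def run; end      # collect raw tool output
  def analyze; end  # turn raw output into findings

  def report(description, source, severity)
    @findings << Finding.new(@name, description, source, severity, "#{@name}:#{source}")
  end
end

# A code-stage task in the spirit of the "secrets in source" tasks on the
# recap slide: flags paths whose names suggest committed credentials.
# The patterns are illustrative only.
class SensitiveFileTask < BaseTask
  SUSPECT = [/\.pem\z/i, /\.key\z/i, /id_rsa\z/, /\.env\z/, /credentials/i].freeze

  def initialize(path)
    super
    @name  = "sfl-mini"
    @stage = :code
  end

  def run
    @paths = Dir.glob("**/*", File::FNM_DOTMATCH, base: @path)
                .select { |rel| File.file?(File.join(@path, rel)) }
  end

  def analyze
    @paths.each do |rel|
      next unless SUSPECT.any? { |re| re.match?(rel) }
      report("Possible sensitive file committed to source", rel, :high)
    end
  end
end

# Filter extension point: filter(findings) -> findings. Drops repeats that
# share a fingerprint (e.g. two tasks reporting the same file).
class DedupeFilter
  def filter(findings)
    seen = Set.new
    findings.select { |f| seen.add?(f.fingerprint) }
  end
end

# Reporter extension point: run_report(findings) -> text.
class TextReporter
  def run_report(findings)
    return "No findings.\n" if findings.empty?
    findings.map { |f| "#{f.severity.to_s.upcase}\t#{f.task}\t#{f.source}\t#{f.description}" }.join("\n") + "\n"
  end
end

# Driver: mount, run only the selected stages, filter, report.
def run_pipeline(target, tasks:, stages: %i[files code app],
                 mounters: [DirectoryMounter.new], filters: [DedupeFilter.new],
                 reporter: TextReporter.new)
  mounter = mounters.find { |m| m.supports?(target) }
  raise ArgumentError, "no mounter supports #{target}" unless mounter
  path = mounter.mount(target)
  findings = tasks.map { |klass| klass.new(path) }
                  .select { |t| stages.include?(t.stage) && t.supported? }
                  .flat_map { |t| t.run; t.analyze; t.findings }
  filters.each { |f| findings = f.filter(findings) }
  [findings, reporter.run_report(findings)]
end

# Constructed fixture: a throwaway checkout with a few suspicious paths.
def demo(stages: %i[files code app])
  Dir.mktmpdir("glue-mini") do |dir|
    { "README.md" => "docs", "config/credentials.yml" => "key: x",
      ".env" => "DB_PASSWORD=x", "deploy/id_rsa" => "fake" }.each do |rel, body|
      FileUtils.mkdir_p(File.dirname(File.join(dir, rel)))
      File.write(File.join(dir, rel), body)
    end
    # The same task listed twice shows the dedupe filter collapsing repeats.
    run_pipeline(dir, tasks: [SensitiveFileTask, SensitiveFileTask], stages: stages)
  end
end

if __FILE__ == $PROGRAM_NAME
  findings, text = demo
  puts text
  puts "#{findings.size} unique finding(s)"
end
```

Running the file prints three HIGH findings (.env, config/credentials.yml, deploy/id_rsa) rather than six, because the filter stage removes the duplicates; calling demo(stages: [:files]) skips the code-stage task entirely and reports nothing, which is the selective-phase behaviour slide 9 describes.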
  11. Recap of "Tasks". File: AV, FIM. Code: Secrets: SFL, Trufflehog; Ruby/Rails: brakeman, bundler-audit; JavaScript: NodeSecurityProject, eslint, retire.js; Python: bandit; Java: owasp-dependency-check; Other: Checkmarx. Ingestors: Burp, Contrast. Live: ZAP.
  12. Help? What's next? Omer is working on dynamic tasks. Better tests. Better documentation. More tasks. Additional JIRA flows.