Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Glue Intro

Matt Konda
October 12, 2018
Technology
0
76

Glue Intro

In this talk, I walk through the OWASP Glue tool that we contribute to, and describe the architecture and how to add new tasks.

Matt Konda

October 12, 2018
Tweet

More Decks by Matt Konda

See All by Matt Konda
Automate All of the Things
mkonda
0
160
Building Rugged Software in a DevOps World
mkonda
0
87
What is Rugged all about?
mkonda
1
78
Real World Security Testing
mkonda
1
91
Security Automation Pipeline
mkonda
1
180
Security Automation Workshop
mkonda
0
48
Rationalizing Security
mkonda
0
48
Application Security Landscape
mkonda
0
56
Security and DevOps
mkonda
0
81

Other Decks in Technology

See All in Technology
社内でChatGPTを利用するためのガイドラインを整備した話
yoshikieguchi
0
720
既存システムのコンテナ化で得られた知見と、 全然関係ないけど自炊を支える技術
matsuihidetoshi
0
530
心理的安全性に対して個人とチームで取り組んできたこと
hiro_torii
1
420
AWS CDKにテストは必要?試行錯誤したスクラム開発事例を紹介!/CdkConJp2023
mhrtech
2
840
C# の async/await は実際にどうやって動いているか
nenonaninu
1
8.4k
サーバーレスサービスの特徴と アプリケーションの考え方 / Characteristics of serverless services and Concept of application
_kensh
0
120
CyberAgent AI事業本部MLOps研修基礎編
hosimesi11
2
310
複数AWSアカウントに リソース構築する時 どうしてますか?
honma12345
0
370
これから始める継続的インテグレーション - GitHub Actions編
devops_vtj
0
130
Keynote: Kishore Gopalakrishna, StarTree - The Rise of Real-Time Analytics | RTA Summit 2023
startree
PRO
0
120
OpenAI社のWhisper APIを使ってみた! / ChatGPT研究会 第7弾 (ALGYAN)
you
0
260
『AWSではじめるクラウドセキュリティ』の裏側を。
ryohatanmonolog
2
170

Featured

See All Featured
Thoughts on Productivity
jonyablonski
52
2.9k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
3
540
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
9
770
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
123
29k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
35
9.5k
The Invisible Customer
myddelton
113
12k
Scaling GitHub
holman
453
140k
Put a Button on it: Removing Barriers to Going Fast.
kastner
56
2.6k
Making the Leap to Tech Lead
cromwellryan
118
7.8k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
15
1.2k
Fireside Chat
paigeccino
18
2.1k

Transcript

  1. OWASP Glue
    Matt Konda
    [email protected]
    [email protected]
    @mkonda

    View Slide

  2. Introduction
    90’s 2006 2014
    Consultant
    Engineer
    Software
    Architect
    Director of
    Engineering
    Rabble Rouser:
    Perl, Java
    Java Applet
    C++
    J2EE
    Spring
    Analytics
    Certificate Authority
    Vulnerability Scanner
    Penetration Test Manager
    Pricing
    Retail
    Banking
    Manufacturing
    Pharma
    Healthcare
    Research
    Ruby
    Rails
    Chicago BSides 2011, 2012
    Defcon Skytalk
    OWASP Chicago, MSP 2013
    AppSec USA 2012, 2013
    ChicagoRuby 2013
    Secure 360
    MS in CS
    Founder
    Consultant
    Agile
    Cloud
    Clojure
    Graph Database
    Independent.
    Focus developers.
    Consulting.
    Domains: Projects:
    DevOps / Automation
    Training
    Coaching
    Code Review
    Plugged in to SDLC
    Consulting
    Assessments
    @mkonda
    [email protected]ai.com
    CEO
    Services.
    Product.
    Teaching
    Growing Teams
    Forward
    OWASP Board
    Lone Star Ruby 2013
    WindyCityRails 2013
    Chicago JUG 2014
    RailsConf 2014
    Converge 2014
    Chicago Coder Conference 2015, 2016
    Goto Chicago 2016
    OWASP Chicago

    View Slide

  3. Team
    • Omer Levi Hevroni
    • (Active Leader)
    • Brian Fore
    • Me
    • Alex Lock
    • Runako Godfrey
    • Rafa Perez
    • Reuben Swartz

    View Slide

  4. Also … I’m term
    limited. ;)

    View Slide

  5. View Slide

  6. Intended to make it easy
    to do security automation.

    View Slide

  7. Task Target Findings

    View Slide

  8. Findings Filter Report

    View Slide

  9. View Slide

  10. Running Glue from Docker
    1. docker run —rm owasp/glue -h
    2. docker run —rm owasp/glue -t brakeman
    https://github.com/Jemurai/triage.git

    View Slide

  11. Running Glue from Docker
    1. docker run —rm owasp/glue -t sfl
    https://github.com/Jemurai/triage.git

    View Slide

  12. Running Glue from Docker
    1. docker run —rm owasp/glue -l code
    https://github.com/Jemurai/triage.git

    View Slide

  13. JIRA Example
    glue -t retire,sfl
    —f jira
    --jira-api-url myjira.atlassian.net
    --jira-api-context ''
    --jira-username youruser
    --jira-password password
    -—jira-project JIRA_PROJECT
    https://github.com/jemurai/triage.git

    View Slide

  14. View Slide

  15. View Slide

  16. Mounter
    Currently: git repo, filesystem, iso, docker image

    View Slide

  17. Mounter
    Currently: clamav, hashdeep
    Files

    View Slide

  18. Mounter
    Currently: brakeman, bundler-audit,
    owasp-dependency-check, secrets in
    source, retire.js, scan.js,
    bandit
    Future: many more possible.
    Designed for extension.
    Files Code

    View Slide

  19. Mounter
    Currently: ZAP (in progress)
    Future: guantlt, nmap.
    Files Code App

    View Slide

  20. Mounter
    Currently: Prevents false positives in JIRA.
    Files Code App Filter

    View Slide

  21. Mounter
    Currently: Reports to JIRA, TeamCity, csv, json, off, text.
    Files Code App Filter Reporter

    View Slide

  22. View Slide

  23. Go live

    View Slide

  24. Extension Points
    • Mounters: mount, supports?
    • Tasks: run, analyze, supported?
    • Filters: filter
    • Reporter: run_report
    Mounter Files Code App Filter Reporter
    “Tasks”

    View Slide

  25. Other Internals
    • Within “Tasks”, each of the files, code and app
    phases of the pipeline can be run selectively.
    Mounter Files Code App Filter Reporter
    “Tasks”

    View Slide

  26. ruby bin/glue
    -l code (Code analysis)
    -d (Turn on debug)
    -f text (Output format)
    /area53/app/

    View Slide

  27. Some checks
    excellent and valid…

    View Slide

  28. Others still noisy …

    View Slide

  29. What if it just automatically
    ran against every
    company github project?

    View Slide

  30. Jenkins

    View Slide

  31. View Slide

  32. View Slide

  33. View Slide

  34. View Slide

  35. View Slide

  36. View Slide

  37. View Slide

  38. View Slide

  39. View Slide

  40. Recap of “Tasks”
    • File: AV, FIM
    • Code:
    • Secrets: SFL, Trufflehog
    • Ruby/Rails: brakeman, bundler-audit
    • JavaScript: NodeSecurityProject, eslint, retire.js
    • Python: bandit
    • Java: owasp-dependency-check
    • Other: Checkmarx
    • Ingestors: Burp, Contrast
    • Live: ZAP

    View Slide

  41. Using K8S

    View Slide

  42. Using K8S

    View Slide

  43. Help? What’s next?
    • Omer is working on dynamic tasks.
    • Better tests
    • Better documentation
    • More tasks
    • Additional JIRA flows

    View Slide

  44. Let’s do it live.

    View Slide