
Glue Intro

Matt Konda
October 12, 2018

In this talk, I walk through the OWASP Glue tool that we contribute to, and describe the architecture and how to add new tasks.

Transcript

  1. OWASP Glue
    Matt Konda
    [email protected]
    [email protected]
    @mkonda

  2. Introduction
    90’s 2006 2014
    Consultant
    Engineer
    Software
    Architect
    Director of
    Engineering
    Rabble Rouser:
    Perl, Java
    Java Applet
    C++
    J2EE
    Spring
    Analytics
    Certificate Authority
    Vulnerability Scanner
    Penetration Test Manager
    Pricing
    Retail
    Banking
    Manufacturing
    Pharma
    Healthcare
    Research
    Ruby
    Rails
    Chicago BSides 2011, 2012
    Defcon Skytalk
    OWASP Chicago, MSP 2013
    AppSec USA 2012, 2013
    ChicagoRuby 2013
    Secure 360
    MS in CS
    Founder
    Consultant
    Agile
    Cloud
    Clojure
    Graph Database
    Independent.
    Focus developers.
    Consulting.
    Domains: Projects:
    DevOps / Automation
    Training
    Coaching
    Code Review
    Plugged in to SDLC
    Consulting
    Assessments
    @mkonda
    [email protected]
    CEO
    Services.
    Product.
    Teaching
    Growing Teams
    Forward
    OWASP Board
    Lone Star Ruby 2013
    WindyCityRails 2013
    Chicago JUG 2014
    RailsConf 2014
    Converge 2014
    Chicago Coder Conference 2015, 2016
    Goto Chicago 2016
    OWASP Chicago

  3. Team
    • Omer Levi Hevroni (Active Leader)
    • Brian Fore
    • Me
    • Alex Lock
    • Runako Godfrey
    • Rafa Perez
    • Reuben Swartz

  4. Also … I’m term limited. ;)

  5. (image only, no text)

  6. Intended to make it easy to do security automation.

  7. Task Target Findings

  8. Findings Filter Report

  9. (image only, no text)

  10. Running Glue from Docker
    1. docker run --rm owasp/glue -h
    2. docker run --rm owasp/glue -t brakeman https://github.com/Jemurai/triage.git

  11. Running Glue from Docker
    1. docker run --rm owasp/glue -t sfl https://github.com/Jemurai/triage.git

  12. Running Glue from Docker
    1. docker run --rm owasp/glue -l code https://github.com/Jemurai/triage.git

  13. JIRA Example
    glue -t retire,sfl \
      -f jira \
      --jira-api-url myjira.atlassian.net \
      --jira-api-context '' \
      --jira-username youruser \
      --jira-password password \
      --jira-project JIRA_PROJECT \
      https://github.com/jemurai/triage.git

  14. (image only, no text)

  15. (image only, no text)

  16. Mounter
    Currently: git repo, filesystem, iso, docker image

  17. Mounter → Files
    Files (currently): clamav, hashdeep

  18. Mounter → Files → Code
    Code (currently): brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js, bandit
    Future: many more possible. Designed for extension.

  19. Mounter → Files → Code → App
    App (currently): ZAP (in progress)
    Future: gauntlt, nmap.

  20. Mounter → Files → Code → App → Filter
    Filter (currently): prevents false positives in JIRA.

  21. Mounter → Files → Code → App → Filter → Reporter
    Reporter (currently): reports to JIRA, TeamCity, csv, json, off, text.

  22. (image only, no text)

  23. Go live

  24. Extension Points
    • Mounters: mount, supports?
    • Tasks: run, analyze, supported?
    • Filters: filter
    • Reporter: run_report
    Pipeline: Mounter → [Files, Code, App] (“Tasks”) → Filter → Reporter

  25. Other Internals
    • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively.
    Pipeline: Mounter → [Files, Code, App] (“Tasks”) → Filter → Reporter
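    The extension points from slides 24 and 25 (a task with supported?/run/analyze, a filter with filter, a reporter with run_report), modelled as an added stand-alone Ruby example that is not Glue's own code. The class names, the Finding struct, the fingerprint scheme and the in-memory sample target are assumptions, not Glue's real base classes or API.

```ruby
# Added example, not OWASP Glue's code: models the Task (supported?/run/analyze),
# Filter (filter) and Reporter (run_report) extension points; class names are assumed.
require "digest"
require "json"
Finding = Struct.new(:task, :description, :source, :severity, :fingerprint)

# Constructed sample target, standing in for a mounted repo: { path => contents }.
SAMPLE_FILES = {
  "config/settings.rb" => "env = :prod\npassword = 'hunter2'\n",
  "app/main.rb"        => "api_key = ENV['API_KEY']\n", # read from env, not flagged
}
# Code-stage task in the spirit of "secrets in source": flags quoted credentials.
class CredentialTask
  PATTERN = /^\s*(password|secret|api_key)\s*=\s*["'][^"']+["']/i

  def initialize(files); @files = files; end
  def supported?; true; end  # a real task would check its underlying tool is installed

  def run                    # collect raw hits as [path, line_no, line]
    @raw = @files.flat_map do |path, text|
      text.each_line.with_index(1).select { |l, _| l =~ PATTERN }
          .map { |l, n| [path, n, l.strip] }
    end
  end

  def analyze                # normalise hits into Findings with a stable fingerprint
    @raw.map do |path, n, line|
      fp = Digest::SHA256.hexdigest("CredentialTask:#{path}:#{line}")[0, 16]
      Finding.new("CredentialTask", "Hard-coded credential", "#{path}:#{n}", "High", fp)
    end
  end
end

# Filter: drop fingerprints already triaged as false positives, so a reporter
# such as JIRA does not re-open them on every run (the slide 20 use case).
class SuppressionFilter
  def initialize(suppressed); @suppressed = suppressed; end
  def filter(findings); findings.reject { |f| @suppressed.include?(f.fingerprint) }; end
end

class JsonReporter
  def run_report(findings); JSON.generate(findings.map(&:to_h)); end
end

def run_pipeline(files, suppressed = [])  # Task -> Findings -> Filter
  task = CredentialTask.new(files)
  return [] unless task.supported?
  task.run
  SuppressionFilter.new(suppressed).filter(task.analyze)
end
```

    Running the pipeline a second time with the first run's fingerprints in the suppression list yields no findings, which is what keeps a JIRA reporter from re-opening triaged issues.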

  26. ruby bin/glue -l code -d -f text /area53/app/
    -l code   (Code analysis)
    -d        (Turn on debug)
    -f text   (Output format)

  27. Some checks excellent and valid…

  28. Others still noisy …

  29. What if it just automatically ran against every company github project?

  30. Jenkins

  31. to 39. (image-only slides, no text)

  40. Recap of “Tasks”
    • File: AV, FIM
    • Code:
      • Secrets: SFL, Trufflehog
      • Ruby/Rails: brakeman, bundler-audit
      • JavaScript: NodeSecurityProject, eslint, retire.js
      • Python: bandit
      • Java: owasp-dependency-check
      • Other: Checkmarx
    • Ingestors: Burp, Contrast
    • Live: ZAP

  41. Using K8S

  42. Using K8S

  43. Help? What’s next?
    • Omer is working on dynamic tasks.
    • Better tests
    • Better documentation
    • More tasks
    • Additional JIRA flows

  44. Let’s do it live.
