OWASP Glue Matt Konda [email protected] [email protected] @mkonda 

Introduction 90’s 2006 2014 Consultant Engineer Software Architect Director of Engineering Rabble Rouser: Perl, Java Java Applet C++ J2EE Spring Analytics Certificate Authority Vulnerability Scanner Penetration Test Manager Pricing Retail Banking Manufacturing Pharma Healthcare Research Ruby Rails Chicago BSides 2011, 2012 Defcon Skytalk OWASP Chicago, MSP 2013 AppSec USA 2012, 2013 ChicagoRuby 2013 Secure 360 MS in CS Founder Consultant Agile Cloud Clojure Graph Database Independent. Focus developers. Consulting. Domains: Projects: DevOps / Automation Training Coaching Code Review Plugged in to SDLC Consulting Assessments @mkonda [email protected] CEO Services. Product. Teaching Growing Teams Forward OWASP Board Lone Star Ruby 2013 WindyCityRails 2013 Chicago JUG 2014 RailsConf 2014 Converge 2014 Chicago Coder Conference 2015, 2016 Goto Chicago 2016 OWASP Chicago 

Team • Omer Levi Hevroni • (Active Leader) • Brian Fore • Me • Alex Lock • Runako Godfrey • Rafa Perez • Reuben Swartz 

Also … I’m term limited. ;) 

No content

Intended to make it easy to do security automation. 

Task Target Findings 

Findings Filter Report 

No content

Running Glue from Docker 1. docker run —rm owasp/glue -h 2. docker run —rm owasp/glue -t brakeman https://github.com/Jemurai/triage.git 

Running Glue from Docker 1. docker run —rm owasp/glue -t sfl https://github.com/Jemurai/triage.git 

Running Glue from Docker 1. docker run —rm owasp/glue -l code https://github.com/Jemurai/triage.git 

JIRA Example glue -t retire,sfl —f jira --jira-api-url myjira.atlassian.net --jira-api-context '' --jira-username youruser --jira-password password -—jira-project JIRA_PROJECT https://github.com/jemurai/triage.git 

No content

No content

Mounter Currently: git repo, filesystem, iso, docker image 

Mounter Currently: clamav, hashdeep Files 

Mounter Currently: brakeman, bundler-audit, owasp-dependency-check, secrets in source, retire.js, scan.js, bandit Future: many more possible. Designed for extension. Files Code 

Mounter Currently: ZAP (in progress) Future: guantlt, nmap. Files Code App 

Mounter Currently: Prevents false positives in JIRA. Files Code App Filter 

Mounter Currently: Reports to JIRA, TeamCity, csv, json, off, text. Files Code App Filter Reporter 

No content

Go live 

Extension Points • Mounters: mount, supports? • Tasks: run, analyze, supported? • Filters: filter • Reporter: run_report Mounter Files Code App Filter Reporter “Tasks” 

Other Internals • Within “Tasks”, each of the files, code and app phases of the pipeline can be run selectively. Mounter Files Code App Filter Reporter “Tasks” 

ruby bin/glue -l code (Code analysis) -d (Turn on debug) -f text (Output format) /area53/app/ 

Some checks excellent and valid… 

Others still noisy … 

What if it just automatically ran against every company github project? 

Jenkins 

No content

No content

No content

No content

No content

No content

No content

No content

No content

Recap of “Tasks” • File: AV, FIM • Code: • Secrets: SFL, Trufflehog • Ruby/Rails: brakeman, bundler-audit • JavaScript: NodeSecurityProject, eslint, retire.js • Python: bandit • Java: owasp-dependency-check • Other: Checkmarx • Ingestors: Burp, Contrast • Live: ZAP 

Using K8S 

Using K8S 

Help? What’s next? • Omer is working on dynamic tasks. • Better tests • Better documentation • More tasks • Additional JIRA flows 

Let’s do it live.