OWASP Glue

We all know that running security tests in CI gives us a lot of value, and we already know a few good security tools that we are running, or planning to run, continuously to ensure our app stays secure. But integrating those tools into CI is not a simple task: each tool has its own API and does not always support all the features we want. For example, we might want to report the findings of each tool as TeamCity tests, or maybe we are using Jira and want to open a new issue for each finding. And what about filtering false positives? Any automated tool will produce false-positive findings, but how can we filter them? In this talk I'll demo OWASP Glue, a tool that aims to ease the integration of various security tools into the CI/CD pipeline.
The talk was presented at a DevSecOps meetup.


  1. OWASP Glue @omerlh #MeetupAtSoluto April 2018
  2. Why another security tool?
  3. Story Time
  4. https://www.slashgear.com/petya-ransomware-finally-has-a-fix-no-need-to-pay-ransom-12435885/
  5. I should've read that report...
  6. Let's add some Glue
  7. OWASP Glue ● Ease the integration of security tools ● "DevSecOps Tool" ● OWASP Open Source Project
  8. Task → Target → Findings
  9. Findings → Filter → Report
  10. Currently Supported Tasks ● brakeman ● bundleaudit ● checkmarx ● clamav ● dawnscanner ● eslint ● fim ● findsecbugs ● nsp ● owasp-dep-check ● pmd ● retirejs ● scanjs ● sfl ● sync ● snyk ● OWASP ZAP
  11. Running Glue: OmerL-Mac$ docker run -it soluto/glue:17 glue -h
  12. "DevSecOps tool" ● Quick win ● Break the build or it doesn't happen ● Handling false positives ● Keep it DRY
  13. Example from our production TeamCity
  14. Wrap Up ● OWASP Glue ● "DevSecOps tool" ● Using Glue
  15. What can Glue do for YOU? @omerlh
  16. Moment for Gratitude ● Matt Konda ● Alex Lock ● Rafa Perez
  17. Acknowledgment ● Glue is an OWASP project ● Not active in the past year ● Temporarily maintained by Soluto (fork) ● Actively used by Soluto ● Hope to merge back to master
  18. Now You Can Rest
  19. Questions?
  20. Thank You @omerlh #MeetupAtSoluto
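Slides 8, 9 and 12 describe the Findings → Filter → Report flow and the two rules "break the build or it doesn't happen" and "handle false positives"; the abstract mentions reporting findings as TeamCity tests. The Ruby script below is an added illustration of that flow and is not Glue's own code, output schema or CLI. The finding records, the fingerprint-based ignore list and the severity threshold are assumptions made for the example; the `##teamcity[...]` service-message syntax it emits is the real format TeamCity parses from build output, including its escaping rules.

```ruby
require 'json'
require 'digest'

# Constructed sample findings. The field names are an assumption for this
# example, not Glue's real finding schema.
SAMPLE_FINDINGS = [
  { 'task' => 'brakeman', 'severity' => 'high',
    'description' => 'SQL injection in UsersController#show',
    'path' => 'app/controllers/users_controller.rb:12' },
  { 'task' => 'retirejs', 'severity' => 'medium',
    'description' => 'jquery 1.8.0 has known vulnerabilities',
    'path' => 'public/js/jquery.js' },
  { 'task' => 'brakeman', 'severity' => 'low',
    'description' => 'Mass assignment in User model',
    'path' => 'app/models/user.rb:3' }
].freeze

# Stable fingerprint of a finding, so an ignore list committed next to the
# code keeps matching the same finding on every build (assumed key choice).
def fingerprint(finding)
  raw = [finding['task'], finding['path'], finding['description']].join("\0")
  Digest::SHA256.hexdigest(raw)[0, 16]
end

# Filter step: drop findings whose fingerprint a reviewer accepted as a
# false positive. Anything not explicitly ignored keeps flowing.
def filter_findings(findings, ignored_fingerprints)
  findings.reject { |f| ignored_fingerprints.include?(fingerprint(f)) }
end

# TeamCity service-message escaping: '|' is the escape character and
# | ' newline carriage-return [ ] must all be escaped.
TC_ESCAPES = { '|' => '||', "'" => "|'", "\n" => '|n', "\r" => '|r',
               '[' => '|[', ']' => '|]' }.freeze

def tc_escape(text)
  text.to_s.gsub(/[|'\n\r\[\]]/) { |c| TC_ESCAPES[c] }
end

# Report step: one TeamCity test per surviving finding, each marked failed
# so the finding shows up in the build's test tab with its details.
def teamcity_messages(findings)
  findings.flat_map do |f|
    name = "#{f['task']}: #{f['path']}"
    [
      "##teamcity[testStarted name='#{tc_escape(name)}']",
      "##teamcity[testFailed name='#{tc_escape(name)}' " \
        "message='#{tc_escape(f['severity'])}' details='#{tc_escape(f['description'])}']",
      "##teamcity[testFinished name='#{tc_escape(name)}']"
    ]
  end
end

# Gate: the build breaks when any finding at or above the threshold survives
# the filter. The severity scale is an assumption for the example.
SEVERITY_RANK = { 'low' => 1, 'medium' => 2, 'high' => 3 }.freeze

def build_should_break?(findings, threshold = 'medium')
  limit = SEVERITY_RANK.fetch(threshold)
  findings.any? { |f| SEVERITY_RANK.fetch(f['severity'], 0) >= limit }
end

if __FILE__ == $PROGRAM_NAME
  # The mass-assignment finding was reviewed and accepted as a false positive.
  ignored = [fingerprint(SAMPLE_FINDINGS[2])]
  remaining = filter_findings(SAMPLE_FINDINGS, ignored)
  puts teamcity_messages(remaining)
  status = build_should_break?(remaining) ? 1 : 0
  # A real CI step would `exit status` here so the build goes red.
  puts "exit status would be #{status} (#{remaining.size} finding(s) remain)"
end
```

In a pipeline the ignore list would be a small file of fingerprints checked in alongside the code, so that accepting a false positive is itself a reviewed change rather than a flag passed on the command line.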
