At Jemurai, we contribute extensively to OWASP Glue and use it on some of our projects where it makes sense to tie together automation around security. We kept seeing the same types of integration challenges and found that it was useful to have a common starting point to solve them. It is far from perfect and we would refer people to alternatives like ThreadFix and OWTF
What is Glue?
Glue is basically a Ruby gem (library) that knows how to run a variety of security tools, normalize the output to a set structure and then push the output to known useful places like Jira. We package Glue in a docker image to try to make it easy to set up all the different important moving parts (eg. Java, Python, Ruby and tools). You can get and run Glue from docker as easy as:
docker run owasp/glue:0.9.3
Or, for a more helpful example, we can run brakeman and get the output as follows:
docker run --rm owasp/glue:0.9.3 -t brakeman https://github.com/Jemurai/triage.git
The idea behind Glue is to be able to process different types of files via Mounters. Then to be able to analyze using different Tasks, filter with different Filters and report with different Reporters (CSV, Jira, Pivotal, etc.). Ultimately, there are the concept of stages that can be easily extended. The reason I’m writing the post today is because I wanted to add a Bandit task and it was so easy that all I had to do was add this one file: https://github.com/OWASP/glue/blob/master/lib/glue/tasks/bandit.rb.
When I was done, you could run bandit from the Glue docker image and push results to Jira or anywhere else:
docker run --rm owasp/glue:0.9.3 -t bandit https://github.com/humphd/have-fun-with-machine-learning.git
The following diagram illustrates the stages of the pipeline of functions that Glue performs.
Check out Glue or reach out if you want to talk about some of the common challenges in security automation.