We spend a fair amount of time building and using OWASP Glue to improve security automation at clients. The idea is generally to make it easy to run tools from CI/CD (eg. Jenkins) and collect results in JIRA. In a way, Glue is like ThreadFix or other frameworks that collect results from different tools. Recently, we thought it would be cool to extend some of what we were doing to AWS. We have our own scripts we use to examine AWS via APIs but we realized that Scout2 was probably ahead of us and it would be a good place to start.
The fine folks at NCCGroup wrote and open sourced a tool for inspecting AWS security called Scout2. You can use it directly, and we recommend it, based on the description here: https://github.com/nccgroup/Scout2. It produces an HTML report like this:
For most programmers, running Scout2 is easy. It just requires a little bit of python setup and an appropriate AWS profile. So it wasn’t so much the barrier to entry that made us want to integrate it into Glue so much as the idea that we could take the results and integrate them into the workflow (JIRA) that we are using for other findings from other tools. We thought that having an easy way to pull the results together and publish them based on Jenkins would be pretty useful.
What’s Coming with Glue
Glue has been a fun project that we’ve used opportunistically. The next set of goals with Glue is to clean it up, improve tests and documentation and prepare for a legitimate 1.0 release. At that point, we’ll probably also try to get Glue submitted for Lab status as an OWASP project.
Today I gave a talk at a company’s internal security conference about automation. The slides are on speakerdeck. A video is on vimeo.
The point of the talk was threefold:
- Explain where automation works well and examples of where we use it with OWASP Glue
- Explain newish cool automation like cloud analysis and pre-audit preparation
- Talk about how really, automation can only get us so far because we need the interaction and communication to fix things
I’d be interested to hear feedback!
There have been several recent improvements with Glue. Its been awesome to have more people committing to the project and adding in different ways.
One is related to ZAP integration, which is finally getting more of the attention it needs. Another is related to reporting to JIRA. Still another is a way to fail builds only on certain thresholds of errors. We have also been working on integrations for Contrast and Burp. We’ve added a more representative Jenkins Build Pipeline integration example.
We added support to search for entropy in passwords via TruffleHog.
What would you like to see in Glue? Where do you think we need to be to get to a credible 1.0?
At Jemurai, we contribute extensively to OWASP Glue and use it on some of our projects where it makes sense to tie together automation around security. We kept seeing the same types of integration challenges and found that it was useful to have a common starting point to solve them. It is far from perfect and we would refer people to alternatives like ThreadFix and OWTF
What is Glue?
Glue is basically a Ruby gem (library) that knows how to run a variety of security tools, normalize the output to a set structure and then push the output to known useful places like Jira. We package Glue in a docker image to try to make it easy to set up all the different important moving parts (eg. Java, Python, Ruby and tools). You can get and run Glue from docker as easy as:
docker run owasp/glue:0.9.3
Or, for a more helpful example, we can run brakeman and get the output as follows:
docker run --rm owasp/glue:0.9.3 -t brakeman https://github.com/Jemurai/triage.git
The idea behind Glue is to be able to process different types of files via Mounters. Then to be able to analyze using different Tasks, filter with different Filters and report with different Reporters (CSV, Jira, Pivotal, etc.). Ultimately, there are the concept of stages that can be easily extended. The reason I’m writing the post today is because I wanted to add a Bandit task and it was so easy that all I had to do was add this one file: https://github.com/OWASP/glue/blob/master/lib/glue/tasks/bandit.rb.
When I was done, you could run bandit from the Glue docker image and push results to Jira or anywhere else:
docker run --rm owasp/glue:0.9.3 -t bandit https://github.com/humphd/have-fun-with-machine-learning.git
The following diagram illustrates the stages of the pipeline of functions that Glue performs.
Check out Glue or reach out if you want to talk about some of the common challenges in security automation.