Matt Konda edited this page Sep 20, 2016 · 3 revisions

Overview

OWASP Glue is intended to be glue that pulls security tools together and produces consistent results. It is intended to be used for integrating different tools to facilitate integrating security into CI/CD.

Design

The basic idea is that Glue is broken into 5 major pieces, all of which can be controlled via the CLI.

Mounters

The idea behind mounters is that you may have to pull source code from git, read a local file, or process a zip, a tar, or even an AMI. The mounters are intended to abstract that detail away from subsequent processing.

Files

Certain things make sense to do at a file system level. Specifically, for Glue, these are running antivirus (ClamAV) and file integrity monitoring (FIM, via hashdeep).

Code

The next stage is the set of tools that process source code. Examples are brakeman, bundler-audit, owasp-dependency-check, etc.

Live

The next stage is for running unit tests, scanning with ZAP, or otherwise analyzing a site that is live.

Filter

The filters give us a place to reduce the results back down or eliminate known noisy findings. One example of a filter is consolidating ZAP x-frame-options findings into one finding per scan, instead of one per page. Another is not creating new JIRA tickets for items already reported to JIRA.

Reporter

The reporters just take the findings and emit them in the specified format. Text, CSV, and JIRA are common.
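To make the filter and reporter stages concrete, here is a small added illustration of the design (written for this page; it is not Glue's own code and does not use Glue's classes). It assumes a constructed `Finding` record with a `fingerprint` field, a constructed batch of ZAP/Brakeman-style findings, and a stand-in list of "already reported" fingerprints in place of a JIRA lookup. It shows the two filters described above (collapsing per-page X-Frame-Options findings into one per scan, and dropping findings already tracked) followed by text and CSV reporters, chained the way a Glue run chains its stages.

```ruby
# Added illustration of Glue-style filter and reporter stages (not the project's code).
require 'csv'
require 'set'

# Constructed finding record; field names are assumptions, not Glue's schema.
Finding = Struct.new(:task, :description, :detail, :severity, :fingerprint)

# Constructed sample findings, as a ZAP "live" scan plus a Brakeman "code" scan
# might produce them: the same missing-header finding appears once per crawled page.
SAMPLE_FINDINGS = [
  Finding.new('ZAP', 'X-Frame-Options header missing', '/login', 2, 'zap-xfo-/login'),
  Finding.new('ZAP', 'X-Frame-Options header missing', '/account', 2, 'zap-xfo-/account'),
  Finding.new('ZAP', 'X-Frame-Options header missing', '/', 2, 'zap-xfo-/'),
  Finding.new('ZAP', 'SQL injection', '/search?q=', 3, 'zap-sqli-/search'),
  Finding.new('Brakeman', 'Cross-Site Scripting', 'app/views/x.erb:12', 3, 'brakeman-xss-12')
].freeze

# Filter 1: consolidate ZAP X-Frame-Options findings into one finding per scan,
# keeping the list of affected pages in the detail and the highest severity seen.
def consolidate_xfo(findings)
  xfo, rest = findings.partition do |f|
    f.task == 'ZAP' && f.description.start_with?('X-Frame-Options')
  end
  return findings if xfo.empty?

  merged = Finding.new('ZAP', xfo.first.description,
                       "#{xfo.size} pages affected: #{xfo.map(&:detail).join(', ')}",
                       xfo.map(&:severity).max, 'zap-xfo-consolidated')
  rest + [merged]
end

# Filter 2: drop findings whose fingerprint is already tracked. The fingerprint
# list stands in for "issues already filed in JIRA" (assumption, no JIRA call here).
def drop_known(findings, known_fingerprints)
  known = known_fingerprints.to_set
  findings.reject { |f| known.include?(f.fingerprint) }
end

# Reporter: one line per finding, severity first so it sorts/greps easily.
def report_text(findings)
  findings.map { |f| "[#{f.severity}] #{f.task}: #{f.description} (#{f.detail})" }.join("\n")
end

# Reporter: CSV with a header row; fields containing commas are quoted by the CSV library.
def report_csv(findings)
  CSV.generate do |csv|
    csv << %w[task description detail severity]
    findings.each { |f| csv << [f.task, f.description, f.detail, f.severity] }
  end
end

# Pipeline: apply each filter in order, then hand the result to the chosen reporter.
def run_pipeline(findings, filters, reporter)
  filtered = filters.reduce(findings) { |acc, filter| filter.call(acc) }
  reporter.call(filtered)
end

if __FILE__ == $PROGRAM_NAME
  filters = [method(:consolidate_xfo), ->(fs) { drop_known(fs, ['brakeman-xss-12']) }]
  puts run_pipeline(SAMPLE_FINDINGS, filters, method(:report_text))
  puts run_pipeline(SAMPLE_FINDINGS, filters, method(:report_csv))
end
```

Filters are plain callables taking and returning a list of findings, so adding a new one (a severity threshold, a path allow-list) is a matter of appending to the `filters` array; reporters likewise only see the filtered list, which is what keeps "one ticket per real issue" a filter concern rather than something each reporter has to re-implement.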
