16
Help us understand the problem. What are the problem?

More than 5 years have passed since last update.

posted at

updated at

Organization

Security-JAWS#3 Integrate Vuls with OWASP Dependency Check. To enable automatic update of vuls config when the programming language libraries are update.

Security-JAWS#3 Integrate Vuls with OWASP Dependency Check. To enable automatic update of vuls config when the programming language libraries are update.

by kotakanbe@github
1 / 25

This slide was used in Security-JAWS 【第3回】2016年10月28日(金)
2016/10/28 @ Tokyo

vuls_logo.png


Who am I


Vulnerability Management on AWS

Amazon Inspector is awesome
_SEC324__NEW__Introducing_Amazon_Inspector.png

Inspector can scan only OS packages.
We need to manage vulnerabilities of programming language libraries.
Today, I talk about how to manage it automatically and the way to notify the scan report by slack or E-Mail in Japanese by using Vuls and OWASP Dependency Check.


Vuls (VULnerability Scanner)


What's Vuls

vuls.png


Buzzed All Over The World

Star_history.png


Got First Place In GitHub Trending

2016/10/1 All Language
image002.png


Architecture

vuls-architecture.png


Features (日本語)

  • Scan for any vulnerabilities in Linux/FreeBSD Server
    • Supports Ubuntu, Debian, CentOS, Amazon Linux, RHEL, FreeBSD
    • Cloud, on-premise, Docker
  • Scan middleware that are not included in OS package management
    • Scan N/W Devices, middleware, programming language libraries and framework for vulnerability
    • Support software registered in CPE (日本語)
  • Agentless architecture
    • User is required to only setup one machine that is connected to other target servers via SSH
  • Nondestructive testing
  • Pre-authorization is not necessary before scanning on AWS
  • Email and Slack notification are both available. (supports Japanese language)
  • Scan result is viewable on accessory software, TUI Viewer terminal or Web UI (VulsRepo).

Usage: Scan vulnerabilities of non-OS packages

README , README日本語

[servers]

[servers.172-31-4-82]
host         = "172.31.4.82"
user        = "ec2-user"
keyPath     = "/home/username/.ssh/id_rsa"
cpeNames = [
  "cpe:/a:rubyonrails:ruby_on_rails:4.2.1",
]

Sample: NVD Vulnerability Database

  <entry id="CVE-2016-2098">
    <vuln:vulnerable-software-list>
      ...
      <vuln:product>cpe:/a:rubyonrails:ruby_on_rails:4.2.1</vuln:product>
      ...
    </vuln:vulnerable-software-list>
    <vuln:cve-id>CVE-2016-2098</vuln:cve-id>
    <vuln:cvss>
      <cvss:base_metrics>
        <cvss:score>7.5</cvss:score>
        <cvss:access-vector>NETWORK</cvss:access-vector>
        ...
    </vuln:cvss>
    ...
    <vuln:cwe id="CWE-20"/>
    <vuln:summary>Action Pack in Ruby on Rails before 3.2.22.2, 4.x before 4.1.14.2, and 4.2.x before 4.2.5.2 allows remote attackers to execute arbitrary Ruby code by leveraging an application's unrestricted use of the render method.</vuln:summary>
  </entry> 

How to find CPE names of libraries


OWASP Dependency Check

  • Dependency-Check is a utility that identifies project dependencies
  • checks if there are any known, publicly disclosed, vulnerabilities.
  • Currently Java and .NET are supported;
  • additional experimental support has been added for Ruby, Node.js, Python, and limited support for C/C++ build systems (autoconf and cmake).

組み込んだOSSコンポーネントの更新漏れを可視化する「OWASP_Dependency_Check」__2_5_:CodeZine(コードジン).png


OWASP Dependency Check Report


Integrate with OWASP Dependency Check

  • #232
  • Execute OWASP Dependency Check with --format=XML option.
  • Define the xml file path of dependency check in config.toml.
[servers.u16]
host     = "127.0.0.1"
port     = "22"
user     = "vuls"
keyPath  = "/path/to/.ssh/id_rsa"
dependencyCheckXMLPath = "/tmp/dependency-check-report.xml"

Demo


Benefit Of Integrating Vuls And OWASP Dependency Check

  • Automatic Update of Vuls config when the libraries are updated.
  • Reporting in Japanese
    • OWASP Dependency Check supports only English
  • Reporting by Email or Slack by using Vuls.

Tagging To EC2


What I'm planning to do next


Presentation (in Japan)


How To Catchup Vuls


We Are Hiring Hacker And Engineer!

If you are interested, please contact me ( Twitter: @kotakanbe )


Thanks

Give a GitHub Star if you are interested :)

Why not register and get more from Qiita?
  1. We will deliver articles that match you
    By following users and tags, you can catch up information on technical fields that you are interested in as a whole
  2. you can read useful information later efficiently
    By "stocking" the articles you like, you can search right away
Sign upLogin
16
Help us understand the problem. What are the problem?