
Do more with less screen-time, a modern Application Security Toolchain.

2023-02-15

Authors:   Spyros Gasteratos


Summary

The presentation introduces a free and open source Application Security Toolchain Framework that unifies multiple security tools and supports per-team configuration, conditional tool execution, and automated reporting. The framework is low to no code, platform-agnostic, and community-driven.
  • Automated security testing produces an abundance of signal about codebases and infrastructure with little manual effort, but managing findings and triaging false positives is time-consuming, so teams end up hiring more security experts just to push vulnerabilities to the right owners.
  • The framework unifies multiple security tools and allows per-team configuration, conditional tool execution, and automated reporting to different sinks based on code ownership.
  • It is low to no code, platform-agnostic, and community-driven, with integrations for several scanners both under the OWASP umbrella and outside it.
  • It schedules tool execution against both code and infrastructure, aggregates results from different tools, enriches them with several processors, and feeds them to a range of visualization platforms.
  • The framework is demonstrated through Dracon, the tool that implements this unified tool execution and results management.
  • Because integrations are community-contributed, the framework works with a wide range of security tools, and the set of integrations gives an idea of which tools are most popular.
The presentation describes a small security team in a fast-paced fintech environment with no budget for security tools that needed to scale its efforts and serve every team in the organization. The team created an open source integration framework that unifies multiple free and open source security tools and allows customization per team. The framework succeeded in unifying security efforts and making security seamless for development teams.

Abstract

Automated security testing has brought security teams an abundance of signal about codebases and infrastructure without much manual effort. However, we now spend a lot of time triaging false positives and managing findings. This doesn’t scale and results in us hiring more security experts as vulnerability pushers. Due to that, many teams struggle to achieve time-saving features like per-team configuration, conditional tool execution and automated reporting to different sinks based on code ownership. In this talk, we bring you a new free and open source Application Security Toolchain Framework with integrations for several scanners both under the OWASP umbrella and not. This allows security teams to schedule tool execution against both code and infrastructure, aggregate the results from many different tools, enrich them using several processors and finally consume them with a multitude of visualization platforms. All in a safe, performant and platform-agnostic way.
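The pipeline that the summary and abstract describe (decide which tools to run, aggregate results from several scanners, enrich them, and report to different sinks by code ownership) in miniature, as an added example for this page. This is not Dracon's code or data model: the two scanner output formats, the CODEOWNERS-style ownership map, the per-team policies, the trigger globs and the sink names are all constructed for illustration, and the sample results are made-up data, not real tool output.

```python
import fnmatch
import hashlib
import json
from dataclasses import dataclass, asdict

# Constructed sample input from two hypothetical scanners, each in its own shape.
# These formats are invented for this example; they are not any real tool's schema.
SAST_RESULTS = json.dumps([
    {"rule": "sql-injection", "file": "payments/api/orders.py", "line": 42, "severity": "high"},
    {"rule": "debug-flag-enabled", "file": "payments/api/settings.py", "line": 3, "severity": "low"},
    {"rule": "open-security-group", "file": "infra/terraform/sg.tf", "line": 15, "severity": "high"},
])
SCA_RESULTS = json.dumps({"vulnerabilities": [
    # The same advisory reported twice (e.g. two lockfile entries): must collapse to one finding.
    {"advisory": "EXAMPLE-ADV-1", "package": "requests", "path": "payments/requirements.txt", "level": 3},
    {"advisory": "EXAMPLE-ADV-1", "package": "requests", "path": "payments/requirements.txt", "level": 3},
]})

SEVERITY_RANK = {"LOW": 0, "MEDIUM": 1, "HIGH": 2, "CRITICAL": 3}


@dataclass(frozen=True)
class Finding:
    """Tool-agnostic finding: every producer normalises its output into this one shape."""
    tool: str
    title: str
    target: str    # file or infrastructure path the finding applies to
    line: int      # 0 when the tool does not report a line
    severity: str  # normalised to a SEVERITY_RANK key

    def fingerprint(self) -> str:
        # Stable identity across runs and tools, used for deduplication.
        key = f"{self.tool}|{self.title}|{self.target}|{self.line}".encode()
        return hashlib.sha256(key).hexdigest()[:16]


# Producers: one small parser per tool, all emitting Finding objects.
def parse_sast(raw: str) -> list:
    return [Finding("sast", r["rule"], r["file"], r["line"], r["severity"].upper())
            for r in json.loads(raw)]


SCA_LEVELS = {1: "LOW", 2: "MEDIUM", 3: "HIGH", 4: "CRITICAL"}  # hypothetical tool's scale


def parse_sca(raw: str) -> list:
    return [Finding("sca", f'{v["advisory"]} in {v["package"]}', v["path"], 0,
                    SCA_LEVELS.get(v["level"], "LOW"))
            for v in json.loads(raw)["vulnerabilities"]]


# Enricher: keep the first finding seen for each fingerprint.
def dedup(findings: list) -> list:
    seen = {}
    for f in findings:
        seen.setdefault(f.fingerprint(), f)
    return list(seen.values())


# Constructed CODEOWNERS-style map: glob -> owning team; the last matching rule wins.
CODEOWNERS = [("*", "security-team"), ("payments/*", "payments-team"), ("infra/*", "platform-team")]


def owner_of(path: str) -> str:
    owner = "security-team"
    for pattern, team in CODEOWNERS:
        if fnmatch.fnmatch(path, pattern):
            owner = team
    return owner


# Per-team configuration (constructed): severity threshold and reporting sink per owning team.
TEAM_POLICY = {
    "payments-team": {"min_severity": "MEDIUM", "sink": "jira"},
    "platform-team": {"min_severity": "HIGH", "sink": "slack"},
    "security-team": {"min_severity": "LOW", "sink": "dashboard"},
}


def route(findings: list) -> dict:
    """Consumer stage: {sink: [enriched finding dicts]} after each owner's policy is applied."""
    routed = {}
    for f in findings:
        team = owner_of(f.target)
        policy = TEAM_POLICY[team]
        if SEVERITY_RANK[f.severity] < SEVERITY_RANK[policy["min_severity"]]:
            continue  # below this team's threshold: not reported to them
        record = {**asdict(f), "id": f.fingerprint(), "owner": team}
        routed.setdefault(policy["sink"], []).append(record)
    return routed


# Conditional tool execution (constructed rule): choose scanners from the paths a change touched.
TOOL_TRIGGERS = {"sast": ["*.py", "*.go"], "sca": ["*requirements*.txt", "*go.sum"], "iac": ["*.tf"]}


def select_tools(changed_paths: list) -> list:
    return sorted({tool for tool, globs in TOOL_TRIGGERS.items()
                   for p in changed_paths for g in globs if fnmatch.fnmatch(p, g)})


def run_pipeline(tool_outputs: dict) -> dict:
    """Aggregate -> enrich -> route. tool_outputs maps a tool name to its raw output."""
    parsers = {"sast": parse_sast, "sca": parse_sca}
    findings = [f for name, raw in tool_outputs.items() for f in parsers[name](raw)]
    return route(dedup(findings))


if __name__ == "__main__":
    print("tools to run:", select_tools(["payments/api/orders.py", "payments/requirements.txt"]))
    for sink, records in run_pipeline({"sast": SAST_RESULTS, "sca": SCA_RESULTS}).items():
        print(sink, [(r["owner"], r["severity"], r["title"]) for r in records])
```

With the constructed data, the low-severity finding owned by the payments team never reaches a sink, the duplicated SCA advisory is reported once, and the infrastructure finding goes to the platform team's sink rather than the payments team's. Adding a scanner means writing one more parser into the common Finding shape; routing and policy stay untouched, which is the property that lets a small team serve many development teams.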

Materials:
