Difference between revisions of "OWASP Jupiter"

m (Jupiter logo)
m (Formatting)

Revision as of 20:49, 23 March 2019


Introduction

An Application Security program is more successful when coverage of its processes and tooling can be proven. Unfortunately, an organization's software inventory lists include its custom-written applications but also systems and software that aren't in scope for a traditional AppSec program (Active Directory or Adobe Reader, for instance).

Making matters worse, organizations are constantly transforming the ways they operate. New software is being written and deployed every day:

  • Microservices
  • Marketing sites
  • Batch jobs
  • New e-commerce features
  • Mobile apps

Traditional ITAM solutions aren't tracking these custom-written applications that are the lifeblood of your organization because they aren't designed to find them.

If "who owns this?" or "did you know this was in production?" sounds familiar, you're not alone.

OWASP Jupiter - Application Inventory Management System

Existing DevOps processes already know what software is being built and when it is being deployed.

What if we leveraged those DevOps processes to gather crucial information about the organization’s software applications?

Having quality application inventory data enables:
  • Improved insight into what is being built and deployed across the software portfolio
  • Efficient onboarding to Application Security tools and processes (static analysis, dynamic analysis, open source software component analysis, penetration testing, vulnerability management)
  • Enhanced metrics capabilities to determine tool and process coverage as well as the organization’s Application Security maturity level

High Level Design

Jupiter is a microservice-based solution that consists of several components.

First, the Inventory Antecessor Collector Service can gather primitive inventory data (antecessors) directly from DevOps tools, such as continuous integration servers like Jenkins via the Jupiter Inventory Plugin, when the software is built and deployed.

The Inventory Management Console connects to the collector service and facilitates enrichment of the antecessor data into “gold records” representing an application. These records are stored by the Curated Inventory Service via REST API or through the management console.

Figure: Jupiter High Level Design
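To make the collector → enrichment → curated-record flow concrete, here is a small added model of that pipeline and of the coverage metric the Introduction says an inventory should make provable. It is example code written for this page, not Jupiter's own services or schema; the antecessor field names, the curation input and the repo URLs are constructed assumptions.

```python
"""Toy model of the Jupiter data flow: CI build events (antecessors) are
collected, enriched into curated "gold records", then used to measure
AppSec tool coverage. Example only; Jupiter's real services/APIs are not used."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample of what a CI plugin might report per build/deploy.
# Field names are assumptions, not Jupiter's schema.
ANTECESSORS = [
    {"job": "checkout-api", "repo": "git@example.invalid:shop/checkout-api.git",
     "deployed_to": "prod", "build": 412},
    {"job": "checkout-api", "repo": "git@example.invalid:shop/checkout-api.git",
     "deployed_to": "prod", "build": 413},
    {"job": "promo-site", "repo": "git@example.invalid:mkt/promo-site.git",
     "deployed_to": "prod", "build": 7},
    {"job": "nightly-reconcile", "repo": "git@example.invalid:fin/reconcile.git",
     "deployed_to": "batch", "build": 90},
]

# Constructed enrichment input, as a console user or ticket system might supply.
CURATION = {
    "git@example.invalid:shop/checkout-api.git": {"owner": "payments-team",
                                                  "tools": {"sast", "sca"}},
}

@dataclass
class GoldRecord:
    name: str
    repo: str
    environments: set = field(default_factory=set)
    owner: Optional[str] = None
    appsec_tools: set = field(default_factory=set)

def collect(antecessors):
    """Collector step: fold raw build events into one record per repository."""
    records = {}
    for a in antecessors:
        rec = records.setdefault(a["repo"], GoldRecord(a["job"], a["repo"]))
        rec.environments.add(a["deployed_to"])
    return records

def enrich(records, curation):
    """Console step: attach owner and AppSec tool onboarding to known repos."""
    for repo, meta in curation.items():
        if repo in records:
            records[repo].owner = meta.get("owner")
            records[repo].appsec_tools |= set(meta.get("tools", ()))
    return records

def coverage(records, tool):
    """Share of production apps onboarded to `tool`, plus the apps still missing it."""
    prod = [r for r in records.values() if "prod" in r.environments]
    missing = sorted(r.name for r in prod if tool not in r.appsec_tools)
    return ((len(prod) - len(missing)) / len(prod) if prod else 0.0), missing
```

The list returned by `coverage` is the concrete answer to "did you know this was in production?": apps the CI plugin saw deployed that no AppSec tool has been pointed at yet.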

Project Resources

Source Code

Project Leader

Matt Stanchek

Classifications

Project Type: Tool
Incubator Project
Builders, Defenders