An Application Security program is more successful when coverage of its processes and tooling can be proven. Unfortunately, an organization's software inventory lists mix its custom-written applications with systems and software that aren't in scope for a traditional AppSec program (Active Directory or Adobe Reader, for instance).
Making matters worse, organizations are constantly transforming the ways they operate. New software is being written and deployed every day:
Traditional ITAM solutions aren't tracking these custom-written applications, which are the lifeblood of your organization, because they weren't designed to find them.
If "who owns this?" or "did you know this was in production?" sounds familiar, you're not alone.
OWASP Jupiter - Application Inventory Management System
Existing DevOps processes already know what software is being built and when it is being deployed.
What if we leveraged those DevOps processes to gather crucial information about the organization’s software applications?
Having quality application inventory data enables:
High Level Design
First, the Inventory Antecessor Collector Service can gather primitive inventory data (antecessors) directly from DevOps tools, such as continuous integration servers like Jenkins via the Jupiter Inventory Plugin, when the software is built and deployed.
The Inventory Management Console connects to the collector service and facilitates enrichment of the antecessor data into “gold records” representing an application. These records are stored by the Curated Inventory Service via REST API or through the management console.
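The flow described above, as an added illustration that is not Jupiter's own code: primitive antecessors reported by CI jobs are merged into one gold record per application and then checked for the "who owns this?" gap. All field names, repository URLs, commit strings and the `owners` enrichment map are constructed assumptions; the real Jupiter schema and REST API are not shown on this page.

```python
"""Toy model of the Jupiter data flow: antecessors collected at build/deploy
time are merged into a curated 'gold record' per application.
Field names are hypothetical; the real Jupiter schema is not on this page."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Antecessor:
    """Primitive inventory data a CI job could emit when it builds or deploys."""
    repo: str          # source repository the job built
    job: str           # CI job name
    commit: str        # constructed placeholder, not a real hash
    environment: str   # where this build was deployed
    deployed_at: str   # ISO-8601 timestamp (constructed)


@dataclass
class GoldRecord:
    """Enriched application record as the curated inventory service would keep it."""
    repo: str
    name: str
    owner: Optional[str] = None            # only known after enrichment
    environments: Set[str] = field(default_factory=set)
    commits: Set[str] = field(default_factory=set)
    last_deployed: str = ""


def curate(antecessors: List[Antecessor], owners: Dict[str, str]) -> Dict[str, GoldRecord]:
    """Group antecessors by repository; `owners` is enrichment data (repo -> team)."""
    records: Dict[str, GoldRecord] = {}
    for a in antecessors:
        name = a.repo.rsplit("/", 1)[-1].removesuffix(".git")
        rec = records.setdefault(a.repo, GoldRecord(a.repo, name, owners.get(a.repo)))
        rec.environments.add(a.environment)
        rec.commits.add(a.commit)
        rec.last_deployed = max(rec.last_deployed, a.deployed_at)  # ISO strings sort lexically
    return records


def coverage_gaps(records: Dict[str, GoldRecord]) -> List[str]:
    """Applications seen in production that nobody has claimed: the 'who owns this?' list."""
    return sorted(r.name for r in records.values()
                  if "production" in r.environments and r.owner is None)


# Constructed sample antecessors, shaped like what a CI inventory plugin might report
SAMPLE = [
    Antecessor("git.example.com/shop/checkout.git", "checkout-build", "c0ffee01", "staging", "2024-03-01T10:00:00Z"),
    Antecessor("git.example.com/shop/checkout.git", "checkout-deploy", "c0ffee02", "production", "2024-03-02T09:30:00Z"),
    Antecessor("git.example.com/shop/legacy-batch.git", "batch-deploy", "dead0001", "production", "2024-02-20T08:00:00Z"),
    Antecessor("git.example.com/shop/wiki.git", "wiki-build", "abcd0001", "dev", "2024-02-21T08:00:00Z"),
]
OWNERS = {"git.example.com/shop/checkout.git": "payments-team"}  # constructed enrichment data

if __name__ == "__main__":
    recs = curate(SAMPLE, OWNERS)
    for r in recs.values():
        print(r.name, r.owner, sorted(r.environments), r.last_deployed)
    print("unowned in production:", coverage_gaps(recs))
```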