ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
•Download as PPTX, PDF•
0 likes•236 views
ArcherySec is an opensource vulnerability assessment and management tool which helps developers and pentesters to perform scans and manage vulnerabilities. ArcherySec uses popular opensource tools to perform comprehensive scanning for web applications and networks. It also supports multiple continuous integrations and continuous delivery software. The developers could utilize this tool for the implementation of vulnerability management in the DevOps CI/CD environment. - Perform Web and Network Vulnerability Scanning using opensource tools. - Correlates and Collaborate all raw scans data, shows them in a consolidated manner. - Perform authenticated web scanning. - Vulnerability Management. - Enable REST API's for developers to perform scanning and Vulnerability Management. - JIRA Ticketing System. - Sub domain discovery and scanning. - Periodic scans. - Concurrent scans. - Integrate with CI/CD software.
Recommended
More Related Content
Similar to ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
Similar to ArcherySec 2.0 @ BlackHat Arsenal Europe 2020 (20)
Recently uploaded
Recently uploaded (20)
ArcherySec 2.0 @ BlackHat Arsenal Europe 2020
- 1. Information Classification: General #BHEU @BLACKHATEVENTS 47302
- 2. Information Classification: General ArcherySec 2.0 Anand Tiwari @anandtiwarics #BHEU @BLACKHATEVENTS
- 3. Information Classification: General #BHEU @BLACKHATEVENTS 47302 About Me • I’m Anand Tiwari • Senior Security Consultant @NotSoSecure • Working on DevSecOps, Cloud Security and Web Application Security • 7+ Years of Experience in Offensive Security • Closely working with Operation and Development Team • Presented and Delivered Talks, Workshop @ DevOpsDays Istanbul, Boston, HITB, DEF CON, BlackHat Conferences
- 4. Information Classification: General #BHEU @BLACKHATEVENTS 47302 What is ArcherySec tool ? • Open Source Vulnerability Assessment and Management Tool. • Correlates and Collaborate all raw scans data, show them in a consolidated manner. • Automate Vulnerability Scanners. • Vulnerability Data Dashboard. • Helping you on Managing & Prioritising Vulnerabilities. • Useful for Red & Blue Teams. • Easy to integrate in CI/CD environment. • Build with Django.
- 5. Information Classification: General #BHEU @BLACKHATEVENTS 47302 Why did I build this ? • Manually Perform Vulnerability Assessment from Multiple Sources • Patch and Vulnerability Management Using Excel Sheets • Lack of False Positive Removal • Manual Vulnerability Tracking System • Risk Management Matrix on Spreadsheets Source: Google Image Search
- 6. Information Classification: General #BHEU @BLACKHATEVENTS 47302 How Does ArcherySec Work ?
- 7. Information Classification: General #BHEU @BLACKHATEVENTS 47302 Features • Plug your vulnerability Scanners and Tool into ArcherySec. • Upload Vulnerabilities From Multiple Sources. • Mark False Positive Vulnerabilities. • Track Closed Vulnerability and Visualize on Dashboard. • Raise Jira Ticket for individual Vulnerability. • Manage your Pentest Vulnerabilities. • Integrate into your DevOps pipeline.
- 8. Information Classification: General #BHEU @BLACKHATEVENTS Installation Install From GitHub Project Linux/MacOS Windows
- 9. Information Classification: General #BHEU @BLACKHATEVENTS Installation Docker Installation
- 10. Information Classification: General #BHEU @BLACKHATEVENTS Installation Vagrant + Ansible Installation
- 11. Information Classification: General #BHEU @BLACKHATEVENTS Integrate ArcherySec in your DevSecOps Environment
- 12. Information Classification: General #BHEU @BLACKHATEVENTS ArcherySec CLI Tool
- 13. Information Classification: General #BHEU @BLACKHATEVENTS
- 14. Information Classification: General #BHEU @BLACKHATEVENTS Demo
- 15. Information Classification: General #BHEU @BLACKHATEVENTS Scanners Plugins • OWASP ZAP • Burp Scan • Arachni • Nmap • Nikto • Nmap • OpenVAS
- 16. Information Classification: General #BHEU @BLACKHATEVENTS Scanners Report Parsers ● OWASP ZAP (XML) ● Burp (XML) ● Arachni (XML) ● Netsparker (XML) ● Webinspect (XML) ● Acunetix (XML) ● OpenVAS (XML) ● Nessus (XML) ● Bandit (Json) ● Retirejs (Json) ● Dependency Check (XML) ● FindBugs (XML) ● Nodejsscan (JSON) ● Clair (JSON) ● Bandit (JSON) ● Trivy (JSON) ● GitLab SCA Scan (JSON) ● GitLab SAST Scan (JSON) ● GitLab Container Scan (JSON) ● Samgrep (JSON) ● Dockle (JSON) ● Whitesource (XML) ● npm_audit (JSON) More Scanners (https://github.com/archerysec/archerysec/issues/16)
- 17. Information Classification: General #BHEU @BLACKHATEVENTS How to Contribute ? • Test ArcherySec Tool • Write scanners plugin or suggest us scanner support. • Use / Promote / write about the tool. • Report issue & feedback @ https://github.com/archerysec/archerysec/issues
- 18. Information Classification: General #BHEU @BLACKHATEVENTS Documentation • https://github.com/archerysec/archerysec/ • http://archerysec.com • https://docs.archerysec.com/ • https://developers.archerysec.com/
- 19. Information Classification: General #BHEU @BLACKHATEVENTS Contact • Twitter - https://twitter.com/archerysec • Facebook - https://www.facebook.com/ArcherySec/ • GitHub - https://github.com/archerysec
- 20. Information Classification: General #BHEU @BLACKHATEVENTS
Editor's Notes
- Hi all my name is anand Tiwari and I an information security professional. I’m working with NotSoSecure Company as Senior sECURITY consultant. Currently I’m working on DevSecOps, Cloud security and web application security. I have more than 7 years of experience in offensive security I’m closely working with operation and development team to solve challenges between dev, operation and security team. I have presented and delivered talks and workshops at multiple conferences like devopsdays Istanbul Boston HITB DEF CON BlackHat
- So what is an archerysec tool. Archerysec is an opensource vulnerability assessment and manage tool which helps developers and pentesters to perform scans and manage vulnerabilities. Archery uses popular opensource tools to perform comprehensive scanning and correlates and collaborate all raw scans data in a consolidated manner. It visualize data on dashboard. It help to manage and priorities vulnerabilities. It is very useful for red and blue and security analysist. The developers can also utilize this tool for as Vulnerability management in their devops CI/CD pipeline. Its build with Django framework.
- So the question is why did I build this and why it is required? I remember in my previous organization I was doing vulnerability management for internal and external assets and it was a periodic activity that we perform every month. We were using multiple spreadsheets to manage, and track vulnerabilities found in our organization assets. We also run multiple vulnerability scanners for scanning network, web application, source code review, and compliance and collect all vulnerability data from multiple sources and put into one single excel sheet and generate matrix. You can imagine how it's a nightmare for me to do all this activity every month. The problem was with we can’t continuously track closed issues or patched systems using excel sheets. Also, every month you can track your false-positive vulnerability and remove them from current scans. You could imagine how it is difficult when you do every month. So, I come up with ideas and wrote tools to solve all these problems.
- This is how archerysec work. You can input vulnerability report from multiple scanner source and upload into archerysec or plug your tool into archerysec and perform vulnerability assessment and management by visualizing on Dashboard.
- ArcherySec has capability to integrate your vulnerability scanner tools into it and perform scans. You can also upload vulnerability reports from your scanners. Using archerysec you can mark and track your false positive and closed vulnerability and visualize them on Dashboard. Archerysec has nice feature where you can integrate your JIRA ticket and raise jira issues. You could also manage your pentest vulnerability ArcherySec has API and CLI capability that help you to integrate into you devops pipeline and manage vulnerability.
- So how to contribute… you can start with testing archerysec tool into your local system and raise issue into github. You can also write your own plugin or suggest us scanners. You could write about the tool or promote or use in your organization. If you have any feedback or want to report issue you use our gihub issues.