14 February 2023

Dracon: security tool integration in a couple of clicks

The modern software landscape is evolving ever faster. The number of companies that produce software shows a clear upward trend, currently around 10% of the US market and predicted to reach 15% in the coming years. Furthermore, according to last year's Verizon DBIR, vulnerability exploitation and leaked credentials together account for more than half of the breaches it analysed. To secure an increasingly complex and increasingly attacked software and infrastructure landscape, companies are adopting more and more security tools. As a result, security teams now spend more of their time managing alerts, deciphering and reconciling data between tools, and closing false positives.

However, this is not what companies want from their security engineers. According to Glassdoor, security teams should:

  • Focus on discovering vulnerabilities
  • Prevent vulnerabilities from existing in the first place through a shift-left approach
  • Make existing vulnerabilities harder to exploit through defence in depth
  • Write custom tools and rules to find/exploit vulnerabilities

not:

  • Deal with duplicate results/alerts
  • Maintain vulnerability databases
  • Manually reconcile data from systems or tools
  • Create reporting metrics on vulnerability data
  • Drive data from their detection systems to their resolution/action systems

Essentially, we are not using the expertise of our security professionals effectively: highly skilled, in-demand individuals are being redirected from security engineering into work that resembles a data analysis role.

Furthermore, in a quest to cover every part of the attack surface, companies either introduce an alarmingly large number of tools that are not interoperable and create information silos or, worse, buy an over-promising silver-bullet solution from a single vendor that supposedly covers almost every enterprise security need. Security teams want fewer tools, and no single tool (all-in-one vendor suites included) fits exactly what you want to do; usually it is not even good enough. The only way out is a combination of different solutions.

No single vendor solution solves everything; a quick search on software review and comparison sites will confirm that. Most companies end up using a combination of vendor solutions and open source tools, and to make that work they have to dedicate considerable effort and money to building their own workflows that consolidate and deduplicate results and turn them into actionable alerts.

But how do we:

  • Automate tooling as close to development as possible?
  • Easily integrate any type of automation into the existing solutions?
  • Achieve vulnerability data mastery without custom code?
  • Optimise team efforts by reducing false positives and duplicates?

The problem we face is a data management and pipelining problem, and it has been solved many times before in other industries: how do you take data from many sources, combine and transform it in a flexible way, and finally store or visualise it?

Data science has had data reconciliation, pipelines and data lakes for years. In security we have only recently started talking about data lakes, and with the arrival of standardised formats such as SARIF (for static analysis results) and CycloneDX (for SBOMs) we finally have a way to merge data from different tools. A shared container format is only the first step, though: tools still name their rules, grade severity and describe locations differently, so results have to be normalised before they can be deduplicated or compared.

Our View

At Ocurity, we believe that security engineering teams should have the freedom to select and combine any aspects of any tools they want: the freedom to pick the best parts of whichever open source or vendor solutions they need, to change them whenever they want, and even to give each engineering team the tools that best suit its culture, workflow and technologies.

To achieve this we created, and are today open sourcing, a new version of Dracon, a tool for managing pipelines that run security tools in parallel against any code or infrastructure target. Dracon is not only a way to run scanners: it is also a platform for normalising and enriching their results, with features such as policy marking and duplicate identification, and it can send results to a wide range of visualisation and vulnerability management platforms so that staying on top of your security efforts becomes routine. To our knowledge, Dracon is the only solution built specifically for unifying security tools.

Our Use Case

One of our users, a medium-sized enterprise with 20 development teams, has set up Dracon with a GitHub Enterprise webhook to run application security tests or infrastructure security tests on every pull request and to keep each project's SBOM up to date (a use-case blog post is coming soon). The tools differ per technology, team and repository, but some are enterprise-wide and come from industry-leading vendors.

Once a repository has been scanned with the toolchain and rules relevant to its team, the results are enriched with policy information (from OPA), deduplicated and signed. They are then fed back to GitHub as static analysis results and into the company's vulnerability data lake for metrics, and findings against the main branch are opened as Jira tickets for tracking. Each team is also notified in its Slack channel of the number of actionable results when a scan finishes.

In addition, a GitHub Action included in every repository that deploys to the end-to-end testing environment runs the ZAP-proxied end-to-end tests through Dracon, with the results directed to GitHub and Jira.

Finally, compliance checking is done with an OPA policy that notifies the team if any results affecting repositories tagged "Sensitive" contain critical findings.
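The two ingredients this setup relies on, merging results that arrive in a standard format (the SARIF point made earlier) and then deduplicating them and applying the "Sensitive" policy, are small enough to show end to end. The Go program below is an added example written for this post and is not Dracon's code or any Dracon component: it reads a minimal subset of SARIF 2.1.0, fingerprints each result, drops repeats across runs and tools, and applies the critical-findings-in-Sensitive-repos rule as a plain Go function rather than as a Rego policy. Everything in it is assumed for illustration: the tool names, rule IDs and file paths, the three SARIF documents (constructed by hand, not produced by any real tool), the choice of fields that make up the fingerprint, and the mapping of SARIF level "error" to "critical".

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// The subset of SARIF 2.1.0 read here. encoding/json matches keys case-insensitively
// ("ruleId" -> RuleID, "uri" -> URI), so struct tags are not needed for this shape.
type sarifLog struct {
	Runs []struct {
		Tool    struct{ Driver struct{ Name string } }
		Results []struct {
			RuleID    string
			Level     string
			Message   struct{ Text string }
			Locations []struct {
				PhysicalLocation struct {
					ArtifactLocation struct{ URI string }
					Region           struct{ StartLine int }
				}
			}
		}
	}
}

// Finding is the tool-agnostic record handed to downstream consumers (data lake, tickets, chat).
type Finding struct {
	Tool, RuleID, Level, Message, URI, Hash string // Hash is the de-duplication key
	Line                                     int
}

// fingerprint hashes only what a re-scan of the same commit reproduces exactly; message
// text is left out because tools often embed scan-specific detail in it (assumption).
func fingerprint(tool, rule, uri string, line int) string {
	return fmt.Sprintf("%x", sha256.Sum256([]byte(fmt.Sprintf("%s|%s|%s|%d", tool, rule, uri, line))))
}

// Merge parses any number of SARIF documents, flattens their results into Findings
// and drops repeats, keeping the first occurrence of each fingerprint.
func Merge(docs ...[]byte) ([]Finding, error) {
	seen, out := map[string]bool{}, []Finding{}
	for _, raw := range docs {
		var doc sarifLog
		if err := json.Unmarshal(raw, &doc); err != nil {
			return nil, fmt.Errorf("parse sarif: %w", err)
		}
		for _, run := range doc.Runs {
			for _, r := range run.Results {
				f := Finding{Tool: run.Tool.Driver.Name, RuleID: r.RuleID, Level: r.Level, Message: r.Message.Text}
				if len(r.Locations) > 0 { // only the primary location is used for identity
					f.URI = r.Locations[0].PhysicalLocation.ArtifactLocation.URI
					f.Line = r.Locations[0].PhysicalLocation.Region.StartLine
				}
				if f.Level == "" {
					f.Level = "warning" // SARIF's default when neither result nor rule sets a level
				}
				f.Hash = fingerprint(f.Tool, f.RuleID, f.URI, f.Line)
				if !seen[f.Hash] {
					seen[f.Hash] = true
					out = append(out, f)
				}
			}
		}
	}
	return out, nil
}

// SensitiveViolations is a Go stand-in for the OPA rule in the post: in a repository tagged
// "Sensitive", every finding at SARIF level "error" (taken as "critical", an assumption) is escalated.
func SensitiveViolations(repoTags []string, fs []Finding) []Finding {
	sensitive := false
	for _, t := range repoTags {
		sensitive = sensitive || t == "Sensitive"
	}
	var out []Finding
	for _, f := range fs {
		if sensitive && f.Level == "error" {
			out = append(out, f)
		}
	}
	return out
}

// Constructed sample output, not from any real tool: "tool-a" ran twice against the
// same commit with slightly different message text; "tool-b" omits the level field.
const (
	toolARun1 = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"tool-a"}},"results":[{"ruleId":"A001","level":"error","message":{"text":"hard-coded credential"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/db.go"},"region":{"startLine":42}}}]}]}]}`
	toolARun2 = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"tool-a"}},"results":[{"ruleId":"A001","level":"error","message":{"text":"hard-coded credential (rescan)"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/db.go"},"region":{"startLine":42}}}]}]}]}`
	toolB     = `{"version":"2.1.0","runs":[{"tool":{"driver":{"name":"tool-b"}},"results":[{"ruleId":"B100","message":{"text":"missing input validation"},"locations":[{"physicalLocation":{"artifactLocation":{"uri":"src/handler.go"},"region":{"startLine":17}}}]}]}]}`
)

func main() {
	all, err := Merge([]byte(toolARun1), []byte(toolARun2), []byte(toolB))
	if err != nil {
		panic(err)
	}
	viol := SensitiveViolations([]string{"Sensitive"}, all)
	fmt.Printf("%d unique findings, %d to escalate: %+v\n", len(all), len(viol), viol)
}
```

Running it on the three constructed documents yields two unique findings (the repeated tool-a result collapses to one despite its changed message text) and one escalation, the A001 error. The design point worth carrying into a real pipeline is the fingerprint: hash only the fields a re-scan reproduces exactly, or every rerun looks like a fresh batch of findings and the Slack counts and Jira tickets described above become noise.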

The Results

This setup lets the security team manage only tooling configuration, while the development teams get low-noise insight into their security posture. And with results and scan metadata going into the team's data lake, and the major policies codified as Open Policy Agent rules, gathering compliance evidence becomes a minor task.

Dracon core is open source. Ocurity offers Dracon as an enterprise SaaS or self-hosted product, as well as SDLC security services. If you would like to learn more about Dracon and our services, get in touch.
