Roudra - Security Automation Framework
I described challenges and metrics for tracking the security quality of software in Securing Software - Part 2. Product development and deployment teams struggle with security assurance verification because of the number of components, dependencies and features in their software products. Automating the security assurance activities is clearly desirable, and there are plenty of stand-alone tools, both open source and proprietary, which automate some parts of the assurance tasks. However, the variety of reports, formats, nomenclature, detail levels and false positives makes using these tools cumbersome. Moreover, these tools lack good interfaces for being chained together into an effective integration. We, at cyberSecurist Technologies, are attempting to solve some of these challenges. The result is the Roudra – Security Automation Framework (Roudra-SAF). You can obtain a demo copy of the tool-chain by sending an e-mail to contact@cyberSecurist.com.
Origin
The Security Automation Framework (SAF) was developed as an open source prototype and presented at AppSec USA 2015. We are continuing to strengthen it with new features, more tool integrations and bug fixes. After intensive work and fixes, we are now ready to support the improved tool-chain as Roudra-SAF.
We believe Roudra-SAF can be useful in at least three ways.
● To run a baseline set of tools repeatedly and consistently, to obtain both snapshot and trending data on security assurance.
● To generate evidence of conformity to a set of security requirements, each mapped to running a set of tools and their corresponding reports. This evidence can be used as verification of self-reported software security status, or presented to auditors or an approving authority to obtain permission to release a product.
● To deploy specific tools in a production environment and obtain logs and events for off-line processing and alerts.
At present the tool integrates with Nmap, a Heartbleed detection tool and sqlmap, for the purpose of a demo.
Implementation
Roudra-SAF is based on a Node.js request-response framework, consisting of a Control Server (orchestrator), any number of tool launcher clients, and a User Interface (UI) web component. An administrator connects to Roudra-SAF through a browser pointed at the UI. From the UI the administrator performs all the tasks, e.g. upload a tool to the server, push it to a client, run a scan using the tool, and download the report of a scan.
All the components of Roudra-SAF interact through REST APIs. We plan to publish the Control Server REST APIs, so you can create your custom UI with different tasks and data flows to suit your needs.
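As an added illustration of the report-normalisation and snapshot/trending idea described above, here is a small Node.js example; it is not Roudra-SAF's own code (the Control Server REST APIs are not yet published), the Nmap XML is a constructed sample, and the finding schema is an assumption chosen for the demonstration.

```javascript
// Added example (not Roudra-SAF code): normalise Nmap XML output into a
// tool-agnostic finding record and diff two snapshots for trending.
// The XML below is constructed; the parser is a deliberately minimal regex
// pass over Nmap's <host>/<port> elements, not a general XML parser.
const SAMPLE_NMAP_XML = `
<nmaprun scanner="nmap">
  <host><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports>
  </host>
</nmaprun>`;

// Normalised finding: the same shape regardless of which tool produced it
// (assumed schema: tool, target, id, title, severity).
function normalizeNmap(xml) {
  const findings = [];
  const hostRe = /<host>([\s\S]*?)<\/host>/g;
  let h;
  while ((h = hostRe.exec(xml)) !== null) {
    const addr = (/<address addr="([^"]+)"/.exec(h[1]) || [])[1];
    const portRe = /<port protocol="(\w+)" portid="(\d+)">([\s\S]*?)<\/port>/g;
    let p;
    while ((p = portRe.exec(h[1])) !== null) {
      const state = (/<state state="(\w+)"/.exec(p[3]) || [])[1];
      if (state !== 'open') continue; // only open ports become findings
      const service = (/<service name="([^"]+)"/.exec(p[3]) || [])[1] || 'unknown';
      findings.push({
        tool: 'nmap', target: addr, id: `${p[1]}/${p[2]}`,
        title: `open ${p[1]} port ${p[2]} (${service})`, severity: 'info',
      });
    }
  }
  return findings;
}

// Trending: compare two snapshots by finding key and report what appeared
// or disappeared between runs.
function diffSnapshots(prev, curr) {
  const key = (f) => `${f.tool}|${f.target}|${f.id}`;
  const prevKeys = new Set(prev.map(key));
  const currKeys = new Set(curr.map(key));
  return {
    added: curr.filter((f) => !prevKeys.has(key(f))),
    removed: prev.filter((f) => !currKeys.has(key(f))),
  };
}
```

A second tool's parser (e.g. for sqlmap output) would emit the same finding shape, so one diff routine serves every tool in the chain.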
Future work
The next items on our integration priority list are crypto review tools, weakness detection tools for server configurations, network traffic analysis tools, data access pattern analysis tools, and IDS/IPS/UTM/deep inspection firewall data aggregation tools, all of which can assist in creating a baseline security assessment of your software deployment. We are also developing reporting features to track some of the metrics mentioned in Securing Software - Part 2. Integration of security code review and security verification/pen-testing tools can also be prioritised if users ask for it.
Roudra-SAF is free to download and use. It is being supported by cyberSecurist Technologies for any issues you may face.
Interested in trying it out? Just e-mail contact@cybersecurist.com, and we will send a zip file containing a description document and a couple of shell scripts to set up and run the demo. At present this demo is tested to run well on Debian/Ubuntu and Debian/Kali Linux.
Any special request for integration of your favorite tool? Comment? Question? Ask here or by email to contact@cyberSecurist.com.