Security/Automation

From MozillaWiki
Jump to: navigation, search

Security Automation is a transversal group at Mozilla that is interested in building security tools. Projects such as ZAP, Zest, Plug-and-hack, TLS and HTTP Observatories, MozDef, MIG and more are part of the security automation group. Members meet weekly to discuss their projects, share ideas, discuss the news showcase cool stuff.

Weekly meeting

The weekly Security Bytes meeting happens in the Vidyo room named "SecAutomation".

  • every odd week on tuesday at 1500UTC
  • every even week wednesday at 1700UTC

(use date +%U to know which week it is)

Guests are welcome, and can join the meeting using Guest access and the Vidyo client. The URL is https://v.mozilla.com/flex.html?roomdirect.html&key=JnK7KelYpMMu

The public etherpad is at http://pad.mocotoolsprod.net/p/Security_Bytes

Meeting notes

Projects

ZAP

ZAP, or more formally, the OWASP Zed Attack Proxy, is an easy to use integrated penetration testing tool for finding vulnerabilities in web applications.

It is designed to be used by people with a wide range of security experience and as such is ideal for developers and functional testers who are new to penetration testing.

ZAP provides automated scanners as well as a set of tools that allow you to find security vulnerabilities manually.

It supports Plug-n-Hack and Zest and is one of the tools supported by Minion.

Plug'n'Hack

Plug-n-Hack (PnH) is a proposed standard from the Mozilla security team for defining how security tools can interact with browsers in a more useful and usable way.

It makes configuring security tools to work with browsers much simpler and less error prone.

PnH also allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser.

A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool.

PnH is supported by Firefox and security tools like ZAP, Burp Suite and OWASP OWTF.

Minion

Minion is an open source Security Automation platform. The 0.3 release of Minion allows Development, QA, and Security team members to perform automated web security scans with a set of tools, and re-execute those scans as needed.

MIG

MIG is a platform that allows investigators to send actions to pools of agents. What the actions do depend on the modules available on the agent, the MIG platform tries to focus on providing a set of capabilities without getting too specific about actual actions.

For example: an investigator launches an action to search for an apache module that matches a given md5 value. MIG will register the action, find all the relevant targets and send messages to each target with the content of the action. Each agent then individually perform the action using the module locally, and send the result back to the MIG platform. The MIG platform monitors execution, and will rerun actions when necessary.

Agents are designed to be lightweight and secure. Modules are executed with minimum privileges, in sandboxes when possible.

MozDef

The Mozilla Defense Platform (MozDef) automates the incident handling process by facilitating the real-time activities of incident handlers.

Goals:

  • Automate interfaces to other systems like bunker, banhammer, mig
  • Provide metrics for security events and incidents
  • Facilitate real-time collaboration amongst incident handlers
  • Facilitate repeatable, predictable processes for incident handling

Zest

Zest is an experimental specialized scripting language intended to be used in web oriented security tools.

The language is written in JSON, but is designed to be a visual language. The core language does not define any graphical representation - that is expected to be defined by the tools that integrate Zest.

Zest is used in ZAP as a macro language but is tool independent.

ScanJS

ScanJS is a simple JS static analysis tool.

Escape Artist

Escape Artist is an attempt to fuzz XSS filters. Still under heavy development and far from any kind of release.