sechub: one central and easy way to use different security tools with one API/Client

sechub

It enables the operation and integration of various security tools with one central API in a development environment.

The SecHub server orchestrates different security tools behind one API layer. Users call the SecHub server rather than the security tools directly, so projects and build pipelines do not need to implement different plugins; they use one single API. No plugin is necessary at all: the SecHub client, written in Go, can scan synchronously and break a build pipeline when necessary. The client can be easily integrated into every build system!


Overview

What can be done with SecHub?

  • easily integrate security tools
  • centralize your security infrastructure
  • switch between or combine different tools
  • mitigate effects on your projects
  • all by just one single JSON file

How does it work?

User perspective
  1. Inside a JSON file, the security setup is defined (e.g. code scan, infra scan, web scan, ...)
  2. The REST API or the small native client (which is more convenient) is used to create a SecHub job
  3. SecHub job execution can be done
    • synchronous (break build on problems) or
    • asynchronous (does not break build)
  4. Overview reports with listed vulnerabilities can be downloaded in JSON or HTML output format.
  5. Exact details are still provided by the tools, but they can be easily accessed via the links included in SecHub reports
Server perspective
  1. A server manages different SecHub Jobs
  2. A job belongs to a SecHub project
  3. A job can only be triggered by a user being a member of a project
  4. A project has a whitelist of URLs/IPs, so accidental scanning of other IPs/URLs is not possible
  5. Depending on the JSON configuration different product executors are started
  6. The product executor communicates with a security product by a dedicated product adapter.
  7. The product results are collected by SERECO (SecHub report collector)
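The user perspective (a JSON file that decides which scans run) and the server perspective (membership check, project whitelist, executor selection) together, as an added Go example written for this README. It is not SecHub's own server or client code: the configuration keys (`codeScan`, `webScan`, `infraScan`, `folders`, `urls`, `ips`), the executor names, and the sample project and whitelist are assumptions constructed for the illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net"
	"strings"
)

// JobConfig is an illustrative, SecHub-style job configuration. The key names
// are assumptions made for this example, not the project's documented schema.
type JobConfig struct {
	CodeScan  *CodeScan  `json:"codeScan,omitempty"`
	WebScan   *WebScan   `json:"webScan,omitempty"`
	InfraScan *InfraScan `json:"infraScan,omitempty"`
}

type CodeScan struct{ Folders []string `json:"folders"` }
type WebScan struct{ URLs []string `json:"urls"` }
type InfraScan struct{ IPs []string `json:"ips"` }

// Project models the server-side rules from the README: jobs may only be
// triggered by members, and scan targets must match the project whitelist.
type Project struct {
	Members       map[string]bool
	WhitelistURLs []string     // allowed URL prefixes, e.g. "https://app.example.test/"
	WhitelistNets []*net.IPNet // allowed IP ranges in CIDR form
}

// ParseConfig decodes the JSON file strictly: unknown keys are an error rather
// than being silently ignored, and a file that requests no scan is rejected.
func ParseConfig(raw string) (JobConfig, error) {
	var cfg JobConfig
	dec := json.NewDecoder(strings.NewReader(raw))
	dec.DisallowUnknownFields()
	if err := dec.Decode(&cfg); err != nil {
		return JobConfig{}, err
	}
	if cfg.CodeScan == nil && cfg.WebScan == nil && cfg.InfraScan == nil {
		return JobConfig{}, fmt.Errorf("configuration requests no scan")
	}
	return cfg, nil
}

// SelectExecutors returns which product executors the server would start for
// a configuration (step 5 of the server perspective). Names are assumed.
func SelectExecutors(cfg JobConfig) []string {
	var execs []string
	if cfg.CodeScan != nil {
		execs = append(execs, "codescan")
	}
	if cfg.WebScan != nil {
		execs = append(execs, "webscan")
	}
	if cfg.InfraScan != nil {
		execs = append(execs, "infrascan")
	}
	return execs
}

// ValidateJob enforces membership (step 3) and the whitelist (step 4) before
// any product adapter is contacted. A single bad target rejects the whole job.
func ValidateJob(p Project, user string, cfg JobConfig) error {
	if !p.Members[user] {
		return fmt.Errorf("user %q is not a member of the project", user)
	}
	if cfg.WebScan != nil {
		for _, u := range cfg.WebScan.URLs {
			if !hasAllowedPrefix(u, p.WhitelistURLs) {
				return fmt.Errorf("web scan target %q is not whitelisted", u)
			}
		}
	}
	if cfg.InfraScan != nil {
		for _, s := range cfg.InfraScan.IPs {
			ip := net.ParseIP(s)
			if ip == nil || !inAnyNet(ip, p.WhitelistNets) {
				return fmt.Errorf("infra scan target %q is not whitelisted", s)
			}
		}
	}
	return nil
}

func hasAllowedPrefix(u string, prefixes []string) bool {
	for _, pfx := range prefixes {
		if strings.HasPrefix(u, pfx) {
			return true
		}
	}
	return false
}

func inAnyNet(ip net.IP, nets []*net.IPNet) bool {
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

func main() {
	_, cidr, _ := net.ParseCIDR("10.1.2.0/24") // constructed whitelist range
	project := Project{Members: map[string]bool{"alice": true},
		WhitelistURLs: []string{"https://app.example.test/"}, WhitelistNets: []*net.IPNet{cidr}}
	// constructed job file: a code scan plus a web scan of one whitelisted URL
	cfg, err := ParseConfig(`{"codeScan":{"folders":["src/"]},"webScan":{"urls":["https://app.example.test/login"]}}`)
	if err != nil {
		panic(err)
	}
	fmt.Println("executors:", SelectExecutors(cfg))
	fmt.Println("alice:", ValidateJob(project, "alice", cfg)) // nil: member, target whitelisted
	fmt.Println("bob:", ValidateJob(project, "bob", cfg))     // error: not a member
}
```

The whitelist entries end with a slash on purpose: a prefix check against `https://app.example.test/` does not match `https://app.example.test.evil.example/`, which a check against the bare host name would. A real deployment would additionally parse and normalize the URL (scheme, port, percent-encoding) before comparing.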

What do you still need?

  • An existing security infrastructure that can be managed by SecHub! SecHub gives you a central point for your build pipeline, your delivery chain, etc. It helps to integrate, but it does not contain any security tools itself.

Which security tools are currently supported?

  • Checkmarx
  • Netsparker
  • Nessus (but unfortunately the REST API has changed/been terminated in the new version)

Install && Use