Dragonfly's road to low-code security tool platform development

1. Background

The internal beta of Dragonfly launched on the eve of May 1st. Tools accumulated quickly and the number of users grew, but I gradually realised that a platform which merely stacks tools has little technical substance, and I wondered whether I could do something more useful. Low-code platforms have been quite popular in recent years, so the question became: could I build a low-code platform for security scenarios?

1.1 Starting point of demand

In the security industry we can think of two groups: developer heavyweights and script kiddies;

Developers are highly capable and can write powerful tools, but the energy of one person or one team is limited, so each tool tends to do a single thing; building something as comprehensive as AWVS is hard. The tools each team develops are easy to use in one area but rarely cover everything, and they seldom expose external interfaces for integrating with upstream and downstream tools;

The script kiddie's main effort goes into using tools to scan for vulnerabilities. They collect tools of every kind, but in a red team or SRC bug-hunting scenario, no single tool can meet all of your needs;

So today I had a whim: could I build a platform that connects the various tools, so they are no longer scattered, wraps the tools developed by experts in an interface, links their data streams together, and fits each individual scenario as closely as possible?

1.2 Dragonfly and Soar

There are many security-related SOAR platforms on the market. The focus of SOAR is orchestration, and Dragonfly is also about orchestration, so the direction is the same;

However, there is a difference between Dragonfly and SOAR: Dragonfly's components support running on the user's own machine, while conventional SOAR platforms mostly run on a cloud platform and mainly support operations and maintenance scenarios;

Why does Dragonfly support heavy scanning? It comes down to Dragonfly's architecture. A conventional SOAR platform is basically a SaaS platform; Dragonfly adds worker nodes on top of SaaS;

Dragonfly's SaaS platform is used only for orchestration and the console; the node is where the task actually executes. This sidesteps problems such as performance not keeping up with a large user base, or the execution nodes not being inside the user's own network.

2. What is the significance of a low-code platform?

2.1 Create your own workflow

Scenario 1: Vulnerability detection

Obtain a batch of URLs from a specified web page (each request returns different content), detect whether the URLs have SQL injection vulnerabilities, and send the detected vulnerability information to the group via DingTalk.

For an engineer with development experience this process is relatively simple: write a script that repeatedly requests the address to obtain URLs, deduplicates the data, calls sqlmap for detection, and finally sends a DingTalk notification;

Implementing it still takes a fair amount of time, though. If he knew it could be done like this on the Dragonfly Security Platform, he could not help exclaiming: whoa, it can be done this way!

[Figure: Dragonfly orchestration flow for Scenario 1 (image: http://oss.songboy.site/blog/20220622205818.png)]

As you can see in the figure above, you only need to drag a few component buttons and fill in the necessary parameters. The flow in this figure is: Fetch URL content -> Filter data -> Scanner scan -> DingTalk notification;

It probably takes no more than five minutes from start to finish to complete the requirement. And you will find that in this figure you need hardly any code, yet you can create a security tool that suits you;

Scenario 2: Information Notification

Fetch security intelligence from a web page daily, deserialize it, and send the information it contains to your server.

The orchestration can then look like this, as shown in the following figure.

You need to provide the vulnerability intelligence URL, a small Python script to screen the data, and your server URL. From the figure, it is inconvenient for ordinary users to write a Python script;

But don't worry: we will package the popular data-filtering scripts directly into components, so users can simply drag the component and only need to fill in the intelligence URL and server URL.

Scenario 3: Code batch scanning

Given a batch of Git repository addresses, perform security analysis on the code and push the results to a specified address.

You can build a flowchart like this:

First use the Read File Content component to read the repository address list, use the Run Python Script component to pull the code to the local machine, then use the Murphy Code Scan component to scan, and finally use the webhook component to report the result.

In fact, I will later encapsulate the Python script in this flow into a component, so you will find you don't need to write any code and can easily build a business scenario.
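To make the component idea in Scenarios 1 and 3 concrete, here is an added example (hypothetical code, not from the QingTing project) of three small components written as plain Python functions: a "Read file content" component, a "Filter data" component that keeps only usable web URLs and removes duplicates, and a "DingTalk notification" component. The URL list is a constructed sample; the webhook URL is a placeholder, and the DingTalk payload follows the public robot text-message format (msgtype/text/content). The sender is injectable so the chain runs offline.

```python
import json
import urllib.request
from typing import Callable, Dict, List, Optional
from urllib.parse import urlsplit, urlunsplit

# Constructed sample input: what the "Read file content" component might be handed.
SAMPLE_FILE_TEXT = """# constructed URL list
http://example.com/a?id=1
http://EXAMPLE.com/a?id=1#frag
https://example.com/b
ftp://example.com/c
mailto:x@example.com
http://example.com/a?id=1
"""


def parse_entries(text: str) -> List[str]:
    """One entry per line; blank lines and '#' comments are dropped."""
    lines = (line.strip() for line in text.splitlines())
    return [line for line in lines if line and not line.startswith("#")]


def read_file_content(path: str) -> List[str]:
    """'Read file content' component: the file-backed form of parse_entries."""
    with open(path, encoding="utf-8") as fh:
        return parse_entries(fh.read())


def filter_urls(entries: List[str], allow_hosts: Optional[List[str]] = None) -> List[str]:
    """'Filter data' component: keep http(s) URLs only, normalize, restrict hosts, deduplicate."""
    seen, kept = set(), []
    for entry in entries:
        parts = urlsplit(entry)
        if parts.scheme.lower() not in ("http", "https") or not parts.hostname:
            continue  # not a web URL (ftp:, mailto:, bare words); nothing downstream can use it
        if allow_hosts is not None and parts.hostname not in allow_hosts:
            continue  # outside the scope the operator allowed
        normalized = urlunsplit((parts.scheme.lower(), parts.netloc.lower(),
                                 parts.path or "/", parts.query, ""))  # fragment dropped
        if normalized not in seen:
            seen.add(normalized)
            kept.append(normalized)
    return kept


def build_dingtalk_message(title: str, items: List[str]) -> Dict:
    """'DingTalk notification' component, payload half: the robot webhook text-message shape."""
    body = "\n".join(f"- {item}" for item in items) or "(nothing to report)"
    return {"msgtype": "text", "text": {"content": f"{title}\n{body}"}}


def _post_json(url: str, data: bytes) -> int:
    req = urllib.request.Request(url, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


def notify_webhook(url: str, payload: Dict, sender: Callable[[str, bytes], int] = _post_json) -> int:
    """'DingTalk notification' component, delivery half. `sender` is injectable for offline runs."""
    return sender(url, json.dumps(payload, ensure_ascii=False).encode("utf-8"))


if __name__ == "__main__":
    urls = filter_urls(parse_entries(SAMPLE_FILE_TEXT), allow_hosts=["example.com"])
    msg = build_dingtalk_message("URLs handed to the scanner", urls)
    # placeholder webhook; a real DingTalk robot URL carries an access_token query parameter
    print(notify_webhook("https://example.invalid/webhook", msg, sender=lambda u, d: 200))
```

Each function takes the previous one's output, which is exactly the data-stream linking the platform draws as arrows; the scanner step between "Filter data" and the notification is left out because it is whatever tool the operator drops into that slot.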

2.2 Focus on building the scene

With the help of a low-code platform, another hope is to help developers stand on the shoulders of giants, realise their own needs quickly, and avoid reinventing the wheel;

3. Difficulties in platform development

Developing the Dragonfly low-code platform runs into difficulties that differ from conventional application development, such as communication between process nodes, data sharing between nodes, and debugging;

3.1 Communication between components

In the Dragonfly low-code platform, component nodes are meant to be isolated from each other yet still able to communicate. Isolation lets each component node be arranged more freely; the communication requirement is that node B may only execute after node A has finished.

These requirements are somewhat contradictory, but both must be met, so during design I added a public component: every component communicates with the public component to report its current execution status, and the public component then schedules the next component to execute.

3.2 Data Sharing

The data of each Dragonfly node is independent, but in some scenarios data needs to be shared: for example, in the code audit scenario, node A pulls the code to the local machine and node B scans the code;

These files need to live in the file system. Dragonfly's nodes are actually based on Docker containers, so Dragonfly's solution is to mount one directory on the host into all containers, and data is stored in that specified directory inside the container.

3.3 Long debugging chains

In the development stage, each component needs unit tests. After that comes joint debugging between components. Because the components' environments are isolated, the debugging process is very cumbersome.

For example, suppose a scenario uses four nodes A, B, C and D. When the result does not meet expectations, you may locate which node is abnormal at once, but the abnormality is probably not caused by that node itself; it is caused by the data coming from the upstream node;

The platform's components may come from other team members or from the community, so you may not be able to solve the problem alone, which consumes a lot of development time;

Note that every component's unit tests must be verified repeatedly, and parameters must be strictly validated on receipt; otherwise this problem arises very easily.
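The three difficulties above fit together in one small coordinator, so here is an added example (hypothetical, not the QingTing code) that models them: a "public component" (`Coordinator`) to which every node reports its state and which schedules the next node (3.1); one shared directory standing in for the host directory mounted into every container, with each node otherwise confined to a private work directory (3.2); and a strict parameter check on every node before anything runs, plus recorded failure causes so that a bad upstream node is identified immediately instead of being hunted for downstream (3.3). The node names, the `repos`/`webhook`/`sink` parameters and the three simulated nodes are constructed for the example.

```python
import json
import os
import tempfile
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

SHARED = "shared"  # stands in for the one host directory bind-mounted into every container


@dataclass
class Node:
    name: str
    params: Dict
    upstream: List[str]
    run: Callable[[Dict, str, str], None]  # run(params, shared_dir, private_work_dir)
    required: Dict[str, type] = field(default_factory=dict)  # strict parameter schema


def check_params(nodes: List[Node]) -> List[str]:
    """Validate every node's parameters and wiring before anything executes."""
    names = {n.name for n in nodes}
    problems = []
    for n in nodes:
        for up in n.upstream:
            if up not in names:
                problems.append(f"{n.name}: unknown upstream node '{up}'")
        for key, typ in n.required.items():
            if key not in n.params:
                problems.append(f"{n.name}: missing parameter '{key}'")
            elif not isinstance(n.params[key], typ):
                problems.append(f"{n.name}: parameter '{key}' must be {typ.__name__}")
    return problems


class Coordinator:
    """The 'public component': nodes report their state here; this decides what runs next."""

    def __init__(self, nodes: List[Node], root: str):
        self.nodes = {n.name: n for n in nodes}
        self.root = root
        self.status = {n.name: "pending" for n in nodes}
        self.errors: Dict[str, str] = {}
        os.makedirs(os.path.join(root, SHARED), exist_ok=True)

    def report(self, name: str, state: str, error: str = "") -> None:
        self.status[name] = state
        if error:
            self.errors[name] = error

    def ready(self) -> List[Node]:
        return [n for n in self.nodes.values() if self.status[n.name] == "pending"
                and all(self.status[u] == "done" for u in n.upstream)]

    def execute(self) -> Dict[str, str]:
        problems = check_params(list(self.nodes.values()))
        if problems:  # refuse to start: a bad parameter is cheapest to find before any node runs
            raise ValueError("; ".join(problems))
        progress = True
        while progress:
            progress = False
            for node in self.ready():
                progress = True
                work = os.path.join(self.root, "work", node.name)  # private to this node only
                os.makedirs(work, exist_ok=True)
                self.report(node.name, "running")
                try:
                    node.run(node.params, os.path.join(self.root, SHARED), work)
                    self.report(node.name, "done")
                except Exception as exc:  # record which node failed and why
                    self.report(node.name, "failed", f"{type(exc).__name__}: {exc}")
            for node in self.nodes.values():  # nodes whose upstream cannot finish are skipped
                bad = [u for u in node.upstream if self.status[u] in ("failed", "skipped")]
                if self.status[node.name] == "pending" and bad:
                    self.report(node.name, "skipped", f"upstream {bad} did not complete")
                    progress = True
        return dict(self.status)


# --- three simulated nodes for the code-audit scenario (stand-ins, not real tools) ---
def pull_code(params, shared, work):
    # node A: a real node would git-clone here; this records the repo list in the shared dir
    with open(os.path.join(shared, "repos.json"), "w") as fh:
        json.dump(params["repos"], fh)


def scan_code(params, shared, work):
    # node B: reads A's output from the shared dir, keeps its scratch in the private work dir
    with open(os.path.join(shared, "repos.json")) as fh:
        repos = json.load(fh)
    with open(os.path.join(work, "scan.log"), "w") as fh:
        fh.write("\n".join(repos))
    findings = [{"repo": r, "issues": 0} for r in repos]  # a real scanner would fill this in
    with open(os.path.join(shared, "findings.json"), "w") as fh:
        json.dump(findings, fh)


def notify(params, shared, work):
    # node C: would POST to params["webhook"]; here it appends to an in-memory sink
    with open(os.path.join(shared, "findings.json")) as fh:
        findings = json.load(fh)
    params["sink"].append({"webhook": params["webhook"], "count": len(findings)})


def run_pipeline(repos: List[str], sink: List[Dict], fail_pull: bool = False) -> Tuple[Dict, Dict]:
    """Run A -> B -> C in a throwaway root; returns (status, errors). fail_pull breaks node A."""
    def broken(params, shared, work):
        raise RuntimeError("clone failed")
    nodes = [Node("pull", {"repos": repos}, [], broken if fail_pull else pull_code, {"repos": list}),
             Node("scan", {}, ["pull"], scan_code),
             Node("notify", {"webhook": "https://example.invalid/hook", "sink": sink}, ["scan"],
                  notify, {"webhook": str, "sink": list})]
    with tempfile.TemporaryDirectory() as root:
        coord = Coordinator(nodes, root)
        return coord.execute(), dict(coord.errors)


if __name__ == "__main__":
    out: List[Dict] = []
    print(run_pipeline(["repo-a", "repo-b"], out), out)  # constructed repository names
```

In a deployment the `run` callable would be a container launch rather than a function call, but the contract is the same: a node only touches the shared mount and its own work directory, it tells the coordinator how it ended, and a failed or skipped upstream is named in `errors` so the search described in 3.3 starts at the right node.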

4. Development history

The most important thing about a low-code platform is that users can understand it easily and get started quickly; otherwise the value of the platform is almost non-existent.

To let ordinary users get started quickly, the front-end interactive experience is particularly important. To help users understand the data transfer process, low-code platforms usually use flowcharts to display the data flow. The flowchart component of the Dragonfly Security Platform is AntV XFlow.

XFlow is developed in TypeScript and uses React. Before this, my front-end skills were mainly Bootstrap and jQuery, so the jump in front-end technology stack was the biggest technical risk for me.

It took a week to finish the basic TypeScript and React tutorials. In the second week I tried to write a todo list in React on my own, then an order evaluation feature, and then gradually built a scaffold for the back-end data management function. Coming back to XFlow after that, I could basically understand what to do.

5. Finally

Dragonfly's low-code platform is still in its infancy, and its functional components are not yet comprehensive. As time passes and development continues apace, the components will become more complete, and one day they will cover your usage scenarios.

Dragonfly Security Platform Address: http://qingting.starcross.cn/

Dragonfly GitHub warehouse address: https://github.com/StarCrossPortal/QingTing

Date: June 23, 2022

WeChat: songboy8888

Author: Tang Qingsong

Origin blog.csdn.net/u013431141/article/details/125426472