  • Stars: 2,643
  • Rank: 17,307 (Top 0.4 %)
  • Language: Ruby
  • License: Apache License 2.0
  • Created over 10 years ago
  • Updated almost 5 years ago


Repository Details

Web framework that allows performing periodic syncs of data sources and performing analysis on the identified results

----DEPRECATED/LOOKING FOR MAINTAINERS----

August 20th, 2018

We're starting to change directions with our security automation approach and are actively looking for a maintainer for the Scumblr project. We're going to leave Scumblr code online but are not planning on adding any new features or addressing open issues and pull requests. If you are interested in maintaining this project, please reach out to me ([email protected]).

-Scott

Scumblr

Join the chat at https://gitter.im/Netflix/Scumblr

What is Scumblr 2?

Scumblr is a web application that allows performing periodic syncs of data sources (such as Github repositories and URLs) and performing analysis (such as static analysis, dynamic checks, and metadata collection) on the identified results. Scumblr helps you streamline proactive security through an intelligent automation framework to help you identify, track, and resolve security issues faster.

Scumblr ships with a number of tasks to help you streamline security automation including:

Sync Tasks

  • Github - Sync results from GitHub repositories
  • Route53 DNS - Sync FQDNs from Route53 DNS
  • Manual Result Upload - Specify a newline-delimited list of results you'd like to sync into Scumblr

Security Tasks

  • Github Search - Search Github for secrets, anti-patterns, and vulnerabilities in your repositories
  • Curl - Execute curl commands to identify vulnerabilities or issues against Scumblr results
  • Bandit - Perform static code analysis against Python projects
  • Brakeman - Perform static code analysis against Ruby on Rails projects.

Search Tasks (legacy)

  • Google
  • Facebook
  • Twitter
  • iTunes Store
  • Certificate Transparency
  • Ebay
  • Google Play
  • Reddit
  • RSS Feeds (useful for full disclosure searches)
  • YouTube

Scumblr also provides a number of novel features that streamline security automation including:

  • Tracking, ticketing, regression monitoring, and auto-remediation of security vulnerabilities
  • Metadata storage in results to allow for advanced result filtering
  • Customizable views and sorting of results and tasks to get you to the important details faster
  • Saveable result filters that can be shared with colleagues
  • Event model for auditing changes to results so you can keep an eye on what is happening
  • Email subscriptions for specific results or tasks you care about (such as monitoring when a security task finds a new vulnerability)
  • Advanced asynchronous task scheduling to allow for task chaining and task batching

Scumblr uses the Workflowable gem to allow setting up flexible workflows for different types of results.

How do I use Scumblr?

Scumblr is a web application based on Ruby on Rails. To get started, you'll need to set up / deploy a Scumblr environment and configure it to search and analyze the things you care about. Setup is described in detail on the Wiki.

You'll optionally want to set up and configure workflows so that you can track the status of identified results through your triage process.

What can Scumblr look for and analyze?

Just about anything! Scumblr searches are implemented by plugins called Tasks. Each Task knows how to perform a search or sync against a particular site or API (Github, Route53, Google, Pastebin, Twitter, etc.). Tasks are configured from within Scumblr using the options each Task exposes. What are some things you might want to look for or analyze? How about:

  • Your organization's public or private github repositories
  • When new FQDNs are created in your organization's DNS
  • Detection of anti-patterns in source code
  • Dynamic checks against running web servers for security issues
  • Static code analysis across a large number of repositories using Brakeman or Bandit
  • Get an alert on full disclosure security reports on vulnerabilities in your team's version of Apache

These are just a few examples of things that you may want to keep an eye on!

Scumblr found stuff, now what?

Scumblr provides a handy vulnerability object you can use to monitor the security issues found on a particular result. You can also create Status fields to associate with results, allowing you to track the state of a result or its remediation over time.

You can create simple or complex workflows to be used along with your results. This can be as simple as marking results as "Reviewed" once they've been looked at, or much more complex involving multiple steps with automated actions occurring during the process.

Sounds great! How do I get started?

Take a look at the wiki for detailed instructions on setup, configuration, and use!

Release History

Version 2.1 - "Reliability, Usability and Performance Edition" - September 26th, 2017

Significant changes include:

  • Major performance improvements to async tasks
  • Ability to utilize an external redis instance
  • Ability to route tasks to specific queues
  • Ability to schedule individual tasks separately within the application
  • Added concept of 'on-demand' and 'callback' tasks
  • Improved vulnerability handling
  • Bug fixes
  • Improved test coverage and integration with TravisCI

Version 2.0.2 - "XSS fix" - November 30th, 2016

This fixes an XSS issue on the main Tasks page reported by Michael Carlson. The XSS vulnerability is only exploitable by administrator users of the application.

Version 2.0.1a - "System Metadata" - November 15th, 2016

This is a minor release that adds some new functionality:

  • Creation of a system metadata model. System metadata allows you to store collections of data to share across tasks.
  • Extended curl security task and github security task to support system metadata.

Version 2.0.1 - "O'Reilly Security Edition" - November 2nd, 2016

This is a minor release that addresses a few bugs and adds some new features. Note: if upgrading from 2.0 make sure to run bundle install and restart your server.

  • New curl 2 security task added, which includes a number of new features:
    • Response Metadata: New option to allow you to arbitrarily define metadata to collect from HTTP responses (think CSP policies, Server headers)
    • Option: Negative searching
    • Option: Strip path off of result (useful for sitemaps that may have trailing images, etc.)

  • Abstract view for response metadata with filtering and pagination

  • Result and task trends added with customized views

  • A number of bug fixes in views

  • Fixed an issue with curl security task and thread safety

  • Updated stylesheets for better views on small screens

Version 2.0 - "Dirty Laundry" - October 12th, 2016

This is a major release that addresses a number of bugs and adds many new features.

  • Refactored to be a more generic system for tracking assets and running security checks
  • New task types have been created: Security Tasks, Sync Tasks, Maintenance Tasks
  • New integrations for a better understanding of your environment including Github code searching, static analyzers, and dynamic checks
  • New features for tracking results, searching and sorting
  • New Event model for security relevant changes, error tracking, and audit purposes
  • Metadata storage in results to allow for advanced result filtering
  • Customizable views
  • Tracking, ticketing, regression monitoring, and auto-remediation of security vulnerabilities
  • Numerous bug fixes

Version 1.0 - "Initial Release" - August 21st, 2014

Contributing

Pull requests welcome! See the Contributing doc for details.

More Repositories

  • stethoscope (Python, 2,002 stars) - Personalized, user-focused recommendations for employee information security.
  • sleepy-puppy (JavaScript, 1,029 stars) - Sleepy Puppy XSS Payload Management Framework
  • sketchy (JavaScript, 996 stars) - A task based API for taking screenshots and scraping text from websites.
  • diffy (Python, 632 stars) - ⛔ (DEPRECATED) Diffy is a triage tool used during cloud-centric security incidents, to help digital forensics and incident response (DFIR) teams quickly identify suspicious hosts on which to focus their response.
  • riskquant (Python, 609 stars)
  • aardvark (Python, 470 stars) - Aardvark is a multi-account AWS IAM Access Advisor API
  • stethoscope-app (JavaScript, 457 stars) - A desktop application that checks security-related settings and makes recommendations for improvements without requiring central device management or automated reporting.
  • policyuniverse (Python, 421 stars) - Parse and Process AWS IAM Policies, Statements, ARNs, and wildcards.
  • zerotodocker (Python, 407 stars) - Dockerfiles to be used to create Dockerhub trusted builds of NetflixOSS
  • rewrite (Java, 291 stars) - Distributed code search and refactoring for Java
  • gcviz (Python, 266 stars) - Garbage Collector Visualization Tool/Framework
  • repulsive-grizzly (Python, 244 stars) - Application Layer DoS Testing Framework
  • hystrix-dashboard (JavaScript, 233 stars)
  • jvmquake (Python, 154 stars) - A JVMTI agent that attaches to your JVM and kills it when things go sideways
  • zerotocloud (Groovy, 147 stars) - Scripts and instructions for Zero To Cloud With NetflixOSS
  • bpftoolkit (Shell, 128 stars)
  • aws-credential-compromise-detection (Python, 118 stars) - Example detection of compromised credentials in AWS
  • WSPerfLab (Java, 116 stars) - Project for testing web-service implementations.
  • UnrealValidationFramework (C++, 111 stars)
  • cloudy-kraken (Python, 102 stars) - AWS Red Team Orchestration Framework
  • historical (Python, 93 stars) - A serverless, event-driven AWS configuration collection service with configuration versioning.
  • jenkins-cli (Perl, 91 stars) - Simple Jenkins Command Line Interface
  • swag-client (Python, 87 stars) - Cloud multi-account metadata management tool.
  • cloudtrail-anomaly (Python, 82 stars)
  • cloudaux (Python, 76 stars) - Cloud Auxiliary is a python wrapper and orchestration module for interacting with cloud providers
  • aws-metadata-proxy (Go, 69 stars) - AWS Metadata Proxy for protection against SSRF
  • service-capacity-modeling (Python, 61 stars)
  • titus-isolate (Python, 55 stars)
  • skunky (Python, 47 stars) - Marking instances dirty since 2018
  • raven-python-lambda (Python, 47 stars) - Sentry/Raven SDK Integration For AWS Lambda (python) and Serverless
  • dynaslave-plugin (Java, 46 stars) - Jenkins DynaSlave plugin
  • s3-flash-bootloader (Shell, 45 stars) - A tool for flashing OS images onto stateful servers
  • rl_for_budget_constrained_recs (Jupyter Notebook, 41 stars)
  • logstash-configs (31 stars) - Logstash Configs used by Netflix
  • spectatord (C++, 25 stars) - A high performance metrics daemon
  • framerate-utils (TypeScript, 17 stars) - Useful conversion utilities for working with video frame rate and display
  • qiro (Java, 17 stars) - The Qiro Project
  • listening-test-app (C++, 16 stars)
  • iep-apps (Scala, 15 stars) - Example apps using Netflix Insight libraries from the Spectator, Atlas, and IEP projects.
  • zerotocloud-gradle (Groovy, 15 stars) - Gradle Plugin to Initialize the Cloud Environment and Utilize it for Continuous Delivery Purposes
  • stethoscope-examples (HTML, 14 stars) - Example Express application for collecting data from the Stethoscope app
  • bucketsnake (Python, 14 stars) - An AWS lambda function that grantsss S3 permissionsss at ssscale.
  • causaltransportr (R, 12 stars) - R package to generalize and transport causal effects.
  • Numerus (Java, 12 stars) - Counters, Percentiles, etc for in-memory metrics capture.
  • mesos-on-pi (Shell, 12 stars)
  • nfflink-connector-iceberg (Java, 11 stars)
  • swag-api (Python, 10 stars) - REST API and UI for SWAG data
  • repokid-extras (Python, 10 stars)
  • raven-sqs-proxy (Python, 10 stars) - A Raven/Sentry SQS message proxy forwarder
  • atlas-node-client (C++, 10 stars)
  • post2crucible (Java, 8 stars) - Crucible code review uploader client
  • StethoscopeMobile (JavaScript, 8 stars)
  • netflixoss-dsl-seed (Groovy, 7 stars) - DSL Scripts to create build jobs for @NetflixOSS projects
  • grails-jade (Groovy, 6 stars) - Grails plugin for rendering Jade templates with the spring-jade4j library
  • spectator-js-nodejsmetrics (JavaScript, 6 stars) - Generate node.js internal metrics using the nflx-spectator node module
  • historical-reports (Python, 6 stars) - Lambda functions to generate report artifacts from Historical
  • cligraphy (Python, 5 stars)
  • atlas-system-agent (C++, 5 stars) - Agent that reports system metrics through SpectatorD.
  • node-pagerduty-netflix (JavaScript, 5 stars) - pagerduty REST API interface in node.js
  • swag-functions (Python, 4 stars) - Lambda functions for SWAG management
  • ng-nflx (JavaScript, 4 stars) - Miscellaneous utilities for AngularJS
  • grails-context-param (Groovy, 4 stars) - Grails plugin to automatically add parameters specified as @ContextParam on a controller to redirect calls.
  • hive2iceberg-migration (Scala, 3 stars)
  • ec2blockdevcfg (Python, 2 stars) - Tools and configuration for Amazon EC2 NVMe block devices
  • kmd (JavaScript, 2 stars)
  • atlas-native-client (C++, 2 stars)
  • qiro-logo (Java, 2 stars) - Code for generating the qiro logo
  • corepipe (Rust, 2 stars)
  • flagpole (Python, 1 star) - Flag arg parser to build out a dictionary with optional keys.
  • scumblr-spillguard (Python, 1 star)
  • adversarial_approach_to_recommender_systems (Python, 1 star)