1. Background
The internal beta of Dragonfly launched on the eve of May 1st. It soon accumulated a lot of tools and the number of users grew steadily, but I also gradually realised that a platform that merely collects tools does not carry much technical substance. Low-code platforms have become popular in recent years, so I wondered whether I could build a low-code platform for security scenarios.
1.1 The starting point of demand
In the security industry we can roughly distinguish two groups: developers and script kiddies.
Developers are highly capable and can write very powerful tools, but the energy of an individual or a team is limited, so their tools tend to be single-purpose, and it is hard to build a comprehensive tool comparable to AWVS.
The tool each team develops is convenient in one area but rarely covers everything, and it usually does not expose many external interfaces for integration with upstream and downstream tools.
Script kiddies spend most of their energy using tools to scan for vulnerabilities. They collect all kinds of tools, but in a red team engagement or an SRC bug-hunting scenario a single tool is unlikely to meet all their needs.
So one day I had the idea of building a platform that connects these tools, so that they are no longer scattered: wrap an interface around the tools written by the experts so that their data streams can be chained together, fitting as many people's situations as possible.
1.2 Dragonfly and Soar
There are many security-related SOAR platforms on the market. SOAR platforms focus on orchestration, and Dragonfly is also about orchestration, so the direction is the same.
The difference between Dragonfly and SOAR is that Dragonfly's components support running on the user's own machine, whereas conventional SOAR platforms are mostly operated on a cloud platform and mainly cover operations and maintenance scenarios.
Why can Dragonfly support heavy scanning? It comes down to its architecture: a conventional SOAR platform is basically a SaaS platform, whereas Dragonfly adds worker nodes alongside the SaaS part.
Dragonfly's SaaS platform is used only for orchestration and the console; nodes are where tasks are actually executed. This means the platform does not have to solve problems such as large user scale and performance, and it avoids the problem of execution nodes sitting outside the user's network.
2. What is the significance of a low-code platform?
2.1 Build your own workflow
Scenario 1: Vulnerability Detection
Obtain a batch of URLs from a specified web page (the returned content differs on each request), detect whether each URL has a SQL injection vulnerability, and send the vulnerability information found to a DingTalk group.
For an engineer with development experience this process is fairly simple: write a script that repeatedly requests the address to collect URLs, deduplicate the data, call sqlmap for detection, and finally write a DingTalk notification.
But implementing it still takes a lot of time; if the engineer knew it could be done with the Dragonfly security platform instead, he would probably exclaim to himself: WC, it can be done this way!
As you can see in the figure above, you only need to drag in a few component buttons and fill in the necessary parameters. The flow in this figure is: Get URL content (获取URL内容) -> Filter data (对数据做过滤) -> Scanner scan (扫描器扫描) -> DingTalk notification (钉钉通知).
The whole thing takes no more than five minutes, and the requirement is done. And you will notice that this figure contains hardly any code, yet it creates a security tool that suits you.
Scenario 2: Intelligence Notification
Fetch security intelligence from a web page every day and send the items containing "deserialization" (反序列化) to your server.
The orchestration can then look like this, as shown in the figure below.
You need to provide the vulnerability-information URL, a small Python script (Python脚本) to filter the data, and your server's URL. From the figure you can see the inconvenience for ordinary users: they need to write a Python script.
But don't worry too much: we will wrap popular data-filtering scripts directly into components, so users can drag those components in and only need to fill in the intelligence URL and the server URL.
Scenario 3: Batch Scanning of Codes
Given a batch of Git repository addresses, you need to perform security analysis on the code and push the results to a specified address.
You can build a flowchart like this:
First use the Read file content (读取文件内容) component to read the repository address list, use the Run Python script (运行Python脚本) component to pull the code to the local machine, then use the Murphy code scan (墨菲代码扫描) component to scan, and finally use the webhook component to send the results.
The Python script here is something I will wrap into a component later, so you will find that you do not need to write any code to build this business scenario.
2.2 Focus on building the scenario
With the help of the low-code platform there is another hope: that it helps developers stand on the shoulders of giants, realise their needs quickly, and avoid reinventing the wheel.
3. Difficulties in Platform Development
Developing the Dragonfly low-code platform runs into difficulties that differ from conventional application development, such as communication between process nodes, data sharing between nodes, and debugging.
3.1 Communication between components
In the Dragonfly low-code platform each component node should be isolated from the others, yet they still need to communicate. Isolation lets each component be arranged more freely; the communication requirement is that node B must execute only after node A has executed.
These requirements are somewhat contradictory, but both must be met, so in the design I added a public component: every component communicates with the public component to report its current execution state, and the public component then schedules the next component.
3.2 Data Sharing
Each Dragonfly node's data is independent of the others, but in some scenarios data must be shared. For example, in the code-audit scenario node A pulls the code to the local machine and node B scans it.
These files must be stored in the file system. Each Dragonfly node actually runs as a Docker container, so Dragonfly's solution is to mount a directory of the host into all containers, and data is stored in the directory specified for the container.
3.3 Long debugging chain
During development we unit-test each component and then do joint debugging between components. Because the components' environments are isolated, the debugging process is very cumbersome.
For example, a scenario uses four nodes A, B, C and D. When the result does not meet expectations you may immediately locate the node that raised an exception, but the exception is probably not caused by that node itself; it is caused by the data coming from the upstream node.
The platform's components may come from other people on the team or from the community, so you may not be able to solve the problem alone, which eats up a lot of development time.
Note that the unit tests of each component must be verified repeatedly, and parameters must be strictly validated on receipt; otherwise this problem is very likely to occur.
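As an added illustration of sections 3.1 to 3.3 (example code, not code from the Dragonfly project), the following Python model runs the scenario-2 intelligence flow: a public component schedules nodes in order from the execution state each one reports, nodes exchange data only through a shared directory that stands in for the mounted host directory, and every node strictly validates its parameters. The headlines, node names and URLs are constructed for the example.

```python
import json, tempfile
from pathlib import Path

def validate_params(params: dict, required: dict) -> None:  # strict input check, section 3.3
    for name, typ in required.items():
        if name not in params:
            raise ValueError(f"missing parameter: {name}")
        if not isinstance(params[name], typ):
            raise TypeError(f"parameter {name} must be {typ.__name__}")
# A component reads its input file from the shared directory, writes its output there and
# returns an execution state; it never calls the next node itself (section 3.1).
def fetch_intel(inp: Path, out: Path, params: dict) -> str:
    validate_params(params, {"source_url": str})
    # Constructed sample headlines; a real node would fetch params["source_url"].
    items = ["Fastjson deserialization RCE", "Reflected XSS in admin", "Shiro deserialization advisory"]
    out.write_text(json.dumps(items))
    return "success"

def filter_keyword(inp: Path, out: Path, params: dict) -> str:
    validate_params(params, {"keyword": str})
    items = json.loads(inp.read_text())
    out.write_text(json.dumps([i for i in items if params["keyword"].lower() in i.lower()]))
    return "success"

def webhook_notify(inp: Path, out: Path, params: dict) -> str:
    validate_params(params, {"server_url": str})
    items = json.loads(inp.read_text())
    out.write_text(json.dumps({"to": params["server_url"], "items": items}))  # payload to POST
    return "success" if items else "skipped"

def run_flow(flow: list, shared_dir: Path = None) -> tuple:
    """Public component: runs each node only after the previous one reports success.
    shared_dir stands in for the host directory mounted into every container (section 3.2)."""
    shared_dir = shared_dir or Path(tempfile.mkdtemp())
    states, outputs, prev_out = {}, {}, shared_dir / "input.json"
    prev_out.write_text("[]")
    for name, component, params in flow:
        out = shared_dir / f"{name}.json"
        try:
            states[name] = component(prev_out, out, params)
        except (ValueError, TypeError) as exc:
            states[name] = f"failed: {exc}"
            break  # downstream nodes are not scheduled after a failure
        outputs[name] = json.loads(out.read_text())
        prev_out = out
    return states, outputs

SCENARIO_2 = [("fetch", fetch_intel, {"source_url": "https://intel.example/feed"}),
              ("filter", filter_keyword, {"keyword": "deserialization"}),
              ("notify", webhook_notify, {"server_url": "https://my.example/hook"})]
```

Running `run_flow(SCENARIO_2)` returns the per-node states and parsed outputs; swapping the keyword for a non-string shows the flow stopping at the filter node with a clear parameter error instead of failing downstream.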
4. Development process
The most important thing about a low-code platform is that users can understand it and get started quickly; otherwise its value is almost nonexistent.
To let ordinary users get started quickly, the front-end interaction experience is particularly important. So that users can understand the data-transfer process, low-code platforms usually use flowcharts to show data flow. The flowchart component of the Dragonfly security platform is AntV XFlow.
XFlow is developed in TypeScript and also uses React. Previously my front-end work was mostly done with Bootstrap and jQuery, so the jump in front-end technology stack was the biggest technical risk for me.
It took a week to finish the basic TypeScript and React tutorials. In the second week I tried to write a todo list in React on my own, then an order-evaluation feature, then gradually got the back-end data management function in place; looking back at XFlow after that, I could basically understand how to do it.
5. Finally
Dragonfly's low-code platform is still in its infancy and its component library is not yet comprehensive. Over time, and with our rapid development, the components will certainly become more complete, and one day they will cover your usage scenarios.
Dragonfly security platform address: http://qingting.starcross.cn/
Dragonfly GitHub repository address: https://github.com/StarCrossPortal/QingTing
Date: June 23, 2022
WeChat: songboy8888
Author: Tang Qingsong