Hackers of India

Jackhammer: One Security Vulnerability Assessment/Management Tool

By Madhusudhan Konda, Rajagopal Vr and Shreyas Chidambara on 09 Aug 2018 @ Blackhat : Arsenal

This tool demo covers the following tools, which the speakers have authored or contributed to:
JACKHAMMER

Abstract

Jackhammer is an integrated tool suite that ships with out-of-the-box, industry-standard integrations. It is a first-of-its-kind tool that combines static analysis, dynamic web application analysis, mobile security, API security, network security, CMS security, AWS/Azure security tools, Docker/container security and a vulnerability manager, giving a complete picture of the organization's security posture. Using this suite, even senior leadership can get a comprehensive view of their organization's security.

Why was it needed? Security, while imperative for any organization, is hard for most developers to comprehend. Security engineers need to scrutinize every service or app, which makes security analysis time-intensive and repetitive. What if there were a tool that could empower everyone to test their code for vulnerabilities, automate security analysis, and show the overall security hygiene of the company?

How does it work? Jackhammer initiates various types of scans using existing, proven tools, and the results are consumed by the onboard vulnerability manager. A unique dashboard presents an intuitive interface that gives the user a holistic view of the code base. The normalized reports are instantly accessible to developers, QAs, TPMs and security personnel.

It can be plugged into or integrated with:
- CI systems and Git, via hooks, giving complete control over code commits
- AWS/Azure accounts, so it can keep scanning the complete IP space in real time
- Additional commercial or open-source tools, added within a few minutes and managed from Jackhammer
- Ticketing systems (like Jira)
- Slack/PagerDuty for real-time alerting, in addition to SMS and email

It creates a sandbox using Docker containers for every tool, scales the systems up when a scan needs it and scales them down when the scans complete. Spin-up and tear-down are completely automated, so nobody needs to watch the resources, which makes it inexpensive and cost-effective.