Hi everyone, my name is Gilmar Esteves and my partner is Filipe Pires. Now we'll make the presentation about Horusec, a Brazilian SAST for the world. I'm VP of security engineering, but also of innovation, and I have been technical my whole history, my whole life. I'm not a business vice president, and Filipe Pires and I are advocates of the open source project Horusec.

Yes, thank you, Gilmar. So my name is Filipe Pires, I'm a security researcher at Sapor. Sapor is a company from Switzerland, it's a top company, and I'm responsible for creating different attack modules for this specific organization. I'm an advocate not only of Horusec but of many different open source projects, because I really believe in that and I like that, and Horusec is an awesome project. It started in Brazil, by the way, and we would like to present more about this project to you and would like to invite you to collaborate with us.

Yes, actually we love open source projects because open source helps the community and helps to improve and grow the cyber security mindset in small companies. We know that a lot of small companies don't have a budget for cyber security, and open source is a way to improve and grow your cyber security environment. About Horusec: Horusec is a source code analysis tool, now also known as a static application security testing tool, helping with the source code, or the compiled version of the code, to find security flaws. Horusec can be added into your IDE; such tools can help detect the issues during software development, and such fast feedback can save time and effort, especially when we compare it to finding the vulnerability later in the development cycle. Normally we use Horusec before the code goes to production, in the pipeline and in the IDE. The strong feature, or the strong part, about the source is that it scales well. It's possible to run a lot of pods and make a lot of analyses in different languages before production. It's not complete code, normally it's raw code, and it's possible to identify buffer overflows, SQL injection and, normally, ciphers, some hard-coded passwords and logins. Normally the output helps developers to understand the highlights, the problematic code, by filename, location and line number of the affected code. It's difficult to automate the search for many types of security vulnerabilities. The SAST code needs a lot of coders on the project to build new forms, or new code, to identify new vulnerabilities or new forms of vulnerabilities. For example, authentication problems or business problems are so hard to identify; insecure use of cryptography too, because we know it, but the team developed a different cryptography model, for example Noise, the Noise framework, and it's so difficult to understand the cryptography and help the developer make better code. Normally SAST tools are limited. It's only static, not dynamic, not runtime, but in the future I believe Horusec will grow towards a dynamic analysis way. Horusec was born from a need to run a SAST on more modern languages; normally the big players in the market run on the established languages, and for a new language it was not possible to make the SAST analysis three years ago, when we started the Horusec project. We managed to create a product for the community, and today we support the open source solution and I'm a sponsor, an official sponsor, of Horusec. Some features of Horusec are very important: it analyzes 18 languages simultaneously with 20 different security tools to increase accuracy, it searches the Git history for secrets and other content posted, and clarifies that. Your analysis can be fully configured with a CLI, a web manager or a pipeline. And now Filipe will make a presentation on live coding with us. Thank you, Gilmar.

Thank you. So let me share my screen here, and one second please, everyone. So I will share my screen here to explain in a more technical way. So what about Horusec? So I think you can see my screen here. So here is the web page from Horusec, horusec.io, this is the website, and basically I have here my GitHub, Filipe Pires 86. You have a specific repository here below called horusec-demo. So I'm using this, basically this folder, in this demonstration here. So you can find me here if you'd like to test yourself. So let's return here to the main page. So here you can see more information: you have here the GitHub from Horusec, and here the documentation, and not only that, but here you have the forum. So basically it's the place where you can find the community, and the Horusec team answers your questions, your doubts. And just click here on documentation and we can see it here in another tab, and I will share here how you can install it; it's very simple, like this. So I click here on CLI and after that on installation, and we have three ways, or actually not three but four ways to install: locally, manually, installing by Docker, and using a pipeline, as Gilmar mentioned, right. So we don't have time to explain all those details, but I will try to explain here in a simple way, using for example curl here in my virtual machine. So I have here a simple folder, as I mentioned to you in the beginning, a specific folder where I have some vulnerable code. So basically I will paste here this specific line of code, and I will use curl to call this binary and set here the bash to install the latest version. Okay, so I click here and press enter, and after that you see the installation of the latest version, and after that it will download the binary. I need to set here the password because I don't have privileged users, important for the security stuff, by the way. The latest version, as you can see here, and we have installed the binary, and not only that, but we moved it to the specific local binary place. Okay, so I can check here for horusec. Filipe?

Yeah. Let's clarify this part, because we explain a local installation. Local installation is not remote, not web or Docker. We use bash and Linux commands with a local installation.

Yeah, you can use it here, not exactly, good. You can use it on Mac or Linux. You can download it locally on Windows, and you have here another version to use it manually. So not only in this way, but you can see here other ways to install, like a Docker image. So it's another possibility, but if you can see here, we can call Docker and you can install it yourself in your Docker, in your container environment actually. Okay, it's a different way. So I installed it basically locally in my virtual machine, and because of that I downloaded these different folders, as you can see here, to test. So I installed Horusec here, and after that I can set some commands. So basically, if I don't know how I can use it here, I can use help to understand how the tool works. But basically you can see here some specific explanation. In the beginning, one is exactly horusec and the flags that you can use, and commands. So basically we have specific commands to use, like completion, generate, help, start and version. So version is basically the version; generate is to generate and see specific configurations; completion is a specific script to see specific configurations of the shell; and start executes Horusec itself. So basically horusec start is the command to execute, and after that you can use different flags. So let me put in here -h or --help; it's the same, to see the different commands. So just a simple command to explain, like for example -h for help, and another interesting command is -o, for example. Because if you are thinking about SonarQube, for example, it's another project for quality, a quality tool. But they haven't specific configurations about security, but Horusec is created by a security team. In this case the achievement is for more, for different programming languages, and not only that, but you can use both tools together, because of that you can set here the -o to set up this specific output format to analyze and to send that information directly to SonarQube; it's very interesting to use. Not only that, but you can set, for example, -h or -e, for example, if you'd like to use it in a pipeline. Okay, so to see specifically if your code is vulnerable. So you receive this specific return code, for example, if Horusec finds some vulnerability. So you receive this code 1, and you need to set this -h, okay? So nice, so let me execute Horusec itself here on my local machine. I could put in, for example, -p, which is a path, if you'd like to set a specific repository or a specific project, but in this case I will run it in this specific repository, as you can see here. This is the path where I will execute Horusec. So can I proceed? And yes, and that's it, okay? Click enter and that's it. It will start scanning the code. Another possibility for using Horusec, which I will show you during this scan here, is using it on the CLI a lot and on an IDE, VS Code, as you mentioned. So let me go to the root here. My folder on, and, I think it's demo, demo and horusec. Yeah, I will show VS Code here. I will open my VS Code here for you, and let's see here, okay? So another possibility is to use Horusec as an extension, like a plugin, okay? So basically you go here to extensions, right? And you can put in here horusec, simple like this. And if you see, we have here the specific extension to use here. So basically you need to install it, and that's it, you can use it here, as you can see here, okay? Horusec is here in my VS Code. And after that I have here the same projects, the same folders. Just click in here and you can click and start scanning. The same action that you do, that I'm doing actually in the CLI here, as you can see, and I have the result returned here. I will use it here on the IDE, on VS Code, okay? So we're starting here, Horusec started to analyze our code. So if you see here, Horusec is working now, okay? So let me return here just to explain to you some specific results from Horusec. So if you see here, many results about this vulnerable code and the different projects that I have here. So if you see here, for example, let me explain two simple things. Basically this is one of those vulnerable lines of code. For example, the language is JavaScript, the severity is high. Take a look at this very interesting line and column where you can find the code. So if you're a developer, it's very interesting, because now you know where the place is that you can find the vulnerability. And here is very interesting from my perspective, because you have the security tools working to identify that. So as you can see here, it is the Horusec engine. Not only that, but if you want, you can create this specific engine. If you have a specific programming language, you can create a request, you can work on this specific Horusec engine. From my perspective, it's very, very interesting. So here is another interesting point, about the confidence, so how it's based on those three or four pillars of cybersecurity information. And here is the file, exactly the file, where we can find the vulnerability. In this case, if you see here, this is the main project. Remember that? So home, thor, demo, and then horusec-demo. This is the main project. And here you can see many folders that the tool is analyzing, all the code you have inside of your project. And here, as you can see, the type is vulnerability. And not only that, but if you are a developer, if you don't know how the security works, you have here the information about the specific CWE. And it means the Common Weakness Enumeration. So a specific number of the vulnerability, related specifically to this flaw or this vulnerability. So you can click here, basically copy or open the link in the web page, and you can read more about that. So if you return here to our IDE, you can see here, you can find a similar result, actually not similar, but the same. So if you see here, JavaScript, it's another vulnerability using the Horusec engine. And if you see here, here is the vulnerable line in this code. So if you're a developer, again, you can manage it. You can improve that. You can make this update to your code. Not only that, but if you see here, take a look at another interesting thing. So if you see here, it's the same case in the CLI, you can see here the GoSec. As you can see here, it's GoSec. So it's another engine. So because of that, it's a different framework. Exactly. Take a look at this. Not only the Horusec engine, but you have more than one engine inside of that. Because of that, it's such a fantastic tool. Because you have many engines inside of the same platform, and you can see this information. Because of that, it's pretty, pretty cool. Nice. So basically, it's this, yes, go, go, go. Please.

In the beginning, we developed Horusec as a security tool. But during the journey, we discovered it's more important. And the other guys developed a lot of engines. It's very important. And such beautiful engines. And we created a composable software to plug and play a lot of engines. And for example, GoSec, or SonarQube, and another one. For example, now we are developing something with Cloud Custodian for the cloud. Cloud is not branch, but cloud surface, detect and respond on the cloud surface. But it's more important that Horusec now is a manager of a lot of engines, a lot of forms to identify, in your, during your environment, the security flags.

Exactly. Exactly. Good point, Gilmar, because that's the point. Because we have different programming languages. And so we need to improve that. So you can help us to improve that, specifically to create more engines for Horusec. And the last, but not important, not less important: so as you can see here, we have the possibility to work in a CI/CD pipeline. So if you work, for example, using GitHub Actions, for example. So if you see here, basically, let me share with you here. So you could set, for example, the security pipeline name, using, you know, a company-specific job, and run. Basically, it'll run automatically what you set, the same command that I used in the CLI, if you remember, calling curl. And after that, executing Horusec, -p is the path. Remember that, about your project, okay? And after that, -h, remember when I explained this specific flag. So you put here, in this case, true. So if your code is vulnerable, you create a specific blocking gate, or a specific gate to block, to analyze your code before promoting to production. So not only GitHub Actions, but you can use it, for example, with AWS CodeBuild, CircleCI, Jenkins, and Azure DevOps pipelines. And the web application, as Gilmar explained in the beginning. So it's very interesting for managing, for example, different vulnerabilities, and different for different teams, for example. You have different teams, squads, streams, depending on the name, no matter the name that you use. But you can see, for example, for each developer, what kind of programming language is more vulnerable, which projects are more vulnerable, and you can manage it, for example. So you can set this in a different way. You can see here, for example, total developers, repositories, and all vulnerabilities, programming language, as I mentioned; it's very, very nice for managing vulnerabilities.

In my opinion, the web is a perfect tool for CTOs and CISOs, because we have a lot of information, and after this information, it's possible to start a better threat modeling and understand whether you need to make some training with your devs, or need to change the language, change the version, because it's possible we use a version and the version is compromised. It's very important to analyze the numbers, understand your case, and take the decision, the better decision. It's a tool to help your team.

Exactly, exactly, I completely agree. And in some consulting services that I've been working on for the last years, I'm using this specific feature for managing all those things, specifically to make up training for the developers. It's very useful, very, very useful. So basically, I think that's it. So again, we have here the GitHub, so if you want, go to GitHub, send your pull requests, we work a lot on this project, and from my side, that's it. So if you have any questions, Gilmar and I, we are here to answer you. Thank you guys.

Thank you for your time. Thank you for the presentation. Thank you, Filipe, for the help, and see you at the next presentation. Bye-bye guys. See you, bye-bye.