Smithy, the Open-Source SOAR You’d Actually Use
10-18, 15:00–15:50 (America/New_York), Track 2 (206a)
Language: English

Despite our collective efforts, we haven’t managed to harmonize security tools and processes. Several standards, such as NIST, ASVS and SAMM, have attempted to harmonize information, but few projects have attempted to harmonize tool orchestration, and none in AppSec, for good reason: it is a hard problem to solve.

This session introduces Smithy, the only open-source workflow engine for security tools. Smithy stands as a unifying force for building robust, scalable DevSecOps pipelines, and beyond. Leveraging Smithy’s support for OCSF-native data formats, we centralized the outputs of disparate security tools into a cohesive data lake, unlocking actionable insights that improved vulnerability prioritization and resource allocation.

The talk will showcase real-world applications, including integrating OpenCRE, Cartography, AI-driven solutions and open-source resources to enhance vulnerability detection accuracy and reprioritization, for free, using ready-made community resources.

Whether you're a tech lead, security engineer, or CISO, this presentation offers practical guidance for creating adaptable, data-driven security workflows without breaking the bank.


1. Introduction: our toolchain, what we built, why it is open source, and how.

**OCSF, SARIF’s brother made by a committee.**

  • Why OCSF is a footgun: the need for a VERY opinionated SDK on top of OCSF.
  • Why not SARIF?
  • Meet Smithy, your OCSF SDK and workflow engine.
  • What can you do with it?

Scenario:

Meet Jimmy: The AppSec Lead with No Budget or Team

  • Jimmy just joined to lead AppSec, but there’s no team and no budget.
  • The mission: Build a robust AppSec program from scratch.
  • The solution? Leverage OWASP resources and Smithy for orchestration.

2. Step 1: Define a Strategy with OWASP SAMM

  • Why SAMM is a great starting point for a lightweight AppSec strategy.
  • Example: Map SAMM activities to workflows in Smithy for easy progress tracking.

3. Step 2: Implement Core Security Controls (ASVS)

  • ASVS: Your checklist for secure design and implementation.
  • Automate control verification using Smithy workflows to validate artifacts against ASVS.

4. Step 3: Gain Visibility

  • SCA (Software Composition Analysis): Automate SBOM generation and analysis.
  • Example: Integrate tools like CycloneDX or Syft and feed results into workflows for immediate insights.

5. Step 4: Manage Vulnerabilities Effectively

  • Centralize data with DefectDojo
  • Example workflow: Automate prioritization based on severity and asset criticality

6. Step 5: Build a Culture of Security Awareness

  • Training: Pull curated resources from OWASP (e.g., Juice Shop)
  • Example: Use a workflow to assign training modules based on team roles and track completion.

7. Step 6: Leverage OWASP Tools for Testing and Remediation

  • Threat Modeling: Automate initial threat model generation with STRIDE-GPT, Threat Dragon, or PyTM.
  • SAST and DAST: Use Smithy to programmatically integrate Semgrep, ZAP, and Nuclei for pull-request scanning.
  • Example workflow: Trigger scans on pull requests, comment findings with actionable advice, and prioritize fixes using AI-enhanced summaries.

8. Step 7: Tie It All Together with OpenCRE and Smithy

  • Information Hub: Use OpenCRE to map OWASP resources to specific needs and workflows.
  • Example: Link ASVS requirements to training, tools, and remediation guides

9. Next Steps: Build Momentum

  • Automate more! Ideas:
  • Generate threat models and SBOMs per pull request.
  • Comment with SAST/DAST findings directly in code reviews.

10. Closing Notes: Standing on the Shoulders of Giants

  • A heartfelt thank you to the OWASP community and contributors.
  • Encourage attendees to join the community, contribute to OWASP, and take full advantage of open-source tools and frameworks.

Are you releasing a tool? – yes

Spyros has over 15 years of experience in the security world. Since the beginning of his career he has been an avid supporter and contributor of open source software and an OWASP volunteer. He is currently interested in the harmonization of security tools and information and is helping Fintechs set up and automate large parts of their AppSec programmes. He also maintains several Open Source projects, including the security automation framework Smithy, and opencre.org, the world's largest