Slide 1: Introduction to Open Source Security Tools
Running awesome open source security projects

Slide 2: Intro: @sroberts
• Scott J Roberts
• Security Ops Manager: Response
• With GitHub 5 years
• Python, Golang, & JavaScript Developer
• Author of O’Reilly’s Intelligence Driven Incident Response with @pdxbek

Slide 3: Intro: This Talk
• Our favorite Open Source Security Tools
• The project, people, tech, & involvement
• Protecting your Code on GitHub
• What Makes Awesome Open Source Projects

Slide 4: facebook/osquery
SQL powered operating system instrumentation, monitoring, and analytics.

Slide 5: The Project
• Corporate sponsored project
• System level service
• Open sourced an internal tool

Slide 6: facebook/osquery: what?
• osquery is an operating system instrumentation framework for OS X/macOS, Windows, and Linux. The tools make low-level operating system analytics and monitoring both performant and intuitive.
• Billed as “Deployable, Flexible, Fast and Tested”
• Allows a system (or collection of systems) to be interrogated as a series of SQL tables

Slide 7: facebook/osquery: who?
• Sponsored & managed by Facebook
• 163 total contributors to facebook/osquery
• Multiple open (and closed) source 3rd party related tools
• Active Slack Channel with 599 members

Slide 8: facebook/osquery: tech?
• Built using C++
• Data storage via Facebook’s RocksDB
• Aimed at macOS & Linux originally, ported to Windows by Trail of Bits

Slides 9–10: facebook/osquery: demo

Slide 11: facebook/osquery: involved
• 4018 commits*
• 2360 PRs Closed (20 Open)
• 1318 Issues Closed (104 Open)
• Check labels easy and good-first-issue
• osquery.io & github.com/facebook/osquery
* All stats as of 2017-10-18 ~20:00 GMT

Slide 12: gchq/cyberchef
The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis

Slide 13: The Project
• Client side, browser based data manipulation UI
• Packaged as a single HTML document with JS & CSS
• Internally built and open sourced by a large organization

Slide 14: gchq/cyberchef: what?
• The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
• An analyst centric, web browser based tool for the common data manipulation used in investigations

Slide 15: gchq/cyberchef: who?
• GCHQ - United Kingdom’s Signals Intelligence & Information Assurance organization
• 15 contributors

Slide 16: gchq/cyberchef: tech?
• JavaScript (with Babel), HTML, & CSS (via Less) packaged together
• jQuery & Bootstrap
• Automation: Grunt & Webpack

Slides 17–26: gchq/cyberchef: demo

Slide 27: gchq/cyberchef: involved
• 634 commits
• 98 PRs Closed (5 Open)
• 75 Issues Closed (19 Open)
• Check labels help wanted
• gchq.github.io/CyberChef/ & github.com/gchq/cyberchef

Slide 28: phillipmartin/gopassivedns
PassiveDNS in Go

Slide 29: The Project
• Created by an individual (Phillip!) for their own needs
• A modern rewrite of legacy gamelinux/passivedns
• Infrastructure Micro Service
• Demonstrates the power one developer can have solving their own problem and sharing the result

Slide 30: phillipmartin/gopassivedns: what?
• Network-based DNS logging in Go
• Listens on the network for DNS lookups and logs the results

Slide 31: phillipmartin/gopassivedns: who?
• Created by an individual (Phillip!) for their own needs
• Four Contributors
• No corporate sponsorship

Slide 32: phillipmartin/gopassivedns: tech?
• Pure Golang
• Integrates with libpcap & libpcap-dev
• Outputs to syslog & Kafka

Slide 33: phillipmartin/gopassivedns: demo

Slide 34: phillipmartin/gopassivedns: involved
• 54 commits
• 11 PRs Closed (1 Open)
• 10 Issues Closed (11 Open)
• Check labels help wanted
• https://github.com/phillipmartin/gopassivedns

Slide 35: trailofbits/algo
Set up a personal IPSEC VPN in the cloud

Slide 36: The Project
• Infrastructure as Code
• Open source replacement for closed source tools
• Built by a security consultancy and research organization, then shared as open source

Slide 37: trailofbits/algo: what?
• Set up a personal IPSEC VPN in the cloud
• Ansible playbooks for creating a preconfigured IPSec VPN service on personal hardware or cloud providers

Slide 38: trailofbits/algo: who?
• Trail of Bits
• 64 contributors

Slide 39: trailofbits/algo: tech?
• Ansible Playbooks
• Built for running with cloud platforms like DigitalOcean, Azure, EC2.

Slide 40: trailofbits/algo: demo
• N/A… but try it!

Slide 41: trailofbits/algo: involved
• 691 commits
• 172 PRs Closed (3 Open)
• 464 Issues Closed (57 Open)
• Check labels documentation
• github.com/trailofbits/algo

Slide 42: Yara-Rules/rules
Repository of yara rules

Slide 43: The Project
• Detection as Code
• Showing how to share not just tools but indicators of compromise

Slide 44: Yara-Rules/rules: what?
• Repository of yara rules
• Yara is “The pattern matching swiss knife for malware researchers” (See virustotal.github.io/yara for more)
• “Antivirus you update with a git pull” ~@tomchop_
• Makes it easier to identify malware or malicious patterns in various tools

Slide 45: Yara-Rules/rules: who?
• Community Driven Project
• 41 Contributors

Slide 46: Yara-Rules/rules: tech?
• Yara + Shell for Testing
• Travis for Continuous Integration

Slides 47–48: Yara-Rules/rules: demo

Slide 49: Yara-Rules/rules: involved
• 1414 commits
• 130 PRs Closed (1 Open)
• 139 Issues Closed (2 Open)
• Check labels help wanted
• github.com/Yara-Rules/rules & http://yararules.com/

Slide 50: Running Awesome Open Source Projects

Slide 51: As a Contributor
• Fix your own problems.
• Documentation & testing are highly underrated!
• Look for issues marked help wanted.
• Get involved and create something!

Slide 52: As a Maintainer
• Consistency is huge. Get others involved as necessary, even if it means passing off a project.
• Set expectations for contribution and behavior.
• Mark issues for new contributors like help wanted or good first issue.
• Use the tools: project boards, issue templates, CI, etc.

Slide 53: Keeping Open (& Closed) Code Secure on GitHub

Slide 54: Securing GitHub Accounts
• Strong Passwords
• 2FA (U2F or TOTP (and technically SMS))
• Emails, keys, & Applications

Slide 55: Securing Organizations
• Audit Collaborators
• Audit Integrations
• Enable 2FA Enforcement
• Require Application Approval
• Use Single Sign On/SAML

Slide 56: Securing Repositories
• Audit Collaborators
• Use Protected Branches
• Audit Webhooks, Integrations, & Deploy Keys
• https://www.bountysource.com/

Slide 57: Testing & CI
• Use tests to ensure code does what you expect
• Require tests for new code
• Require passing CI before merging
• Static Analysis Tools like presidentbeef/brakeman
• See github.com/mre/awesome-static-analysis

Slide 58: Community Management & Engagement
• Comprehensive README describing the project & direction
• Be responsive in issues & pull requests
• Set expectations & hold people to them
• Call out easy places to get started
• Try: github.com/pengwynn/flint

Slide 59: Hacktoberfest
• Sponsored by DigitalOcean
• Search: “label:hacktoberfest state:open type:issue”

Slide 60: Security Showcase & Awesome Lists
• https://github.com/sbilly/awesome-security
• https://github.com/rshipp/awesome-malware-analysis
• https://github.com/meirwah/awesome-incident-response
• https://github.com/enaqx/awesome-pentest
• https://github.com/InQuest/awesome-yara

Slide 61: Check out https://guides.github.com/ & https://git.io/vdQr3 — Now go help build something awesome!

Slide 62: Questions? Use the GoToWebinar Interface
