Introduction to Open Source Security Tools

My GitHub webcast for Cyber Security Month.

Scott J. Roberts

October 19, 2017
Transcript

  1. Intro: @sroberts • Scott J Roberts • Security Ops Manager: Response • With GitHub 5 years • Python, Golang, & JavaScript Developer • Author of O'Reilly's Intelligence-Driven Incident Response with @pdxbek
  2. Intro: This Talk • Our favorite Open Source Security Tools • The project, people, tech, & involvement • Protecting your Code on GitHub • What Makes Awesome Open Source Projects
  3. facebook/osquery: what? • osquery is an operating system instrumentation framework for OS X/macOS, Windows, and Linux. The tools make low-level operating system analytics and monitoring both performant and intuitive. • Billed as "Deployable, Flexible, Fast and Tested" • Allows a system (or collection of systems) to be interrogated as a series of SQL tables
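As an added example (not from the deck), two queries against osquery's built-in `processes`, `listening_ports` and `users` tables show what "interrogating a system as SQL tables" looks like in `osqueryi`; the join keys and column names are osquery's own, the detection framing is the example's.

```sql
-- Added example, not part of the deck: run interactively with osqueryi,
-- or schedule the same SQL in a query pack to collect it fleet-wide.

-- 1. Running processes whose executable is no longer on disk.
--    A binary that deleted itself after launch is worth a look, though
--    the same state also follows a package upgrade of a running daemon.
SELECT p.pid, p.name, p.path, p.cmdline, u.username
FROM processes AS p
LEFT JOIN users AS u ON u.uid = p.uid
WHERE p.on_disk = 0;

-- 2. Every TCP listener bound to all interfaces, joined back to the
--    owning process and user so each exposed port has an owner.
SELECT lp.port, lp.address, p.pid, p.name, p.path, u.username
FROM listening_ports AS lp
JOIN processes AS p ON p.pid = lp.pid
LEFT JOIN users AS u ON u.uid = p.uid
WHERE lp.protocol = 6                 -- protocol is numeric: 6 = TCP, 17 = UDP
  AND lp.address IN ('0.0.0.0', '::')  -- wildcard binds only
ORDER BY lp.port;
```

Scheduled in a pack with differential logging, only rows that appear or disappear between runs are emitted, which is what makes the second query a cheap new-listener alert.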
  4. facebook/osquery: who? • Sponsored & managed by Facebook • 163 total contributors to facebook/osquery • Multiple open (and closed) source 3rd party related tools • Active Slack Channel with 599 members
  5. facebook/osquery: tech? • Built using C++ • Data storage via Facebook's RocksDB • Aimed at macOS & Linux originally, ported to Windows by Trail Of Bits
  6. facebook/osquery: involved • 4018 commits* • 2360 PRs Closed (20 Open) • 1318 Issues Closed (104 Open) • Check labels easy and good-first-issue • osquery.io & github.com/facebook/osquery • * All stats as of 2017-10-18 ~20:00 GMT
  7. gchq/cyberchef • The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
  8. The Project • Client side, browser based data manipulation UI • Packaged as a single HTML document with JS & CSS • Internally built and open sourced by a large organization
  9. gchq/cyberchef: what? • The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis • An analyst centric web browser based tool for common data manipulation used in investigations
  10. gchq/cyberchef: who? • GCHQ - United Kingdom's Signals Intelligence & Information Assurance organization • 15 contributors
  11. gchq/cyberchef: tech? • JavaScript (with Babel), HTML, & CSS (via Less) packaged together • jQuery & Bootstrap • Automation: Grunt & Webpack
  12. gchq/cyberchef: involved • 634 commits • 98 PRs Closed (5 Open) • 75 Issues Closed (19 Open) • Check labels help wanted • gchq.github.io/CyberChef/ & github.com/gchq/cyberchef
  13. The Project • Created by an individual (Phillip!) for their own needs • A modern rewrite of legacy gamelinux/passivedns • Infrastructure Micro Service • Demonstrates the power one developer can have solving their own problem and sharing the result
  14. phillipmartin/gopassivedns: who? • Created by an individual (Phillip!) for their own needs • Four Contributors • No corporate sponsorship
  15. phillipmartin/gopassivedns: involved • 54 commits • 11 PRs Closed (1 Open) • 10 Issues Closed (11 Open) • Check labels help wanted • https://github.com/phillipmartin/gopassivedns
  16. The Project • Infrastructure as Code • Open source replacement for closed source tools • Built by a security consultancy and research organization then shared as open source
  17. trailofbits/algo: what? • Set up a personal IPsec VPN in the cloud • Ansible playbooks for creating a preconfigured IPsec VPN service on personal hardware or cloud providers
  18. trailofbits/algo: tech? • Ansible Playbooks • Built for running with cloud platforms like DigitalOcean, Azure, EC2
  19. trailofbits/algo: involved • 691 commits • 172 PRs Closed (3 Open) • 464 Issues Closed (57 Open) • Check labels documentation • github.com/trailofbits/algo
  20. The Project • Detection as Code • Showing how to share not just tools but indicators of compromise
  21. Yara-Rules/rules: what? • Repository of yara rules • Yara is "The pattern matching swiss knife for malware researchers" (See virustotal.github.io/yara for more) • "Antivirus you update with a git pull" ~@tomchop_ • Makes it easier to identify malware or malicious patterns in various tools
  22. Yara-Rules/rules: involved • 1414 commits • 130 PRs Closed (1 Open) • 139 Issues Closed (2 Open) • Check labels help wanted • github.com/Yara-Rules/rules & http://yararules.com/
  23. As a Contributor • Fix your own problems. • Documentation & testing are highly underrated! • Look for issues marked help wanted. • Get involved and create something!
  24. As a Maintainer • Consistency is huge. Get others involved as necessary. • Even if it means passing off a project. • Set expectations for contribution and behavior. • Mark issues for new contributors like help wanted or good first issue. • Use the tools: project boards, issue templates, CI, etc.
  25. Securing GitHub Accounts • Strong Passwords • 2FA (U2F or TOTP (and technically SMS)) • Emails, keys, & Applications
  26. Securing Organizations • Audit Collaborators • Audit Integrations • Enable 2FA Enforcement • Require Application Approval • Use Single Sign On/SAML
  27. Securing Repositories • Audit Collaborators • Use Protected Branches • Audit Webhooks, Integrations, & Deploy Keys • https://www.bountysource.com/
  28. Testing & CI • Use tests to ensure code does what you expect • Require tests for new code • Require passing CI before merging • Static Analysis Tools like presidentbeef/brakeman • See github.com/mre/awesome-static-analysis
  29. Community Management & Engagement • Comprehensive README describing the project & direction • Be responsive in issues & pull requests • Set expectations & hold people to expectations • Call out easy places to get started • Try: github.com/pengwynn/flint
  30. Security Showcase & Awesome Lists • https://github.com/sbilly/awesome-security • https://github.com/rshipp/awesome-malware-analysis • https://github.com/meirwah/awesome-incident-response • https://github.com/enaqx/awesome-pentest • https://github.com/InQuest/awesome-yara