Introduction to Open Source Security Tools

My GitHub webcast for Cyber Security Month.

Scott J. Roberts

October 19, 2017
Transcript

  2. Intro
     • @sroberts
     • Scott J Roberts
     • Security Ops Manager: Response
     • With GitHub 5 years
     • Python, Golang, & JavaScript Developer
     • Author of O’Reilly’s Intelligence Driven Incident Response with @pdxbek
  3. Intro: This Talk
     • Our favorite Open Source Security Tools
     • The project, people, tech, & involvement
     • Protecting your Code on GitHub
     • What Makes Awesome Open Source Projects
  6. facebook/osquery: what?
     • osquery is an operating system instrumentation framework for OS X/macOS, Windows, and Linux. The tools make low-level operating system analytics and monitoring both performant and intuitive.
     • Billed as “Deployable, Flexible, Fast and Tested”
     • Allows a system (or collection of systems) to be interrogated as a series of SQL tables
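
The "system as SQL tables" idea is easiest to see with a query. The block below is an added example, not code from the talk or from the osquery project: it loads constructed rows (illustrative values, not real telemetry) into an in-memory SQLite database whose table and column names follow a subset of osquery's `processes` and `listening_ports` schema, then runs the kind of join a defender would run in osqueryi to find which process owns each listening socket and flag listeners started from an unexpected path.

```python
import sqlite3

# Constructed sample rows in the shape of osquery's `processes` and
# `listening_ports` tables (a subset of their columns; values are invented).
PROCESSES = [
    # (pid, name, path, parent)
    (1,    "launchd", "/sbin/launchd",        0),
    (412,  "sshd",    "/usr/sbin/sshd",       1),
    (913,  "nginx",   "/usr/sbin/nginx",      1),
    (2231, "python3", "/tmp/.cache/python3",  913),
]
LISTENING_PORTS = [
    # (pid, port, protocol, address); protocol 6 is TCP
    (412,  22,   6, "0.0.0.0"),
    (913,  443,  6, "0.0.0.0"),
    (2231, 4444, 6, "0.0.0.0"),
]


def build_host_db():
    """Load the constructed rows into an in-memory SQLite database that
    mimics two osquery virtual tables for one host."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE processes (pid INTEGER, name TEXT, path TEXT, parent INTEGER)")
    db.execute("CREATE TABLE listening_ports (pid INTEGER, port INTEGER, protocol INTEGER, address TEXT)")
    db.executemany("INSERT INTO processes VALUES (?, ?, ?, ?)", PROCESSES)
    db.executemany("INSERT INTO listening_ports VALUES (?, ?, ?, ?)", LISTENING_PORTS)
    return db


# Which process owns each socket bound to all interfaces. The join across
# the two tables is the point: the same SQL text runs unchanged in osqueryi.
LISTENERS_QUERY = """
SELECT p.pid, p.name, p.path, lp.port, lp.address
FROM listening_ports lp
JOIN processes p USING (pid)
WHERE lp.address = '0.0.0.0'
ORDER BY lp.port
"""

# Detection flavour of the same join: listeners whose binary lives outside
# the directories we expect daemons to run from on this host.
UNEXPECTED_LISTENERS_QUERY = """
SELECT p.pid, p.name, p.path, lp.port
FROM listening_ports lp
JOIN processes p USING (pid)
WHERE lp.address = '0.0.0.0'
  AND p.path NOT LIKE '/usr/sbin/%'
  AND p.path NOT LIKE '/sbin/%'
ORDER BY lp.port
"""


def listening_processes(db):
    """Rows of (pid, name, path, port, address) for every listener."""
    return db.execute(LISTENERS_QUERY).fetchall()


def unexpected_listeners(db):
    """Rows of (pid, name, path, port) that a scheduled osquery pack
    would forward to the SIEM for review."""
    return db.execute(UNEXPECTED_LISTENERS_QUERY).fetchall()


if __name__ == "__main__":
    db = build_host_db()
    for row in listening_processes(db):
        print(row)
    print("unexpected:", unexpected_listeners(db))
```

The second query is the kind of thing that ends up as a scheduled query in an osquery pack: the table abstraction means the detection is written once as SQL and runs the same way on macOS, Linux and Windows endpoints.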
  7. facebook/osquery: who?
     • Sponsored & managed by Facebook
     • 163 total contributors to facebook/osquery
     • Multiple open (and closed) source 3rd party related tools
     • Active Slack Channel with 599 members
  8. facebook/osquery: tech?
     • Built using C++
     • Data storage via Facebook’s RocksDB
     • Aimed at MacOS & Linux originally, ported to Windows by Trail Of Bits
  11. facebook/osquery: involved
     • 4018 commits*
     • 2360 PRs Closed (20 Open)
     • 1318 Issues Closed (104 Open)
     • Check labels easy and good-first-issue
     • osquery.io & github.com/facebook/osquery
     * All stats as of 2017-10-18 ~20:00 GMT
  12. gchq/cyberchef
     The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
  13. The Project
     • Client side, browser based data manipulation UI
     • Packaged as a single HTML document with JS & CSS
     • Internally built and open sourced by a large organization
  14. gchq/cyberchef: what?
     • The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
     • An analyst centric web browser based tool for common data manipulation used in investigations
  15. gchq/cyberchef: who?
     • GCHQ - United Kingdom’s Signals Intelligence & Information Assurance organization
     • 15 contributors
  16. gchq/cyberchef: tech?
     • JavaScript (with Babel), HTML, & CSS (via Less) packaged together
     • jQuery & Bootstrap
     • Automation: Grunt & Webpack
  27. gchq/cyberchef: involved
     • 634 commits
     • 98 PRs Closed (5 Open)
     • 75 Issues Closed (19 Open)
     • Check labels help wanted
     • gchq.github.io/CyberChef/ & github.com/gchq/cyberchef
  29. The Project
     • Created by an individual (Phillip!) for their own needs
     • A modern rewrite of legacy gamelinux/passivedns
     • Infrastructure Micro Service
     • Demonstrates the power one developer can have solving their own problem and sharing the result
  31. phillipmartin/gopassivedns: who?
     • Created by an individual (Phillip!) for their own need
     • Four Contributors
     • No corporate sponsorship
  34. phillipmartin/gopassivedns: involved
     • 54 commits
     • 11 PRs Closed (1 Open)
     • 10 Issues Closed (11 Open)
     • Check labels help wanted
     • https://github.com/phillipmartin/gopassivedns
  36. The Project
     • Infrastructure as Code
     • Open source replacement for closed source tools
     • Built by a security consultancy and research organization then shared as open source
  37. trailofbits/algo: what?
     • Set up a personal IPsec VPN in the cloud
     • Ansible playbooks for creating a preconfigured IPsec VPN service on personal hardware or cloud providers
  39. trailofbits/algo: tech?
     • Ansible Playbooks
     • Built for running with cloud platforms like DigitalOcean, Azure, EC2.
  41. trailofbits/algo: involved
     • 691 commits
     • 172 PRs Closed (3 Open)
     • 464 Issues Closed (57 Open)
     • Check labels documentation
     • github.com/trailofbits/algo
  43. The Project
     • Detection as Code
     • Showing how to share not just tools but indicators of compromise
  44. Yara-Rules/rules: what?
     • Repository of yara rules
     • Yara is “The pattern matching swiss knife for malware researchers” (See virustotal.github.io/yara for more)
     • “Antivirus you update with a git pull” ~@tomchop_
     • Makes it easier to identify malware or malicious patterns in various tools
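
To show what "detection as code" means for a YARA rule, here is an added example that is not from the talk or from the Yara-Rules repository: a rule written in YARA syntax (constructed for this example, matching nothing real) and a small evaluator for the subset it uses (text strings, hex strings with `??` wildcards, and a condition built from and/or/not and parentheses), run over two constructed byte buffers. Real deployments use the yara binary or yara-python; the evaluator is here only to make the rule's semantics visible, and it deliberately walks a boolean AST rather than calling eval() on rule text.

```python
import ast
import re

# A rule in YARA syntax, constructed for this example. The hex string uses
# YARA's `??` single-byte wildcard; the condition combines string
# identifiers with and/or and parentheses.
SAMPLE_RULE = r'''
rule suspicious_downloader
{
    strings:
        $url = "http://example.invalid/update.bin"
        $ua  = "Mozilla/4.0 (compatible; MSIE 6.0"
        $hex = { 6A 40 68 00 30 00 00 6A ?? }
    condition:
        $hex and ($url or $ua)
}
'''


def parse_rule(text):
    """Return (name, {identifier: compiled bytes regex}, condition) for the
    YARA subset used above: double-quoted text strings and hex strings with
    `??` wildcards. Modifiers (nocase, wide), regex strings and quantifiers
    such as `any of them` are outside this subset."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    strings = {}
    for ident, body in re.findall(r'(\$\w+)\s*=\s*("(?:[^"\\]|\\.)*"|\{[^}]*\})', text):
        if body.startswith('"'):
            pattern = re.escape(body[1:-1].encode())
        else:
            # each hex token is one literal byte; `??` matches any single byte
            pattern = b''.join(b'.' if tok == '??' else re.escape(bytes([int(tok, 16)]))
                               for tok in body[1:-1].split())
        strings[ident] = re.compile(pattern, re.S)
    condition = re.search(r'condition:\s*(.+?)\s*\}', text, re.S).group(1)
    return name, strings, condition


def evaluate_condition(condition, matched):
    """Evaluate the condition against the set of matched identifiers by
    rewriting each `$id` to True/False and walking the boolean AST; only
    and/or/not and parentheses are accepted, anything else raises."""
    expr = re.sub(r'\$\w+', lambda m: str(m.group(0) in matched), condition)

    def walk(node):
        if isinstance(node, ast.Constant) and isinstance(node.value, bool):
            return node.value
        if isinstance(node, ast.BoolOp):
            combine = all if isinstance(node.op, ast.And) else any
            return combine(walk(v) for v in node.values)
        if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
            return not walk(node.operand)
        raise ValueError("unsupported condition syntax: " + ast.dump(node))

    return walk(ast.parse(expr, mode='eval').body)


def scan(rule_text, data):
    """Apply one rule to a byte buffer: (rule name, matched?, matched ids)."""
    name, strings, condition = parse_rule(rule_text)
    matched = {ident for ident, rx in strings.items() if rx.search(data)}
    return name, evaluate_condition(condition, matched), sorted(matched)


# Constructed buffers, not real samples: HIT carries the hex stub and the
# URL, MISS carries only the user-agent fragment, so the condition fails.
HIT = b'\x00' * 16 + b'\x6a\x40\x68\x00\x30\x00\x00\x6a\x04' + b'...http://example.invalid/update.bin\x00'
MISS = b'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)'

if __name__ == '__main__':
    for label, buf in (('HIT', HIT), ('MISS', MISS)):
        print(label, scan(SAMPLE_RULE, buf))
```

The rule file is what lives in git: a change to a string or to the condition is a reviewable diff, and a `git pull` on the endpoint fleet is the signature update the tomchop quote refers to.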
  49. Yara-Rules/rules: involved
     • 1414 commits
     • 130 PRs Closed (1 Open)
     • 139 Issues Closed (2 Open)
     • Check labels help wanted
     • github.com/Yara-Rules/rules & http://yararules.com/
  51. As a Contributor
     • Fix your own problems.
     • Documentation & testing are highly underrated!
     • Look for issues marked help wanted.
     • Get involved and create something!
  52. As a Maintainer
     • Consistency is huge. Get others involved as necessary.
     • Even if it means passing off a project.
     • Set expectations for contribution and behavior.
     • Mark issues for new contributors like help wanted or good first issue.
     • Use the tools: project boards, issue templates, CI, etc.
  54. Securing GitHub Accounts
     • Strong Passwords
     • 2FA (U2F or TOTP (and technically SMS))
     • Emails, keys, & Applications
  55. Securing Organizations
     • Audit Collaborators
     • Audit Integrations
     • Enable 2FA Enforcement
     • Require Application Approval
     • Use Single Sign On/SAML
  56. Securing Repositories
     • Audit Collaborators
     • Use Protected Branches
     • Audit Webhooks, Integrations, & Deploy Keys
     • https://www.bountysource.com/
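
The "audit" bullets on the organization and repository slides are checks that can be scripted rather than eyeballed. The block below is an added example, not from the talk or from GitHub: it runs those checks over constructed data shaped like GitHub REST API responses. The endpoint paths in the comment and the field names (`login`, `permissions`, `read_only`, `config.insecure_ssl`) are assumptions to confirm against the current API documentation; `expected_admins` is a hypothetical allow-list you would maintain yourself.

```python
# Constructed sample data shaped like GitHub REST API responses. In a real
# audit these lists would be fetched (assumed endpoints) from:
#   GET /orgs/{org}/members?filter=2fa_disabled
#   GET /repos/{owner}/{repo}/collaborators
#   GET /repos/{owner}/{repo}/keys
#   GET /repos/{owner}/{repo}/hooks
MEMBERS_WITHOUT_2FA = [{"login": "old-contractor"}]

COLLABORATORS = [
    {"login": "alice",          "permissions": {"admin": True,  "push": True, "pull": True}},
    {"login": "ci-bot",         "permissions": {"admin": False, "push": True, "pull": True}},
    {"login": "old-contractor", "permissions": {"admin": True,  "push": True, "pull": True}},
]

DEPLOY_KEYS = [
    {"id": 1, "title": "prod-deploy", "read_only": True},
    {"id": 2, "title": "laptop-2015", "read_only": False},
]

WEBHOOKS = [
    {"id": 10, "config": {"url": "https://ci.example.com/hook",      "insecure_ssl": "0"}},
    {"id": 11, "config": {"url": "http://hooks.example.net/legacy",  "insecure_ssl": "1"}},
]


def audit_repository(members_without_2fa, collaborators, deploy_keys, webhooks, expected_admins):
    """Return (finding, subject) pairs for the checks the slides list:
    admins outside the allow-list, write access held by accounts without
    2FA, deploy keys that can push, and webhooks delivered without TLS."""
    findings = []
    no_2fa = {m["login"] for m in members_without_2fa}

    for collaborator in collaborators:
        login = collaborator["login"]
        perms = collaborator.get("permissions", {})
        can_write = bool(perms.get("push") or perms.get("admin"))
        if perms.get("admin") and login not in expected_admins:
            findings.append(("unexpected-admin", login))
        if can_write and login in no_2fa:
            findings.append(("write-access-without-2fa", login))

    for key in deploy_keys:
        # a deploy key that is not read-only can push commits to the repository
        if not key.get("read_only", False):
            findings.append(("writable-deploy-key", key["title"]))

    for hook in webhooks:
        cfg = hook["config"]
        # plain http delivery or disabled certificate verification exposes the
        # payload (and any secret-derived signature check) to tampering
        if not cfg["url"].startswith("https://") or cfg.get("insecure_ssl") == "1":
            findings.append(("weak-webhook-transport", cfg["url"]))

    return findings


if __name__ == "__main__":
    for finding, subject in audit_repository(MEMBERS_WITHOUT_2FA, COLLABORATORS,
                                             DEPLOY_KEYS, WEBHOOKS, {"alice"}):
        print(f"{finding}: {subject}")
```

Each finding maps back to a slide bullet: unexpected admins and accounts without 2FA are the "Audit Collaborators" and "Enable 2FA Enforcement" items, the other two cover "Audit Webhooks, Integrations, & Deploy Keys". Running this on a schedule, with the allow-list in version control, turns a one-off review into a repeatable control.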
  57. Testing & CI
     • Use tests to ensure code does what you expect
     • Require tests for new code
     • Require passing CI before merging
     • Static Analysis Tools like presidentbeef/brakeman
     • See github.com/mre/awesome-static-analysis
  58. Community Management & Engagement
     • Comprehensive README describing the project & direction
     • Be responsive in issues & pull requests
     • Set expectations & hold people to expectations
     • Call out easy places to get started
     • Try: github.com/pengwynn/flint
  60. Security Showcase & Awesome Lists
     • https://github.com/sbilly/awesome-security
     • https://github.com/rshipp/awesome-malware-analysis
     • https://github.com/meirwah/awesome-incident-response
     • https://github.com/enaqx/awesome-pentest
     • https://github.com/InQuest/awesome-yara