
Introduction to Open Source Security Tools

My GitHub webcast for Cyber Security Month.

Scott J. Roberts

October 19, 2017

Transcript

  1. Introduction to Open Source Security Tools: Running awesome open source security projects
  2. Intro: @sroberts • Scott J Roberts • Security Ops Manager: Response • With GitHub 5 years • Python, Golang, & JavaScript Developer • Author of O’Reilly’s Intelligence Driven Incident Response with @pdxbek
  3. Intro: This Talk • Our favorite Open Source Security Tools • The project, people, tech, & involvement • Protecting your Code on GitHub • What Makes Awesome Open Source Projects
  4. facebook/osquery: SQL powered operating system instrumentation, monitoring, and analytics.
  5. The Project • Corporate sponsored project • System level service • Open sourced an internal tool
  6. facebook/osquery: what? • osquery is an operating system instrumentation framework for OS X/macOS, Windows, and Linux. The tools make low-level operating system analytics and monitoring both performant and intuitive. • Billed as “Deployable, Flexible, Fast and Tested” • Allows a system (or collection of systems) to be interrogated as a series of SQL tables
  7. facebook/osquery: who? • Sponsored & managed by Facebook • 163 total contributors to facebook/osquery • Multiple open (and closed) source 3rd party related tools • Active Slack Channel with 599 members
  8. facebook/osquery: tech? • Built using C++ • Data storage via Facebook’s RocksDB • Aimed at macOS & Linux originally, ported to Windows by Trail of Bits
  9. facebook/osquery: demo
  10. facebook/osquery: demo
  11. facebook/osquery: involved • 4018 commits* • 2360 PRs Closed (20 Open) • 1318 Issues Closed (104 Open) • Check labels easy and good-first-issue • osquery.io & github.com/facebook/osquery • * All stats as of 2017-10-18 ~20:00 GMT
  12. gchq/cyberchef: The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis
  13. The Project • Client side, browser based data manipulation UI • Packaged as a single HTML document with JS & CSS • Internally built and open sourced by a large organization
  14. gchq/cyberchef: what? • The Cyber Swiss Army Knife - a web app for encryption, encoding, compression and data analysis • An analyst centric web browser based tool for common data manipulation used in investigations
  15. gchq/cyberchef: who? • GCHQ - United Kingdom’s Signals Intelligence & Information Assurance organization • 15 contributors
  16. gchq/cyberchef: tech? • JavaScript (with Babel), HTML, & CSS (via Less) packaged together • jQuery & Bootstrap • Automation: Grunt & Webpack
  17. gchq/cyberchef: demo
  18. gchq/cyberchef: demo
  19. gchq/cyberchef: demo
  20. gchq/cyberchef: demo
  21. gchq/cyberchef: demo
  22. gchq/cyberchef: demo
  23. gchq/cyberchef: demo
  24. gchq/cyberchef: demo
  25. gchq/cyberchef: demo
  26. gchq/cyberchef: demo
  27. gchq/cyberchef: involved • 634 commits • 98 PRs Closed (5 Open) • 75 Issues Closed (19 Open) • Check labels help wanted • gchq.github.io/CyberChef/ & github.com/gchq/cyberchef
  28. phillipmartin/gopassivedns: PassiveDNS in Go
  29. The Project • Created by an individual (Phillip!) for their own needs • A modern rewrite of legacy gamelinux/passivedns • Infrastructure Micro Service • Demonstrates the power one developer can have solving their own problem and sharing the result
  30. phillipmartin/gopassivedns: what? • Network-based DNS logging in Go • Listens on the network for DNS lookups and logs the results
  31. phillipmartin/gopassivedns: who? • Created by an individual (Phillip!) for their own need • Four Contributors • No corporate sponsorship
  32. phillipmartin/gopassivedns: tech? • Pure Golang • Integrates with libpcap & libpcap-dev • Outputs to syslog & Kafka
  33. phillipmartin/gopassivedns: demo
  34. phillipmartin/gopassivedns: involved • 54 commits • 11 PRs Closed (1 Open) • 10 Issues Closed (11 Open) • Check labels help wanted • https://github.com/phillipmartin/gopassivedns
  35. trailofbits/algo: Set up a personal IPSEC VPN in the cloud
  36. The Project • Infrastructure as Code • Open source replacement for closed source tools • Built by a security consultancy and research organization then shared as open source
  37. trailofbits/algo: what? • Set up a personal IPSEC VPN in the cloud • Ansible playbooks for creating a preconfigured IPsec VPN service on personal hardware or cloud providers
  38. trailofbits/algo: who? • Trail of Bits • 64 contributors
  39. trailofbits/algo: tech? • Ansible Playbooks • Built for running with cloud platforms like DigitalOcean, Azure, EC2.
  40. trailofbits/algo: demo • N/A… but try it!
  41. trailofbits/algo: involved • 691 commits • 172 PRs Closed (3 Open) • 464 Issues Closed (57 Open) • Check labels documentation • github.com/trailofbits/algo
  42. Yara-Rules/rules: Repository of yara rules
  43. The Project • Detection as Code • Showing how to share not just tools but indicators of compromise
  44. Yara-Rules/rules: what? • Repository of yara rules • Yara is “The pattern matching swiss knife for malware researchers” (See virustotal.github.io/yara for more) • “Antivirus you update with a git pull” ~@tomchop_ • Makes it easier to identify malware or malicious patterns in various tools
  45. Yara-Rules/rules: who? • Community Driven Project • 41 Contributors
  46. Yara-Rules/rules: tech? • Yara + Shell for Testing • Travis for Continuous Integration
  47. Yara-Rules/rules: demo
  48. Yara-Rules/rules: demo
  49. Yara-Rules/rules: involved • 1414 commits • 130 PRs Closed (1 Open) • 139 Issues Closed (2 Open) • Check labels help wanted • github.com/Yara-Rules/rules & http://yararules.com/
  50. Running Awesome Open Source Projects
  51. As a Contributor • Fix your own problems. • Documentation & testing are highly underrated! • Look for issues marked help wanted. • Get involved and create something!
  52. As a Maintainer • Consistency is huge. Get others involved as necessary, even if it means passing off a project. • Set expectations for contribution and behavior. • Mark issues for new contributors like help wanted or good first issue. • Use the tools: project boards, issue templates, CI, etc.
  53. Keeping Open (& Closed) Code Secure on GitHub
  54. Securing GitHub Accounts • Strong Passwords • 2FA (U2F or TOTP (and technically SMS)) • Emails, keys, & Applications
  55. Securing Organizations • Audit Collaborators • Audit Integrations • Enable 2FA Enforcement • Require Application Approval • Use Single Sign On/SAML
  56. Securing Repositories • Audit Collaborators • Use Protected Branches • Audit Webhooks, Integrations, & Deploy Keys • https://www.bountysource.com/
  57. Testing & CI • Use tests to ensure code does what you expect • Require tests for new code • Require passing CI before merging • Static Analysis Tools like presidentbeef/brakeman • See github.com/mre/awesome-static-analysis
  58. Community Management & Engagement • Comprehensive README describing the project & direction • Be responsive in issues & pull requests • Set expectations & hold people to expectations • Call out easy places to get started • Try: github.com/pengwynn/flint
  59. Hacktoberfest • Sponsored by DigitalOcean • Search: “label:hacktoberfest state:open type:issue”
  60. Security Showcase & Awesome Lists • https://github.com/sbilly/awesome-security • https://github.com/rshipp/awesome-malware-analysis • https://github.com/meirwah/awesome-incident-response • https://github.com/enaqx/awesome-pentest • https://github.com/InQuest/awesome-yara
  61. Check out https://guides.github.com/ & https://git.io/vdQr3 — Now go help build something awesome!
  62. Questions? Use the GoToWebinar Interface